We try to regularly comment on first-party computer virus insurance issues
in this column because, whether rightly or wrongly, we view this as one of the
more problematic e-business insurance issues with which corporate insureds are
dealing. This update incorporates our thoughts based on what we're seeing and
hearing during 2002 property insurance renewals as of April 1, 2002, as well
as on discussions with several insurers and brokers at the recent Risk and
Insurance Management Society, Inc. (RIMS), Annual Conference in New Orleans.
What Is the Exposure?
To put things into perspective, let me start by making two observations.
The first is that a company's exposure to computer virus risk is not limited to loss of online revenue because
a website "goes down." I don't even like using that measurement as a risk assessment
tool. Rather, I keep coming back to a real-life scenario that convinces me that
companies should have coverage for first-party computer virus risk.
Consider the following example of a company that manufactures products that
run on software. One day an employee dialed in remotely, and a virus was introduced
into the company's network, got into the assembly line, and was loaded onto
the products as software was being installed into them during assembly.
By the time the virus was discovered, the insured had to shut
down the assembly line, remediate the problem, and deal with the infected product.
The total loss was approximately US$15 million (about $2 million in remediation
costs, and $13 million in business interruption). This loss was covered by the
company's property insurance program.
This real-life loss should be a wake-up call to all risk managers. Don't
assume that you can self-insure first-party computer virus risk because you
don't have a lot of online revenues. Ask yourself what company operations depend
on computer programs running correctly, on the ability to access uncorrupted
data, etc. Also ask yourself if your products have software, data, or programs
in them. I believe that if you start asking yourself these questions and others
like them, the conclusion will be that you have exposure to first-party computer
virus risk.
The second observation is that it appears that the vast majority of insurers
and reinsurers in the United Kingdom and Continental Europe, from a philosophical
perspective, do not believe that a loss caused by computer virus involves the
type of "physical loss or damage" required to trigger coverage under a property
policy. Put another way, such insurers and reinsurers, according to them, never
intended to cover computer virus loss under property policies.
Computer Virus Exclusions
This belief is having a dramatic impact on the insurability of first-party
computer virus risk under property insurance. Without reinsurance support for
this risk for traditional property policies, we're seeing an alarming increase
in the use of computer virus exclusions on property programs placed around the
world. There is one particular exclusion we are seeing most frequently. It was
created by the Non Marine Association in London, and goes by the name "NMA 2914."
It reads as follows:
ELECTRONIC DATA ENDORSEMENT A

- Electronic Data Exclusion

Notwithstanding any provision to the contrary within the Policy or any endorsement
thereto, it is understood and agreed as follows:

a) This Policy does not insure, loss, damage, destruction,
distortion, erasure, corruption or alteration of ELECTRONIC
DATA from any cause whatsoever (including but not limited to
COMPUTER VIRUS) or loss of use, reduction in functionality,
cost, expense of whatsoever nature resulting therefrom, regardless
of any other cause or event contributing concurrently or in
any other sequence to the loss.

ELECTRONIC DATA means facts, concepts and information converted to a form useable
for communications, interpretation or processing by electronic
and electromechanical data processing or electronically controlled
equipment and includes programmes, software, and other coded
instructions for the processing and manipulation of data or
the direction and manipulation of such equipment.

COMPUTER VIRUS means a set of corrupting, harmful or otherwise
unauthorised instructions or code including a set of maliciously
introduced unauthorised instructions or code, programmatic or
otherwise, that propagate themselves through a computer system
or network of whatsoever nature. COMPUTER VIRUS includes but is not limited to
'Trojan Horses', 'worms' and 'time or logic bombs'.

b) However, in the event that a peril listed below results
from any of the matters described in paragraph a) above, this
Policy, subject to all its terms, conditions and exclusions
will cover physical damage occurring during the Policy period
to property insured by this Policy directly caused by such listed
peril.

Listed Perils
Fire
Explosion

- Electronic Data Processing Media Valuation

Notwithstanding any provision to the contrary within the Policy or any endorsement
thereto, it is understood and agreed as follows:

Should electronic data processing media insured by this Policy
suffer physical loss or damage insured by this Policy, then the
basis of valuation shall be the cost to repair, replace or restore
such media to the condition that existed immediately prior to such
loss or damage, including the cost of reproducing any ELECTRONIC
DATA contained thereon, providing such media is repaired, replaced
or restored. Such cost of reproduction shall include all reasonable
and necessary amounts, not to exceed [Response] any one loss, incurred
by the Assured in recreating, gathering and assembling such ELECTRONIC
DATA. If the media is not repaired, replaced or restored the basis
of valuation shall be the cost of the blank media. However this
Policy does not insure any amount pertaining to the value of such
ELECTRONIC DATA to the Assured or any other party, even if such
ELECTRONIC DATA cannot be recreated, gathered or assembled.

NMA 2914 25/01/2001
Not only are we seeing more and more European direct insurers require this
exclusion, but we are also seeing more and more U.S. insurers "dupe" the foregoing
language into their own computer virus exclusions and require them. A couple
of features of this exclusion—whether coming in NMA 2914 itself or a knock-off—are
notable.
First, the exclusion for data, programs and software in the first part of
the endorsement is all-inclusive. But for the buy-back in the second part of
the endorsement, not even data losses that are caused by fire, explosion, and
other traditional perils would be covered. Accordingly, don't overlook the importance
of the second part of the exclusion—it's more than just valuation language or
a place to stick a sublimit (a point that has been overlooked more than once
by insurer, risk manager, and broker alike).
Second, note that the "ensuing loss" exception is on a specified-perils basis,
limited to fire and explosion. What about the myriad other ensuing losses that
could occur after a data, software, or program loss?! This "ensuing loss" exception
should be on an "all-risk" basis. I find it telling that several U.S. insurers
agree that the exception should be on an "all-risk" basis. In my view, it's
just bad form to limit the exception to specified perils.
In any event, what's left when this type of exclusion is attached? If loss
of data occurs because the "media" on which such data was stored is damaged,
then coverage might be afforded, provided the loss is otherwise covered. However,
if the loss involves just loss or corruption of data, whether by virus or otherwise,
without any physical damage to the "media" on which the data resides, the exclusion
appears to apply. Also, this exclusion has no express exception for employee
malicious destruction. If an employee launches a virus, or otherwise corrupts,
damages, destroys, deletes or adversely affects data, software, or programs
without damaging the "media" on which such information is stored, will NMA 2914
bar coverage? These and other similar questions will be tested in court as NMA
2914 and exclusions like it are put on more and more property programs.
Not My Insurer!
You might be saying to yourself that not all property insurers are using this type of exclusion, so I'm being a "Cassandra."
It is true that, as reported previously in this column, a few direct property
insurers (most notably, FM Global) are still providing computer virus coverage
on their property programs. However, if one of these insurers is used in a quota
share program with European insurers, the European insurers are insisting on
the use of NMA 2914, and these insurers are forced to use it on their forms
for their quota share of the program. (This feature of quota share programs
is called something like the "best terms" principle, but I see it as the "lowest
common denominator" principle.)
And yes, it is true that some (if not many) crime insurers will cover first-party
computer virus risk. But to date I have not seen a crime insurer remove the "potential income" and/or "indirect loss" exclusions
or otherwise confirm that the policy will cover business interruption, extra
expense, and other time element losses due to computer virus loss. So, what
type of protection is that (especially given the example at the outset of this
article, where of the total $15 million loss, only $2 million of it was for
remediation costs, whereas $13 million of it was for business interruption loss)?
Even for those property insurers who are not yet using computer virus exclusions
when they are doing the whole program (rather than being involved in a quota
share program), there are signs of problems ahead. For example, we are seeing
sublimits on the coverage that are not much better than what one can get in
the stand-alone e-business insurance market for computer virus coverage.
Even more problematic, rumor has it that even these insurers will lose reinsurance
support for computer virus risk in mid-2002 with their upcoming reinsurance
renewals because their reinsurers intend to use NMA 2914 or its equivalent on
their reinsurance policies. If such direct insurers have to take computer virus
exposure on net, one would assume that such insurers would have to even further
decrease the sublimits on the computer virus coverage they can offer each of
their insureds, or do away with the coverage altogether, to address their aggregate
exposure risk.
Conclusion
Based on the foregoing, we repeat an observation we made last year—it would
seem that now or in the near future corporate insureds that want to insure first-party
computer virus risk really have only one alternative—the stand-alone e-business
insurance market. But is that true? Maybe not. There might be another alternative.
Stay tuned for the next installment in this column, because I hope to be in
a position to write publicly about this alternative in the next couple of months.
In any event, our prediction is that we will see in 2002 the end of computer
virus coverage as we have known it.