The End of Computer Virus Coverage as We Know It?
Michael Rossi | May 1, 2002
Mike Rossi updates readers on problematic e-business insurance issues he's seeing during 2002 property insurance renewals and in conversations with insurers at RIMS.
We try to regularly comment on first-party computer virus insurance issues in this column because, whether rightly or wrongly, we view this as one of the more problematic e-business insurance issues with which corporate insureds are dealing. This update incorporates our thoughts based on what we're seeing and hearing during 2002 property insurance renewals as of April 1, 2002, as well as discussing matters with several insurers and brokers at the recent Risk and Insurance Management Society, Inc. (RIMS), Annual Conference in New Orleans.
What Is the Exposure?
To put things into perspective, let me start by making two observations. The first is that a company's exposure to computer virus risk is not limited to loss of online revenue because a website "goes down." I don't even like using that measurement as a risk assessment tool. Rather, I keep coming back to a real-life scenario that convinces me that companies should have coverage for first-party computer virus risk.
Consider the following example of a company that manufactures products which run on software. One day an employee dialed in remote, a virus was introduced into the company's network, got into the assembly line, and was loaded onto the products as software was being installed into the products as they were being assembled. By the time the virus was discovered, the insured had to shut down the assembly line, remediate the problem, and deal with the infected product. The total loss was approximately US$15 million (about $2 million in remediation costs, and $13 million in business interruption). This loss was covered by the company's property insurance program.
This real-life loss should be a wake-up call to all risk managers. Don't assume that you can self-insure first-party computer virus risk because you don't have a lot of online revenues. Ask yourself what company operations depend on computer programs running correctly, on the ability to access uncorrupted data, etc. Also ask yourself if your products have software, data, or programs in them. I believe that if you start asking yourself these questions and others like them, the conclusion will be that you have exposure to first-party computer virus risk.
The second observation is that it appears that the vast majority of insurers and reinsurers in the United Kingdom and Continental Europe, from a philosophical perspective, do not believe that a loss caused by computer virus involves the type of "physical loss or damage" required to trigger coverage under a property policy. Put another way, such insurers and reinsurers, according to them, never intended to cover computer virus loss under property policies.
Computer Virus Exclusions
This belief is having a dramatic impact on the insurability of first-party computer virus risk under property insurance. Without reinsurance support for this risk for traditional property policies, we're seeing an alarming increase in the use of computer virus exclusions on property programs placed around the world. There is one particular exclusion we are seeing most frequently. It was created by the Non Marine Association in London, and goes by the name "NMA 2914." It reads as follows:
Electronic Data Endorsement A
- Electronic Data Exclusion
Notwithstanding any provision to the contrary within the Policy or any endorsement thereto, it is understood and agreed as follows:
- This Policy does not insure, loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
ELECTRONIC DATA means facts, concepts and information converted to a form useable for communications, interpretation or processing by electronic and electromechanical data processing or electronically controlled equipment and includes programmes, software, and other coded instructions for the processing and manipulation of data or the direction and manipulation of such equipment.
COMPUTER VIRUS means a set of corrupting, harmful or otherwise unauthorised instructions or code including a set of maliciously introduced unauthorised instructions or code, programmatic or otherwise, that propagate themselves through a computer system or network of whatsoever nature.
COMPUTER VIRUS includes but is not limited to 'Trojan Horses', 'worms' and 'time or logic bombs'.
- However, in the event that a peril listed below results from any of the matters described in paragraph a) above, this Policy, subject to all its terms, conditions and exclusions will cover physical damage occurring during the Policy period to property insured by this Policy directly caused by such listed peril.
Listed Perils
Fire
Explosion
- This Policy does not insure, loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
- Electronic Data Processing Media Valuation
Notwithstanding any provision to the contrary within the Policy or any endorsement thereto, it is understood and agreed as follows:
Should electronic data processing media insured by this Policy suffer physical loss or damage insured by this Policy, then the basis of valuation shall be the cost to repair, replace or restore such media to the condition that existed immediately prior to such loss or damage, including the cost of reproducing any ELECTRONIC DATA contained thereon, providing such media is repaired, replaced or restored. Such cost of reproduction shall include all reasonable and necessary amounts, not to exceed [Response] any one loss, incurred by the Assured in recreating, gathering and assembling such ELECTRONIC DATA. If the media is not repaired, replaced or restored the basis of valuation shall be the cost of the blank media. However this Policy does not insure any amount pertaining to the value of such ELECTRONIC DATA to the Assured or any other party, even if such ELECTRONIC DATA cannot be recreated, gathered or assembled.
NMA 2914
25/01/2001
Not only are we seeing more and more European direct insurers require this exclusion, but we are also seeing more and more U.S. insurers "dupe" the foregoing language into their own computer virus exclusions and requiring them. A couple of features of this exclusion—whether coming in NMA 2914 itself or a knock-off—are notable.
First, the exclusion for data, programs and software in the first part of the endorsement is all-inclusive. But for the buy-back in the second part of the endorsement, not even data losses that are caused by fire, explosion, and other traditional perils would be covered. Accordingly, don't overlook the importance of the second part of the exclusion—it's more than just valuation language or a place to stick a sublimit (a point that has been overlooked more than once by insurer, risk manager, and broker alike).
Second, note that the "ensuing loss" exception is on a specified-perils basis, limited to fire and explosion. What about the myriad other ensuing losses that could occur after a data, software, or program loss?! This "ensuing loss" exception should be on an "all-risk" basis. I find it telling that several U.S. insurers agree that the exception should be on an "all-risk" basis. In my view, it's just bad form to limit the exception to specified perils.
In any event, what's left when this type of exclusion is attached? If loss of data occurs because the "media" on which such data was stored is damaged, then coverage might be afforded, provided the loss is otherwise covered. However, if the loss involves just loss or corruption of data, whether by virus or otherwise, without any physical damage to the "media" on which the data resides, the exclusion appears to apply. Also, this exclusion has no express exception for employee malicious destruction. If an employee launches a virus, or otherwise corrupts, damages, destroys, deletes or adversely affects data, software, or programs without damaging the "media" on which such information is stored, will NMA 2914 bar coverage? These and other similar questions will be tested in court as NMA 2914 and exclusions like it are put on more and more property programs.
Not My Insurer!
You might be saying to yourself that not all property insurers are using this type of exclusion, so I'm being a "Cassandra." It is true that, as reported previously in this column, a few direct property insurers (most notably, FM Global) are still providing computer virus coverage on their property programs. However, if one of these insurers is used in a quota share program with European insurers, the European insurers are insisting on the use of NMA 2914, and these insurers are forced to use it on their forms for their quota share of the program. (This feature of quota share programs is called something like the "best terms" principle, but I see it as the "lowest common denominator" principle.)
And yes it is true that some (if not many) crime insurers will cover first-party computer virus risk. But to date I have not seen a crime insurer remove the "potential income" and/or "indirect loss" exclusions or otherwise confirm that the policy will cover business interruption, extra expense, and other time element losses due to computer virus loss. So, what type of protection is that (especially given the example at the outset of this article, where of the total $15 million loss, only $2 million of it was for remediation costs, whereas $13 million of it was for business interruption loss)?
Even for those property insurers who are not yet using computer virus exclusions when they are doing the whole program (rather than being involved in a quota share program), there are signs of problems ahead. For example, we are seeing sublimits on the coverage that are not much better than what one can get in the stand-alone e-business insurance market for computer virus coverage.
Even more problematic, rumor has it that even these insurers will lose reinsurance support for computer virus risk in mid-2002 with their upcoming reinsurance renewals because their reinsurers intend to use NMA 2914 or its equivalent on their reinsurance policies. If such direct insurer have to take computer virus exposure on net, one would assume that such insurers would have to even further decrease the sublimits on the computer virus coverage they can offer each of their insureds, or do away with the coverage altogether, to address their aggregate exposure risk.
Conclusion
Based on the foregoing, we repeat an observation we made last year—it would seem that now or in the near future corporate insureds that want to insure first-party computer virus risk really have only one alternative—the stand-alone e-business insurance market. But is that true? Maybe not. There might be another alternative. Stay tuned for the next installment in this column, because I hope to be in a position to write publicly about this alternative in the next couple of months. In any event, our prediction is that we will see in 2002 the end of computer virus coverage as we have known it.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
