Summary: The Insurance Services Office (ISO) introduced optional coverage for cyber and data breach liability for the Businessowners program with the Information Security Protection Endorsement, BP 15 07 03 15. The endorsement may be further modified by using the Payment Card Industry (PCI) – Provide Coverage For Defense Expenses And Fines Or Penalties endorsement, BP 15 08 03 15, and Provide Coverage For Dishonest, Malicious Or Fraudulent Acts Committed By Employees endorsement, BP 15 10 03 15.

Introduction

In 2015 ISO introduced the Information Security Protection Endorsement, for use with the Businessowners program, to address data and cyber breach exposures.

Coverage is provided in three tiers. Tier 1 is automatically provided if the endorsement is attached to the policy and includes insuring agreements for replacement or restoration of electronic data, public relations expense, and security breach expense.

Tier 2 is applicable only when an insured places an "X" in the appropriate box on the schedule. This tier provides coverage for security breach liability on a claims-made basis. Tier 1 coverage must be provided if Tier 2 coverage is provided.

Tier 3 is applicable only if Tier 2 is also selected and the insured places an "X" in the appropriate box on the schedule. Tier 3 provides coverage for extortion threats, business income and extra expense, and website publishing liability (on a claims-made basis). Tier 1 and Tier 2 coverage must be provided if Tier 3 coverage is provided.

The schedule contains a space to enter a retroactive date, which applies only to the insuring agreements for security breach liability and website publishing liability. Wrongful acts that occur prior to the retroactive date are not covered even if a claim was first made during the policy period, the basic extended reporting period, or the supplemental extended reporting period. If no retroactive date is entered, coverage may be afforded for wrongful acts occurring prior to the inception date of the policy.

A basic extended reporting period also applies only to the insuring agreements for security breach liability and website publishing liability; it begins at the end of the policy period and lasts thirty days. Claims that are covered under subsequent insurance purchased, or that would be covered if the aggregate limit had not been exhausted, are not covered by the basic extended reporting period. The period does not provide an additional limit of insurance. A supplemental extended reporting period may also be purchased for these two insuring agreements; the named insured must request it in writing within thirty days after the end of the policy period or the effective date of cancellation. That period lasts one year, beginning when the thirty-day basic extended reporting period ends, and it likewise provides no additional limit of insurance.

ISO rules state that the form may be written with an aggregate limit of $10,000, $25,000, $50,000, $75,000, or $100,000. Deductibles, where applicable, are available in amounts of $500, $1,000, $2,500, or $5,000.

ISO lists the following risk characteristics for this exposure: whether the insured conducts online transactions; whether remote access to the insured's computer system is granted to authorized third parties; whether the insured has a website or social media profiles; whether the insured collects data from customers or visitors to its website; whether the insured collects or retains information on minors; whether the insured uses medical records in daily business, or uses background or credit checks in daily business and retains the information; and whether the insured uses encryption in customer communications.

According to the ISO rules, the following are high hazard classifications: accounting services, collection agencies, credit reporting agencies, detective and investigative agencies, employment agencies, financial planners, insurance agents, lawyers, mailing or addressing companies, medical offices, health maintenance organizations, and payroll accounting services.

Tier 1 First-Party Expense Coverages

A. Tier 1 First-Party Expense Coverages

For the purposes of the coverage provided by this Endorsement, the following is added to Paragraph A.5. Additional Coverages of Section I – Property:

Insuring Agreements

Coverage is provided under the following Insuring Agreements:

a. Replacement Or Restoration Of Electronic Data

We will pay for "loss" of "electronic data" (as defined in Paragraph R. of this Endorsement) or "computer programs" stored within the "computer system" resulting directly from an "e-commerce incident" sustained during the "policy period".

b. Public Relations Expense

We will pay for "loss" due to "negative publicity" resulting directly from an "e-commerce incident" or a "security breach" sustained during the "policy period".

c. Security Breach Expense

We will pay for "loss" resulting directly from a "security breach" sustained during the "policy period".

Analysis:

Endorsement BP 15 07 adds the Tier 1 coverage—applicable to first-party exposures—to the additional coverages section of the Businessowners Coverage Form.

The form will pay for costs the insured incurs to replace or restore electronic data or computer programs. These costs include the costs of reprogramming, computer consultation services, and data entry.

In this insuring agreement, "electronic data" means digital information, facts, images or sounds stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software) on electronic storage devices including, but not limited to, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. "Electronic data" is not tangible property. "Electronic data" does not include your "electronic data" that is licensed, leased, rented or loaned to others.

Losses under this insuring agreement must result directly from an e-commerce incident. "E-commerce incident" is a defined term and means

"Virus"; Malicious code; or Denial of service attack; introduced into or enacted upon the "computer system" (including "electronic data") or a network to which it is connected, that is designed to damage, destroy, delete, corrupt or prevent the use of or access to any part of the "computer system" or otherwise disrupt its normal operation. Recurrence of the same "virus" after the "computer system" has been restored shall constitute a separate "e-commerce incident".

So, if the latest computer virus infects the insured's computer system, the costs to restore or replace the lost or damaged electronic data will be covered.

Under the public relations expense insuring agreement, negative publicity—meaning "information which has been made public that has caused, or is reasonably likely to cause, a decline or deterioration in the reputation of the Named Insured or of one or more of its products or services"—caused by an e-commerce incident or a security breach is covered.

"Security breach" means

the acquisition of "personal information" held within the "computer system" or in non-electronic format while in the care, custody or control of the insured or authorized "third party" by a person:
