Background

Cyber Incident Exclusion

Cyber Incident Exclusion With Ensuing Cause(s) Of Loss Exceptions

Spoilage Coverage

Background

The cyber exposures of today were not contemplated when ISO developed the coverages  reflected in its Commercial Property and Businessowners coverage forms over 30 years ago. In fact, the terms cyber and distributed denial-of-service (DDoS) attacks  are somewhat relatively new terms to the industry, and the impact of such attacks can be catastrophic. Also, until fairly recently, an insured had no way to cover cyber attacks. Now, such coverage can be obtained from a cyber insurance policy, such as  ISO's Commercial Cyber Insurance Policy.

A cyber attack targets an enterprise's use of cyberspace (internet, cloudspace), for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of data or stealing data or information.

A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. Such an attack can be highly effective by attacking multiple systems as sources of attack traffic.

Cyber attacks can cause direct loss, such as totally damaging or destroying an entire computer network of servers or computers; or indirect loss, such as damaging the data lines that serve industrial control systems and causing interruptions to those data lines.

Cyber Incident Exclusion – CP 10 75 12 20 and BP 15 60

Exclusions:

We will not pay for loss or damage caused directly or indirectly by the following. Such loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.

Analysis:

The Cyber Incident Exclusion endorsement adds an exclusion for loss or damage to covered property caused directly or indirectly by a cyber incident, regardless of any other contributing cause or event, concurrently or in any sequence to the loss. While this is a broad exclusion, there is an exception for loss or damage caused by fire or explosion resulting from a cyber incident; and the exclusion contains an exception so that it does not apply to the extent coverage is provided in the Additional Coverage for Electronic Data, or the Additional Coverage for Interruption of Computer Operations. The exclusion also contains an exception so that it does not apply to the Electronic Commerce (E-Commerce) endorsement if attached to the policy.

Cyber Incident

1. Unauthorized access to or use of any computer system (including electronic data). 2. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into any computer system (including electronic data) and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of any computer system (including electronic data) or otherwise disrupt  its normal functioning or operation. 3. Denial of service attack which disrupts, prevents or restricts access to or use of any computer system, or otherwise disrupts its normal functioning or operation.

Analysis:

The exclusion defines cyber incident to include unauthorized access to, or use of, any computer system; a malicious code, virus or any other harmful code that is directed at, enacted upon, or introduced to, any computer system;  and a denial of service attack. The definition is comprehensive in an effort to encompass any type of computer manipulation that would prevent or restrict access, or otherwise disrupt the normal functioning or operation of a computer system, including electronic data. So, if an insured's employee accidentally opened a link in a phishing email, and in so doing malware was spread throughout the insured's computer systems, this exclusion would preclude coverage for such loss.