Summary: When we first wrote about the introduction of the ISO commercial property and businessowners cyber incident exclusion endorsements back in 2020, the filings had not yet been made for the businessowners program. Since that time, the businessowner cyber incident exclusion endorsement BP 15 60 was filed with an edition date of 02 21.
Because cyber continues to be an evolving exposure, impacting data privacy and electronic data, ISO is now introducing another cyber incident exclusion endorsement and updating several existing endorsements with respect to data privacy and electronic data. These new and revised endorsements will be available for policies effective 1/1/2024. Coinciding with these changes, endorsement BP 15 05 - Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included, is being withdrawn.
Due to the number of endorsements being discussed, we have divided this analysis into two parts.
Part One discussed the cyber incident, data privacy, and electronic data liability exclusion endorsements.
Part Two discusses the endorsements available to provide some limited coverage for cyber incidents and electronic data liability.
Topics Covered:
Electronic data liability – broad coverage BP 05 96
|Background
The cyber exposures of today were not contemplated when ISO developed the coverages reflected in its Commercial Property and Businessowners coverage forms over 30 years ago. In fact, the terms cyber and distributed denial-of-service (DDoS) attacks are somewhat relatively new terms to the industry, and the impact of such attacks can be catastrophic. Also, until fairly recently, an insured had no way to cover cyber attacks. Now, such coverage can be obtained from a cyber insurance policy, such as ISO's Commercial Cyber Insurance Policy CY 00 01 01 18 (CA, FL and VI); or CY 00 02 11 21 (all other states). See the Cyber Forms List here, and the cyber forms analyses can be found here.
ISO has continued to monitor the ever evolving cyber landscape, including so called 'silent' cyber exposures and how policies may be affected. As the use of technology expands, and the use of connected devices increases, and as hackers become more sophisticated, the possibility of related events contributing to property damage and/or bodily injury may be heightened.
A cyber attack targets an enterprise's use of cyberspace (internet, cloudspace), for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of data or stealing data or information.
A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. Such an attack can be highly effective by attacking multiple systems as sources of attack traffic.
Cyber attacks can cause direct loss, such as totally damaging or destroying an entire computer network of servers or computers; or indirect loss, such as damaging the data lines that serve industrial control systems and causing interruptions to those data lines.
|Cyber Incident Liability Coverage Subject to Each Cyber Incident Occurrence and Aggregate Limits BP 18 07
Section II – Liability is amended as follows:
A. Coverage provided by this insurance for damages because of "bodily injury" or "property damage" caused by a "cyber incident" is subject to the Each Cyber Incident Occurrence Limit and Cyber Incident Aggregate Limit as described in Paragraph D. of this endorsement.
Analysis:
This endorsement BP 18 07 12 23 allows for scheduling of a limited amount of liability coverage for each cyber incident occurrence, subject to an applicable aggregate limit for all such cyber incidents. The endorsement covers damages because of bodily injury or property damage caused by a cyber incident, but does not provide coverage for personal and advertising injury liability.
B. For the purposes of the coverage provided by this endorsement:
|
- Paragraph q. Electronic Data of 1. Applicable To Business Liability Coverage under B. Exclusions is replaced by the following:
This insurance does not apply to:
q. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data".
However, this exclusion does not apply to liability for damages because of:
(1) "Bodily injury"; or (2) "Property damage" caused by a "cyber incident".
2. The following is added to Paragraph B. Exclusions:
Cyber Incident Costs Or Expenses
Damages claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".
C. The following is added to Paragraph p. Personal And Advertising Injury of 1. Applicable To Business Liability Coverage under B. Exclusions:
This insurance does not apply to:
Cyber Incident
"Personal and advertising injury" arising out of a "cyber incident".
This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".
Analysis:
By amending the electronic data exclusion, the endorsement adds a cyber incident exception that covers damages because of bodily injury or property damage caused by a cyber incident. However, as further described in paragraph C. of the endorsement, the coverage does not extend to personal and advertising injury liability arising out of a cyber incident.
This premium content is locked for FC&S Coverage Interpretation Subscribers
Enjoy unlimited access to the trusted solution for successful interpretation and analyses of complex insurance policies.
- Quality content from industry experts with over 60 years insurance experience, combined
- Customizable alerts of changes in relevant policies and trends
- Search and navigate Q&As to find answers to your specific questions
- Filter by article, discussion, analysis and more to find the exact information you’re looking for
- Continually updated to bring you the latest reports, trending topics, and coverage analysis
Already have an account? Sign In Now
For enterprise-wide or corporate access, please contact our Sales Department at 1-800-543-0874 or email [email protected]