Part Two discusses the endorsements available to provide some limited coverage for cyber incidents and electronic data liability.

Topics Covered:

Background

Cyber incident liability coverage and electronic data liability coverage subject to loss of electronic data, each cyber incident occurrence and aggregate limits BP 18 08

Electronic data liability – limited coverage subject to cyber incident exclusion, deletion of bodily injury exception BP 18 05

Exclusion – electronic data – deletion of bodily injury exception BP 18 09

Electronic data liability – limited coverage subject to cyber incident exclusion BP 05 95

Electronic data liability – broad coverage BP 05 96

Background

The cyber exposures of today were not contemplated when ISO developed the coverages  reflected in its Commercial Property and Businessowners coverage forms over 30 years ago. In fact, the terms cyber and distributed denial-of-service (DDoS) attacks are somewhat relatively new terms to the industry, and the impact of such attacks can be catastrophic. Also, until fairly recently, an insured had no way to cover cyber attacks. Now, such coverage can be obtained from a cyber insurance policy, such as ISO's Commercial Cyber Insurance Policy CY 00 01 01 18 (CA, FL and VI); or CY 00 02 11 21 (all other states). See the Cyber Forms List here, and the cyber forms analyses can be found here.

ISO has continued to monitor the ever evolving cyber landscape, including so called 'silent' cyber exposures and how policies may be affected. As the use of technology expands, and the use of connected devices increases, and as hackers become more sophisticated, the possibility of related events contributing to property damage and/or bodily injury may be heightened.

A cyber attack targets an enterprise's use of cyberspace (internet, cloudspace), for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of data or stealing data or information.

A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. Such an attack can be highly effective by attacking multiple systems as sources of attack traffic.

Cyber attacks can cause direct loss, such as totally damaging or destroying an entire computer network of servers or computers; or indirect loss, such as damaging the data lines that serve industrial control systems and causing interruptions to those data lines.

Cyber Incident Liability Coverage Subject to Each Cyber Incident Occurrence and Aggregate Limits BP 18 07

Section II – Liability is amended as follows:

A. Coverage provided by this insurance for damages because of "bodily injury" or "property damage" caused by a "cyber incident" is subject to the Each Cyber Incident Occurrence Limit and Cyber Incident Aggregate Limit as described in Paragraph D. of this endorsement.

Analysis:

This endorsement BP 18 07 12 23 allows for scheduling of a limited amount of liability coverage for each cyber incident occurrence, subject to an applicable aggregate limit for all such cyber incidents. The endorsement covers damages because of bodily injury or property damage caused by a cyber incident, but does not provide coverage for personal and advertising injury liability.

B. For the purposes of the coverage provided by this endorsement:

|

1. Paragraph q. Electronic Data of 1. Applicable To Business Liability Coverage under B. Exclusions is replaced by the following:

This insurance does not apply to:

q. Electronic Data

Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data".

However, this exclusion does not apply to liability for damages because of:

(1) "Bodily injury"; or (2) "Property damage" caused by a "cyber incident".

2. The following is added to Paragraph B. Exclusions:

Cyber Incident Costs Or Expenses

Damages claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".

C. The following is added to Paragraph p. Personal And Advertising Injury of 1. Applicable To Business Liability Coverage under B. Exclusions:

This insurance does not apply to:

Cyber Incident

"Personal and advertising injury" arising out of a "cyber incident".

This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".

Analysis:

By amending the electronic data exclusion, the endorsement adds a cyber incident exception that covers damages because of bodily injury or property damage caused by a cyber incident. However, as further described in paragraph C. of the endorsement, the coverage does not extend to personal and advertising injury liability arising out of a cyber incident.