Viruses, Trojans and Spyware, Oh My! The Yellow Brick

The following article is from National Underwriter’s latest online resource,
FC&S Legal: The Insurance Coverage Law Information Center.
VIRUSES, TROJANS AND SPYWARE, OH MY! THE YELLOW BRICK ROAD
TO COVERAGE IN THE LAND OF INTERNET OZ – PART IV
By Roberta D. Anderson
Insurance can play a vital role in a company’s overall strategy to address and mitigate cyber risk and to maximize protection against
the increasing threat it poses. In the final part of this four-part article, the author examines the types of coverage
available to address and mitigate cyber risk under the new “cyber” insurance products.
Filling Potential Gaps in the Road: Specialty “Cyber” Policies
The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network
security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for
coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other “traditional” policies.1
Insurers are marketing newer insurance products specifically tailored to cover cyber risks. Coverage for cyber risks has been called
“the new frontier of the 21st century market.”2 Cyber risk policies can be extremely valuable. Although “traditional” policies will
likely cover some of the cyber risks a company faces, there inevitably will be gaps in coverage, insurers invariably will argue that
“traditional” policies do not respond to cyber risks, and costly coverage disputes are likely to ensue. For these reasons, virtually every
company that relies upon technology in its day-to-day operations or that handles PII or confidential business information should
seriously consider cyber coverage as part of its overall risk management strategy, particularly in the wake of the recent explosion
of data breaches and increasing regulatory scrutiny. Companies should not, however, focus on data and privacy liability to the exclusion of
potentially more substantial sources of loss or liability, such as supply chain disruption, “cloud” security failure or disruption, or intellectual
property infringement claims.
Even companies that believe they may have relatively less cyber risk exposure may be well served to backstop IT security safeguards
by filling gaps in existing insurance coverage through standalone cyber policies or tailored endorsements. Of course, companies
that have already purchased specialty “cyber” policies should be fully familiar with the coverage provided so that they can take full
advantage of the coverage – and negotiate enhanced terms at renewal. In addition, companies should carefully review the coverage
they have purchased to ensure that it adequately addresses the company’s risk profile and requirements.
Although “cyber” coverage has been around since the 1990s, the new coverages have evolved significantly in terms of scope,
availability and pricing in recent years.3 The new cyber policies may come under names such as “Privacy and Security,” “Network
Security,” and names that incorporate “Cyber,” “Privacy,” “Media” or some form of “Technology” or “Digital.” ISO has a standard
form called “Internet Liability and Network Protection Policy.”4
Many are sold in a “modular” format (even within the same policy),5 permitting a company to choose some or all of several
different types of cyber coverage, or as an optional part of a packaged policy that may provide, for example, E&O, D&O, crime, cyber
and EPL coverages. These products also may be combined with other types of insurance coverage, such as E&O coverage. Policies
are typically written on a claims-made and reported basis, with coverage available on a worldwide basis.6
Many cyber risk policies offer both first-party and third-party cyber coverage as separate coverage parts. Companies can often
select coverages on an individual or combined basis. The types of losses and liabilities that cyber risk policies may cover include the
following:
• losses resulting from a data breach, including defense and indemnity costs associated with third-party claims
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
• response costs associated with post-breach remediation, including notification requirements, credit monitoring, call centers, public relations
efforts, forensics and crisis management
• regulatory investigations, fines and/or penalties
• losses resulting from a misappropriation of intellectual property or confidential business information
• losses resulting from the receipt or transmission of malicious code, denial of third-party access to the insured’s network, and other security
threats to networks
• the cost to restore or recover data that is lost or damaged
• business interruption resulting from operations being disabled by a cyber attack
• cyber extortion
Cyber insurance products also increasingly offer pre- and post-loss risk management services, such as pre-loss employee privacy
training and post-loss forensics, credit monitoring and data breach notification services.
Although the coverages can be very valuable, choosing the right cyber insurance product presents a real and significant challenge.
For starters, there is a dizzying array of cyber products in the marketplace, each with its own different terms and conditions that
vary quite dramatically from insurer to insurer – even from policy to policy underwritten by the same insurer.7 In addition, the
range of e-commerce activities engaged in by different companies is far-reaching and diverse. Even more than is the case with
most types of insurance policies, therefore, successful negotiation and placement of cyber coverage requires identification and
consideration of a company’s specific risk profile and risk tolerance, knowledge of the available coverages in the marketplace, and
careful attention to the specific policy language under consideration.8 Successful placement of this coverage often requires the
input, not only of the risk management department and the broker, but also in-house legal, IT, resources and compliance personnel
in addition to insurance coverage counsel.
The “good” news is that the market is competitive and cyber insurance products are highly negotiable. The terms of the insurer’s
“specimen” policy can often be significantly enhanced and customized to respond to the insured’s particular circumstances—often for
no increase in premium. In addition, if an IT security or compliance assessment is required as a predicate to placement of coverage,
the insurer typically pays for such assessment. This exercise can be useful to a company, even if the coverage ultimately is not
purchased.
The author is unaware of any cases addressing coverage under these newer policies. An overview of certain types of coverage
available under these policies is provided below. It is important to remember that the actual language contained in the policy issued
to an insured could be substantially different from an insurer’s “off the shelf” specimen policy.
Third-Party “Cyber” Coverages
Privacy and Network Security
“Third-party” cyber liability policies typically cover the insured against liability arising from, for example, data breaches, transmission
of malicious code, denial of third-party access to the insured’s network, and other security threats to networks. The “triggers” of
coverage may include:
• failure to secure data
• network security failure, including unauthorized access to or unauthorized use of the insured’s network
• acts, errors or omissions of employees
• acts, errors or omissions of third party subcontractors, vendors and “cloud” providers
• theft or loss of property (such as data on a laptop or storage media)
By way of example, the new Hartford CyberChoice 2.09SM9 specimen policy provides coverage for loss of customer data, denial
of access, and other cyber risk events. The specimen policy states that the insurer will pay “damages” that the insured “shall
become legally obligated to pay as a result of a Claim … alleging a Data Privacy Wrongful Act or a Network Security Wrongful
Act.”10 “Data Privacy Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in: the
improper dissemination of Nonpublic Personal Information” 11 or “any breach or violation by the Insured of any Data Privacy
Laws.”12 “Network Security Wrongful Act” is defined to include “any negligent act, error or omission by the Insured resulting in
Unauthorized Access or Unauthorized Use of the Organization’s Computer System, the consequences of which include, but are
not limited to:
(1) the failure to prevent Unauthorized Access to, use of, or tampering with a Third Party’s computer systems;
(2) the inability of an authorized Third Party to gain access to the Insured’s services;
(3) the failure to prevent denial or disruption of Internet service to an authorized Third Party;
(4) the failure to prevent Identity Theft or credit/debit card fraud; or
(5) the transmission of Malicious Code.” 13
“Malicious Code” includes “unauthorized and either corrupting or harmful software code, including but not limited to computer
viruses, Trojan horses, worms, logic bombs, spy-ware, malware or spider ware.” 14
The AIG Specialty Risk Protector® specimen policy15 provides similar types of coverage. The specimen policy states that the insurer will
“pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging a Security Failure or a Privacy Event.”16
“Privacy Event” includes:
(1) any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including,
without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
(2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
(3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments,
settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.17
“Security Failure” includes the following:
(1) a failure or violation of the security of a Computer System including, without limitation, that which results in or fails to mitigate any
unauthorized access, unauthorized use, denial of service attack or receipt or transmission of a malicious code;
(2) physical theft of hardware controlled by a Company (or components thereof) on which electronic data is stored, by a person other than an
Insured, from a premises occupied and controlled by a Company; or
(3) failure to disclose an event referenced in Sub-paragraphs (1) or (2) above in violation of any Security Breach Notice Law.18
“Security Failure” also “includes any such failure or violation, resulting from the theft of a password or access code from an Insured’s
premises, the Computer System, or an officer, director or employee of a Company by non-electronic means in direct violation of a
Company’s specific written security policies or procedures.”19
There are numerous other products currently available on the market that respond to third-party cyber risks, including but not limited
to:
• ACE’s DigiTech® specimen policy,20 which generally covers against liability for, among other things, failures to: “protect against
unauthorized access to, unauthorized use of, a denial of service attack by a third party directed against, or transmission of unauthorized,
corrupting or harmful software code to, the Insured’s Computer System”21; or “properly handle, manage, store, destroy or otherwise control
… Personal Information.”22
• The Philadelphia Insurance Company’s Cyber Liability specimen policy,23 which generally covers against liability for claims related to,
among other things, “[u]nauthorized access of [the insured’s] computer system or unauthorized use of computer systems,” “[a] denial of
service attack against your computer systems” or “[i]nfection of [the insured’s] computer systems by malicious code or transmission of
malicious code from [the insured’s]computer systems”; or “public disclosure of a person’s private information.”24
• CNA’s NetProtect 360SM specimen policy25 which generally covers against liability for claims arising out of, among other things, the
denial of access or use of an “Insured Entity’s Network,” “disruption or degradation of another’s Network” or “the unauthorized
copying, destruction, addition, deletion, alteration or theft of any information”; or claims for acts with respect to “Nonpublic Personal
Information.”26
• Axis’s PRO® TechNet Solutions™ specimen policy,27 which generally covers against liability for claims arising out of, among other things,
“release, unauthorized disclosure, theft, or loss of Protected Data”; “[u]nauthorized access to or unauthorized use of Protected Data on
the Insured’s Computer System that directly results in theft, alteration, destruction, deletion, corruption or damage of Protected Data”;
“[t]ransmitting or receiving Malicious Code via the Insured’s Computer System”; or “[u]nauthorized access to or unauthorized use of the
Insured’s Computer System that directly results in denial or disruption of access of authorized parties.”28
• Beazley’s AFB Media Tech® specimen policy,29 which generally covers against liability for claims arising out of, among other things,
“theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information” and the
“failure of Computer Security to prevent a Security Breach.”30
In purchasing this type of coverage, consideration should be given to, among other things, the types of data included in the coverage.
Certain types of covered data almost always are expressly included, such as PII. Data can also include confidential corporate data
and even non-electronic data, such as paper records. Another important consideration is whether the policy affords coverage to
information in the hands of third parties, including cloud service providers. Although some insurers may be reluctant to add third
party vendors and subcontractors,31 this coverage is expressly included by some carriers and can be endorsed if not initially included
by others.
Media Liability
Many “third-party” cyber risk policies include defense and indemnity coverage for claims alleging infringement of copyright
and other intellectual property rights and misappropriation of ideas or media content. Although it is important to recognize that
some coverage may already exist in the “Personal And Advertising Injury Liability” coverage section of the insured’s CGL policies,
as discussed above, more specific—and potentially substantially broader—coverage may be obtainable through the purchase of
specialty cyber coverage.32 Often the coverage includes, or can be extended to include, broad coverage for liabilities, including
infringement and misappropriation claims, arising out of the insured’s media content.
The new Hartford CyberChoice 2.09SM specimen policy states that the insurer will pay “damages” that the insured “shall become
legally obligated to pay as a result of a Claim alleging an e-Media Wrongful Act.”33 “e-Media Wrongful Act” includes “any negligent act,
error or omission” by the Insured that results in the following:
(1) infringement of copyright, service mark, trademark, or misappropriation of ideas or any other intellectual property right, other than
infringement of patents or trade secrets; defamation, libel, product disparagement, trade libel, false arrest, detention or imprisonment, or
malicious prosecution, infringement or interference with rights of privacy or publicity; wrongful entry or eviction; invasion of the right of
private occupancy; and/or plagiarism, misappropriation of ideas under implied contract invasion or other tort related to disparagement
or harm to the reputation or character of any person or organization in the Insured Entity’s Electronic Content or in the Insured Entity’s
Advertising; or
(2) misappropriation or misdirection of Internet based messages or media of third parties on the Internet by the Insured, including meta-tags,
web site domains and names, and related cyber content.34
“Advertising” and “Electronic Content” are defined as follows:
(A) Advertising means electronic promotional material and media, publicly disseminated on the Internet or any Website or offline
copies of such material and media, either by or on behalf of the Insured including banner and buttons, beacons and tracking,
branding, click tags and cookies, co-branding, directory listings, flash sites, metatags and coded media, rectangles and pop-ups,
search engine endorsements, sponsorships, skyscrapers, and/or endorsements.
*****
(P) Electronic Content means any data, e-mails, graphics, images, net or web casting, sounds, text, web site or similar matter disseminated
electronically, including matter disseminated electronically on a Website, Computer System or the Internet, and including content
disseminated by other means of media transmittal by the Insured Entity provided that it is a duplication of content already disseminated
electronically on the Insured Entity’s Internet Website, Computer System or the Internet.35
The ACE DigiTech® specimen policy “Electronic Media Activities Liability” coverage part provides a similar type of coverage. The
specimen form covers the insured’s “Wrongful Acts,” which is defined to include “any error, misstatement, misleading statement,
act, omission, neglect, breach of duty, or Personal Injury offense actually or allegedly committed or attempted by any Insured … in
the course of the provision of Electronic Media Activities [defined to include “the electronic publishing, dissemination, releasing,
gathering, transmission, production, webcasting, or other distribution of Electronic Content on the Internet …”], which gives rise to
any of the following Claims against an Insured”:
a. product disparagement, trade libel, infliction of emotional distress, mental anguish, outrage or outrageous conduct;
b. false light, public disclosure of private facts, or the intrusion and commercial appropriation of a name, persona or likeness;
c. plagiarism, piracy (excluding patent infringement), or the misappropriation or unauthorized use of advertising ideas, advertising material,
titles, literary or artistic formats, styles or performances;
d. the infringement of copyright, domain name, trademark, trade name, trade dress, title or slogan, service mark, or service name; or
e. negligence with respect to the Insured’s creation or dissemination of Electronic Content.36
Again, there are numerous other products currently available on the market that cover infringement of copyright and other intellectual
property rights, including but not limited to the Cybersecurity By ChubbSM37 specimen policy, Axis’s PRO® TechNet SolutionsTM38
specimen policy and Beazley’s AFB Media Tech® specimen policy.39
It is important to note that patent infringement typically is excluded under cyber liability policies, but it may be purchased separately.
Regulatory Liability
Many “third-party” cyber risk policies include defense and indemnity coverage for claims for civil, administrative or regulatory
proceedings, fines and penalties. By way of example, the Beazley AFB Media Tech® specimen policy provides the following
coverage:
The Underwriters agree with the Named Insured …
*****
To pay on behalf of the Insured:
Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any
Claim in the form of a Regulatory Proceeding, first made against any Insured during the Policy Period or Optional Extension Period (if
applicable) and reported in writing to the Underwriters during the Policy Period or as otherwise provided in Clause X. of this Policy,
resulting from a violation of a Privacy Law…. 40
“Regulatory Proceeding” is defined to include:
a request for information, civil investigative demand, or civil proceeding commenced by service of a complaint or similar proceeding
brought by or on behalf of the Federal Trade Commission, Federal Communications Commission, or any federal, state, local or foreign
governmental entity in such entity’s regulatory or official capacity in connection with such proceeding.41
The CNA NetProtect 360SM specimen policy provides a similar coverage grant:
If the Insuring Agreement has been purchased, as indicated in the Declarations, the Insurer will pay on behalf of the Insured all sums in
excess of the Deductible and up to the applicable limit of insurance that the Insured shall become legally obligated to pay:
*****
as Damages and Claim Expenses resulting from any Privacy Regulation Proceeding both first made against the Insured and reported
to the Insurer in writing during the Policy Period, or any Extended Reporting Period, if applicable, alleging any Wrongful Act by the
Insured or by someone for whose Wrongful Act the Insured is legally responsible[.]42
“Privacy Regulation Proceeding” is defined to include “a civil, administrative or regulatory proceeding against an Insured by a federal,
state or foreign governmental authority alleging violation of any law referenced under the definition of Privacy Injury or a violation of a
Security Breach Notice Law.”43
First-Party “Cyber” Coverage
Information Asset Coverage
“First-party” cyber coverage may include damage to or theft of the insured’s own computer systems and hardware, and may cover the
cost of restoring or recreating stolen or corrupted data. For example, the AIG netAdvantage® specimen policy states that the insurer
will pay the insured’s “actual information asset loss … resulting directly from injury to information assets” that results “from a failure
of security of your computer system.”44 “Information asset loss” is defined to include “software or electronic data, including without
limitation, customer lists and information, financial, credit card or competitive information, and confidential or private information”
“that are altered, corrupted, destroyed, disrupted, deleted or damaged….”45 CNA’s NetProtect 360SM specimen policy states that the
insurer will pay the insured “all sums” for “reasonable and necessary expenses resulting from an Exploit [defined as Unauthorized
Access, Electronic Infection or a Denial of Service Attack that results in Network Impairment, each as separately defined]” that are
“required to restore the Insured Entity’s Network or information residing on the Insured Entity’s Network to substantially the form in
which it existed immediately prior to such Exploit.”46 Many other products offer similar types of coverage.
Network Interruption and Extra Expense
Cyber policies often include coverage for business interruption and extra expense caused by malicious code (viruses, worms, Trojans,
malware, spyware and the like), DDoS attacks, unauthorized access to, or theft of, information, and other security threats to networks.
For example, the AIG netAdvantage® specimen policy covers the insured’s “actual business interruption loss … which [the insured]
sustains during the period of recovery (or the extended interruption period if applicable), resulting directly from a material interruption
[defined as “the actual and measurable interruption or suspension of [the insured’s] computer system, which is directly caused by a
failure of security”].”47 “Business interruption loss” includes “the sum of: (1) income loss; (2) extra expense; (3) dependent business
interruption loss; and (4) extended business interruption loss”48 each as separately defined.49
The Hartford CyberChoice 2.09SM specimen policy covers “Business Interruption Loss … that the [insured] incurs during the Period of
Restoration directly resulting from a Network Outage [defined to include “the actual and measurable interruption, suspension in
service or the failure of the Organization’s Computer System directly resulting from a Network Security Wrongful Act”].”50 “Business
Interruption Loss” includes both “Actual Loss” and “Extra Expense,” each as separately defined.51
Again, many other products offer similar types of coverage.52
When considering business interruption coverages, it is important to note that, as with many terms and conditions, the length of the
period of recovery is often negotiable (it may be increased from 120 to 180 days, for example). In addition, a cyber specimen policy
may sublimit certain business interruption losses arising from the security failure of a third party provider’s network.53 A policyholder
may be able to remove the restriction or increase the sublimit.
Remediation
Cyber policies that cover privacy and network security also routinely pay remediation costs associated with a data breach. Such
response costs include:
• the costs associated with post-data breach notification—notification required by regulation and voluntary notification
• credit monitoring services
• forensic investigation to determine the existence or cause of a breach
• public relations efforts and other “crisis management” expenses
• legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem
Importantly, these “remediation” coverages, which are often grouped under labels such as “Crisis Management,” “Notification &
Credit Monitoring Fund” and “Public Relations Expense Fund,” frequently are not subject to retentions or co-insurance.
The following discusses these coverages in more detail.
Cyber risk policies frequently provide coverage for the costs associated with notification of a data breach and credit monitoring
services. For example, Beazley’s AFB Media Tech® specimen policy provides coverage for “Privacy Notification Costs … resulting
from the Insured Organization’s legal obligation to comply with a Breach Notice Law because of an incident (or reasonably suspected
incident) described in [the Information Security & Privacy Liability] Insuring Agreement.…”54 “Privacy Notification Costs” is defined
to include a number of “reasonable and necessary costs incurred by the Insured Organization,” among them costs “to provide
notification to individuals who are required to be notified by the applicable Breach Notice Law” and costs of “offering of one (1)
year of credit monitoring services to those individuals whose Personally Identifiable Non-Public Information was compromised or
reasonably believed to be compromised as a result of theft, loss or Unauthorized Disclosure of information giving rise to a notification
requirement pursuant to a Breach Notice Law.”55 Hartford’s CyberChoice 2.09SM specimen policy similarly states that the insurer “will
reimburse the Insured Entity, for reasonable and necessary Notification and Credit Monitoring Expenses,”56 which are defined to
include:
the amount of reasonable and necessary expenses incurred by the Insured Entity i) to notify its customers or clients of a Data Privacy
Wrongful Act to comply with a Notification Law; or ii) for credit monitoring services offered by the Insured Entity to individuals
after a Data Privacy Wrongful Act to comply with Notification Laws; or iii) to provide courtesy notifications to individuals when such
notifications are not mandated by Notification Laws but are reasonably necessary to preserve the reputation and good name of the
Insured Entity and to mitigate the potential for a future Claim.”57
Cyber risk policies often provide coverage for the investigatory costs associated with determining the cause and scope of a breach
or attack. For example, Hartford’s CyberChoice 2.09SM specimen policy states that the insurer “will reimburse the Insured Entity for
reasonable and necessary Cyber Investigation Expenses,” 58 which include “reasonable and necessary expenses the Insured Entity
incurs to conduct an investigation of its Computer System by a Third Party to determine the source or cause of the Data Privacy
Wrongful Act or Network Security Wrongful Act.”59
Beazley’s AFB Media Tech® specimen policy includes coverage for costs “to hire a computer security expert to determine the
existence and cause of any electronic data breach.”60
The costs associated with a cyber attack often include crisis management activities. Cyber insurance policies typically provide
coverage for such activities. For example, the AIG netAdvantage® specimen policy Crisis Management Module Form covers “crisis
management expenses”61 as defined to include “amounts for which an organization incurs for the reasonable and necessary fees
and expenses incurred by a crisis management firm in the performance of crisis management services for an organization” arising
from a “failure of security” or “privacy peril,” each as defined.62 The Hartford’s CyberChoice 2.09SM specimen policy states that the
insurer “will reimburse the Insured Entity, for reasonable and necessary Crisis Management Expenses” that “directly result from
a Data Privacy Wrongful Act.”63 “Crisis Management Expenses” is defined as amounts for which the Insured Entity incurs for the
reasonable and necessary fees and expenses in the procurement of Crisis Management Services for the Insured Entity arising from
a Data Privacy Wrongful Act.64
Public relations coverage likewise is often included in specialty cyber policies. For example, Beazley’s AFB Media Tech® specimen policy includes
coverage for “up to one hundred thousand United States dollars (USD 100,000) for the costs of a public relations consultancy for
the purpose of averting or mitigating material damage to the Insured Organization’s reputation, subject to twenty percent (20%)
coinsurance[.]”65 CNA’s NetProtect 360SM specimen policy likewise covers “Public Relations Event Expenses … to respond to adverse
or unfavorable publicity or media attention arising out of a Public Relations Event,” which is defined as “any situation which in the
reasonable opinion of an Executive did cause or is reasonably likely to cause economic injury to the Insured Entity.”66 Hartford’s
CyberChoice 2.09SM specimen policy similarly states the insurer “will reimburse the Insured Entity, for reasonable and necessary
Crisis Management Expenses” that “directly result from a Data Privacy Wrongful Act…”67 “Crisis Management Expenses” includes
“reasonable and necessary fees and expenses in the procurement of … services performed by any public relations firm, crisis
management firm or law firm hired or appointed by us, to minimize potential reputational harm … including, without limitation,
maintaining and restoring public confidence in the Insured Entity….”
It warrants mention that some policies require the insured to use designated vendors or require the written consent of the insurer to
use remediation service providers. In addition, there may be a time limitation for certain services, credit monitoring in particular.
Extortion
Cyber policies often cover losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or
implementation of a threat), which may be an increasingly valuable protection. For example, the AIG netAdvantage® specimen
policy indemnifies the insured “for those amounts” the insured pays “as extortion monies resulting from an extortion claim…”68
“Extortion claim” is defined to include “any threat or connected series of threats to commit an intentional computer attack…”69
The Hartford CyberChoice 20SM specimen policy likewise covers “amounts which the Organization pays as Extortion Payments
directly resulting from a Cyber Extortion Claim.”70 Cybersecurity By ChubbSM includes coverage for “E-Threat Expenses
resulting directly from an Insured having surrendered any funds or property to a natural person who makes a Threat directly
to an Insured.”71 The ACE DigiTech® specimen policy states that the insurer “will pay Extortion Expenses incurred by the
Insured.”72 CNA’s NetProtect 360SM specimen policy covers “all sums … for Network Extortion Expense resulting from a Network
Extortion.”73
Beware the Fine Print
Cyber insurance coverages can be extremely valuable, but they deserve—indeed require—a careful review. The specific policy terms
and conditions must be analyzed carefully to ensure that the coverage provided meets the company’s specific loss scenarios and
potential exposures and to ensure that important facets of coverage are not vitiated.
Some insurers, for example, may insert exclusions based on purported shortcomings in the insured’s security measures if identified in
the underwriting process or known to the insured prior to policy inception.74 One specimen form policy excludes any claim “alleging,
arising out of or resulting, directly or indirectly” from “(1) any shortcoming in security that [the insured] knew about prior to the
inception of this policy,” “(2) [the insured’s] failure to take reasonable steps, to use, design, maintain and upgrade [the insured’s]
security,” or “(3) the inability to use, or lack of performance of, software: (a) due to expiration, cancellation, or withdrawal of such
software; (b) that has not yet been released from its development stage; or (c) that has not passed all test runs or proven successful
in applicable daily operations.”75 It remains to be seen whether broad exclusions of this kind will be upheld and enforced by the
courts, particularly given that the new policies are specifically marketed to cover the risk of liability for negligence in connection with
failure of network security. In addition, there may be exclusions for war, warlike operations, terrorism or hostilities that need to be
carefully considered, given that many cyber attacks originate abroad and a number of them are sponsored by foreign
governments.76 On a more mundane point, many cyber policies contain contractual liability exclusions found in many “traditional”
policies. These exclusions should contain adequate exceptions to cover, for example, customer or employee claims arising out of a
privacy or network security breach.
Other provisions that warrant close attention are the claims reporting/extended reporting period (“ERP”) options, the retroactive
date, and the defense and settlement provisions. Cyber specialty policies are written on a “claims made” basis, so it is important that
a policy contain an affordable ERP provision. A 60-day automatic ERP should be included, and ideally the policyholder would have
the option to purchase up to 36 months of extended reporting for an additional premium. In addition, most cyber policies limit coverage to
breaches that occur after a specified “retroactive date,” which may be the same as the policy inception date. It is important
to request “retroactive” coverage for network security breaches that happened, but were not discovered, before the policy inception.
This is important given that recent studies indicate that months, sometimes years, elapse between a network security breach and the
discovery of the breach.77
As to defense of claims, many, although not all, insurers reserve the right to select or pre-approve defense counsel. Other insurers
present the insured with a “panel counsel” list such as those typical in the D&O coverage context. Again, however, the policies vary
considerably and some insurers permit the insured to select counsel. As to settlement provisions, “hammer” clauses78 – also typical in
the D&O coverage context – are often included in specialty cyber policies. Insurers are often willing to amend specimen forms such
that the insurer will agree to pay a higher percentage of post-settlement-offer defense costs (80 percent as opposed to 50 percent, for
example) in the event the policyholder refuses a settlement offer.
The adequacy of limits and sublimits warrants careful attention—as does the issue of retentions. Owing to the modular format of the
coverages provided under cyber policies, for example, a policy specimen may state that separate retentions will apply where a cyber
event triggers coverage under more than one coverage section. It may be possible, however, to achieve an amendment whereby only
one retention applies to all loss arising out of an event that triggers multiple coverage sections.
As noted above, the cyber insurance market remains relatively soft, and favorable enhancements to coverage can often be achieved in
these and other areas. Indeed, cyber coverage is highly negotiable.
Conclusion
Every company is at cyber risk—a fact amply illustrated by the recent instances involving some of the world’s most sophisticated
organizations. Exposure to cyber liability is by no means limited to financial institutions, health care providers, retailers and other
industries that maintain confidential information of third parties. When targeted by an attack or facing a claim, companies should
carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before an attack, companies should
take the opportunity to carefully evaluate and address their risk profile, potential exposure to cyber risks, risk tolerance, the sufficiency
of their existing insurance coverage and the role of specialized cyber risk coverage.
(Endnotes)
1. See Scott Godes, Esq. & Jennifer G. Smith, Insurance for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation
2012 Insurance Coverage Litigation Committee CLE Seminar, at 2 (Mar. 1-3, 2012), available at http://www.americanbar.org/content/dam/aba/
administrative/litigation/materials/2012_inscle_materials/17_1_risks.authcheckdam.pdf (last visited May 13, 2013) (noting that “[i]nsurance
companies have become more aggressive in asserting (even if wrongfully so) that ‘traditional’ insurance may not cover security liability or
adequately cover privacy risks”).
2. Harry Cylinder, Evaluating Cyber Insurance, CPCU eJournal (Dec. 2008), available at http://www.cpcusociety.org/file_
depot/0-10000000/0-10000/3267/conman/CPCUeJournalDec08article.pdf (last visited Dec. 20, 2012).
3. See Cyber Insurance 3.0, supra, at 2 (“Cyber insurance, the fastest-growing specialty line in the commercial market, is rapidly becoming vital
to the financial health of organizations.”); Where to Find the Best Possible Cyber Coverage, supra (“As cyber insurance has evolved, the
coverage has become more comprehensive and insurers are looking for ways to distinguish products with a variety of bells and whistles.”).
4. EC 00 10 07 05 (2004).
5. For example, ISO’s “Internet Liability and Network Protection Policy” includes five coverage modules: (1) Web Site Publishing Liability; (2)
Network Security Liability; (3) Replacement Or Restoration Of Electronic Data; (4) Cyber Extortion; and (5) Business Income And Extra Expense.
See EC 00 10 07 05 (2004), at Section I.
6. In addition to stand-alone cyber policies, many insurers are now making cyber coverage available as part of the traditional insurance policies
that these businesses are already purchasing, such as business owners policies (“BOP”), which typically provide property, general liability,
crime, auto, and inland marine floater coverage, and management liability insurance (“MLI”) policies, which can provide errors and omissions
liability, directors and officers liability, employment practices liability, fiduciary liability, and other liability coverages. For an excellent summary
of these issues, see The Betterley Report, supra at 21. Some of these cyber coverages are “services only” (i.e., no risk transfer), “services
plus breach response coverage,” or “services plus breach response plus liability.” Id. at 4.
7. The Betterley Report, supra at 3 (“The types of coverage offered by Cyber Risk insurers vary dramatically.… More than most insurance policies,
Cyber Risk requires experienced risk professionals to craft the proper coverage.”).
8. Kevin P. Kalinich, J.D., AON Network Risk Insurance 2012 Update, Privacy and Security Exposures and Solutions, at 4 (“Few privacy and
security risks are alike, and many entities have unique needs, which vary greatly depending on the scope of business, number and type of
personally identifiable information records at issue, use of third-party contractors, applicable regulatory rules and regulations, and the use of
technology.”), available at http://litigationconferences.com/wp-content/uploads/2012/10/1000-Network-Security-Privacy-Risk-Insurance-2012Update.pdf (last visited Sept. 4, 2013).
9. The Hartford CyberChoice 2.09SM Specimen Network Security Liability Insurance Policy Form #DP 00 H003 00 0312 (2012) is available at http://
www.hfpinsurance.com/servlet/Satellite?c=Page&cid=1150848583573&pagename=HFP%2FPage%2FHFP_ProductPage&pagetab=30 (visited
Dec. 20, 2012) (hereinafter “Hartford CyberChoice 2.09SM Specimen Form”).
10. Hartford CyberChoice 2.09SM Specimen Form, Section I (A).
11. Id. Section III (N(1)). “Nonpublic Personal Information” is defined as follows:
(1) a natural person’s first name and last name combination with any one or more of the following:
(a) social security number;
(b) medical or healthcare information or data;
(c) financial account information that would permit access to that individual’s financial account; or
(2) a natural person’s information that is designated as private by a Data Privacy Law.
Id. Section III (DD).
12. Id. (N(2)). “Data Privacy Laws” is defined to include “any Canadian or U.S., federal, state, provincial, territorial and local statutes and
regulations governing the confidentiality, control and use of Nonpublic Personal Information including but not limited to” the following:
(1) Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) (“HIPAA”); or
(2) Gramm-Leach-Bliley of 1999 (“G-L-B”); also known as the Financial Services Modernization Act of 1999; or
(3) State privacy protection laws, including but not limited to the California Database Protection Act of 2003 (Cal. SB 1386) and Cal.Civ.Code
§ 1798.82, that require commercial Internet sites or online services that collect personal information or medical information (as defined by
such laws or acts) to post privacy policies and adopt specific privacy controls or to notify those impacted by identity or data theft, abuse or
misuse; or
(4) Federal and state consumer credit reporting laws, including but not limited to the Federal Fair Credit Reporting Act and the California
Consumer Credit Reporting Agencies Act; or
(5) The Fair and Accurate Credit Transaction Act of 2003.
Data Privacy Laws does not include any foreign law, regulation or statute other than the laws and regulations of Canada.
Id. (K).
13. Id. (CC).
14. Id. (AA).
15. The AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section, is available at http://www.aig.
com/ncglobalweb/internet/US/en/files/Specimen%20Security%20%20Privacy%20Coverage%20Section_tcm295-315822.pdf (last visited
Mar. 31, 2013).
16. Id. Section 1.
17. “Confidential Information” is defined as follows:
“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a
Company or Information Holder is legally responsible:
(1) information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s
name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories
and passwords;
(2) information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of G-L-B
(Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
(3) information concerning an individual that would be considered “protected health information” within Health Insurance Portability and
Accountability Act of 1996 (as amended) and its implementing regulations;
(4) information used for authenticating customers for normal business transactions;
(5) any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other
item of information that is not available to the general public.[]
Id. Section 2.(d). “Security Breach Notice Law” includes “any statute or regulation that requires an entity storing Confidential Information on
its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or
potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute
known as California SB 1386 (§1798.82, et. al. of the California Civil Code). Id. Section 2.(m).
18. Id. Section 2.(n).
19. Id.
20. The ACE DigiTech® Digital Technology & Professional Liability Insurance Policy, Form #PF-26996 (05/09) is available at http://www.acegroup.com/
us-en/assets/ace-digitech-declaration-policy-specimen.pdf (last visited Dec. 20, 2012) (hereinafter “ACE DigiTech® Specimen Form”).
21. ACE DigiTech® Specimen Form, Sections I.C, II. OO.3, II.X. “Computer System” is defined to include “computer hardware, software, firmware,
and the data stored thereon, as well as associated input and output devices, data storage devices, networking equipment and Storage Area
Network or other electronic data backup facilities.” Id. Section II.G.
22. Id. Section II. OO.4.a.i. “Personal Information” includes:
1. an individual’s name, social security number, medical or healthcare data, other protected health information, driver’s license number,
state identification number, credit card number, debit card number, address, telephone number, account number, account histories, or
passwords; and
2. other nonpublic personal information as defined in Privacy Regulations;
in any format. Personal Information shall not include information that is lawfully made available to the general public for any reason, including
but not limited to information from federal, state or local government records.
Id. Section II.Z.
23. The Philadelphia Insurance Company Cyber Liability Coverage Form #PI-CYB-001 (05/10) is available at https://www.phly.com/products/
CyberSecurity.aspx (last visited Mar. 20, 2013).
24. Cyber Liability Coverage Form, Sections I.E., III.W.
25. A copy of the CNA NetProtect 360SM Specimen Policy Form #G-147051-A (2007) (hereinafter “CNA NetProtect 360SM Specimen Form”) is on
file with the author.
26. CNA NetProtect 360SM Specimen Form, Sections I.A.2., I.A.4, X. “Nonpublic Personal Information” is defined to include: “information
not available to the general public from which an individual may be identified, including without limitation, an individual’s name, address,
telephone number, social security number, account relationships, account numbers, account balances, and account histories.” Id. Section X.
27. A copy of the Axis PRO® TechNet Solutions™ Specimen Policy Form TNS-7000 (03-10) (hereinafter “Axis PRO® TechNet Solutions™
Specimen Form”) is available at http://www.axisproinsurance.com/programs/technet_
applications.asp (last visited Dec. 20, 2012).
28. Axis PRO® TechNet Solutions™ Specimen Form, Sections I.A.1, I.A.3, X.M.
29. A copy of Beazley’s AFB Media Tech® Specimen Policy, Form # F00226 (2011) is available at https://www.beazley.com/forms_and_resources_
search_page.html?business=165&type=156 (last visited Dec. 20, 2012) (hereinafter “AFB Media Tech® Specimen Policy”).
30. AFB Media Tech® Specimen Policy, Section I.C (1., 2.). “Security Breach” includes:
1. Unauthorized Access or Use of Computer Systems, including Unauthorized Access or Use resulting from the theft of a password from a
Computer System or from any Insured;
2. a Denial of Service Attack against Computer Systems or Third Party Computer Systems; or
3. infection of Computer Systems by Malicious Code or transmission of Malicious Code from Computer Systems,
regardless of whether any of the foregoing is a specifically targeted or generally distributed attack.
Id. Section VI.II.
31. See The Betterley Report, supra at 6 (“There is a great deal of concern over accumulation risk (that is, the same cause of loss affecting multiple
insureds, leading to massive claims)…. With much data moving to the cloud, this accumulation risk is becoming more severe, a trend that
concerns us greatly.”).
32. See Richard S. Betterley, Intellectual Property and Media Liability Insurance Market Survey (2013), at 6 (“Most Advertising Liability coverages
are written to narrowly focus coverage on actual advertising activity …. Since alleged infringement can occur in many situations not involving
advertising, it is apparent that a CGL policy, even with advertising liability coverage, is an ineffective source of coverage. Another problem
with commercial liability coverage is that an infringement can be construed as an intentional act, quickly denied by the GL carrier.”).
33. Hartford CyberChoice 2.09SM Specimen Form, Section I (B).
34. Id. Section III (Q).
35. Id. Section III (A., P.).
36. ACE DigiTech® Specimen Form, Section II. OO.2.
37. Cybersecurity By ChubbSM Specimen Policy Form #14-02-14874 (02/2009), at Section II (“Content injury”). A copy of this specimen policy is
available at http://search.chubb.com/formsearch/formZoneResults.aspx?formType=&productName=cyber&usState= (last visited Dec. 20, 2012)
(hereinafter “Cybersecurity By ChubbSM Specimen Form”).
38. Axis PRO® TechNet Solutions™ Specimen Form, Sections A.2., V. KK.2.
39. AFB Media Tech® Specimen Form, at Section I.F.
40. Id. at Section I.E. “Privacy Law” is defined to include: “a federal, state or foreign statute or regulation requiring the Insured Organization to
protect the confidentiality and/or security of Personally Identifiable Non-Public Information.” Id. at Section VI.BB.
41. Id. at Section VI.FF.
42. CNA NetProtect 360SM Specimen Form, Sections I.A.2.B.
43. Id. at Section X. “Security Breach Notice Law” is defined to include “any statute or regulation that requires an entity storing Nonpublic
Personal Information on its Network to provide notice to specified individuals of any actual or potential unauthorized access with respect to
such Nonpublic Personal Information, including Sections 1789.29 and 1798.82 – 1798.84 of the California Civil Code (formerly S.B. 1386).”
Id. “Privacy Injury” includes reference to, among other things, “any federal, state, foreign or other law, statute or regulation governing the
confidentiality, integrity or accessibility of Nonpublic Personal Information.” Id.
44. AIG netAdvantage® Specimen Policy, Information Asset Module Form #90612 (2006), Section 3.
45. Id. Section 5 IA (b, c).
46. CNA NetProtect 360SM Specimen Form, Section II.B.
47. AIG netAdvantage® Specimen Policy, Business Interruption Module Form #90593 (2006), Section 3, Section 5 BI (k).
48. Id. Section 5 BI (b). “Period of recovery” is defined as follows:
“Period of recovery” means the time period that:
(1) begins on the date and time that a material interruption first occurs; and
(2) ends on the date and time that the material interruption ends, or would have ended if you had exercised due diligence and dispatch.
Provided, however, the period of recovery shall end no later than thirty (30) consecutive days after the date and time that the material
interruption first occurred.
Id. Section 5 BI (l).
49. Id. Section 5 BI (d, e, g, j).
50. Hartford CyberChoice 20SM Specimen Form, Section I (D), Section III (ff). “Period of Restoration” is defined as follows:
Period of Restoration means the period of time that:
(1) begins with the date and time that Computer Systems have first been interrupted by a Network Outage and after application of the
Waiting Period set forth on the Declarations; and
(2) ends with the earlier of
(a) the date and time Computer Systems have been restored to substantially the level of operation that had existed prior to the Network
Outage; or
(b) 30 days from the time that Computer Systems were first interrupted by such Network Outage.
The Waiting Period represents the number of hours the Organization’s Computer Systems are interrupted before the Insurer is first obligated
to pay Damages and Defense Expenses (other than Extra Expense) covered by Insuring Agreement (D). The Waiting Period incepts
immediately following the interruption of the Organization’s Computer Systems.
Id. Section III (D).
51. Id.
52. See, e.g., Hartford CyberChoice 20SM Specimen Policy Form #CC 00 H003 00 0608 (2008) (hereinafter “CyberChoice 20SM”) (a copy is on file
with the author), at Section I (D), Section III (D), (ff); Cybersecurity By ChubbSM Specimen Form, Section I.D, Section II.
53. For example, AIG’s Specialty Risk Protector® product states that “the maximum liability of the Insurer for all Loss arising from a Security
Failure of the Computer System of an Outsource Provider [defined as “an entity not owned, operated or controlled by an Insured that such
Insured depends on to conduct its business”] shall be $100,000.” Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Network
Interruption Coverage Section, at Part 2(f) and Part 4. A copy of the policy form is available at http://www.aig.com/ncglobalweb/internet/US/
en/files/Specimen%20Network%20Interruption%20Coverage%20Sectiong_tcm295-315824.pdf (last visited Mar. 31, 2013).
54. AFB Media Tech® Specimen Policy, Section I.D.
55. Id. Section I.D. 2.(a), 4.(a), Section III.(EE).
56. CyberChoice 20SM, at Section II.(A).
57. Id. at Section III.(EE).
58. CyberChoice 20SM, at Section II.(D).
59. Id. Section III.(I).
60. AFB Media Tech® Specimen Policy, Section I.D.1.
61. AIG netAdvantage® Specimen Policy, Crisis Management Module Form #90594 (2007), Section 3.
62. Id. Section 5, CM(a), (b)(1).
63. Hartford CyberChoice 2.09SM Specimen Form, at Section II.(B).
64. Id. Section III.(G)(1).
65. AFB Media Tech® Specimen Policy, Section I.D.3.
66. CNA NetProtect 360SM Specimen Form, Section I.B.1., Section X.
67. Hartford CyberChoice 2.09SM Specimen Form, Section II.(B).
68. AIG netAdvantage® Specimen Policy, Cyber Extortion Module Form #90595 (2006), Section 2.
69. Id. Section 5 CE(b).
70. CyberChoice 20SM, Section I (E).
71. Cybersecurity By ChubbSM Specimen Form, Section I.G.
72. ACE DigiTech® Specimen Form, Section I.F.
73. CNA NetProtect 360SM Specimen Form, Section II.A., Section X.
74. See Ben Berkowitz, Recent hacker attacks have more companies eyeing cyber risk coverage, Reuters (June 14, 2011), available at http://
www.reuters.com/article/2011/06/14/us-insurance-cybersecurity-idUSTRE75D5MK20110614 (last visited Dec. 26, 2012) (“As with any kind
of insurance, data breach policies carry all sorts of exclusions that put the onus on the company. Some, for example, exclude coverage for
any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not
downloaded or if employees do not change their passwords periodically.”).
75. AIG netAdvantage® Specimen Policy, Base Form #91239 (2006), Section 4 (t).
76. See, e.g., Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, at 2 (“Our analysis has led us to conclude that APT1 is likely
government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running
and extensive cyber espionage campaign in large part because it receives direct government support.”) (hereinafter “Mandiant, APT1”).
77. Verizon, 2013 Data Breach Investigations Report, at 6 (2013) (reporting that 66% of breaches “took months or more to discover”); Mandiant,
APT1, supra, at 3 (reporting that one particularly prolific Advanced Persistent Threat group, APT1, “maintained access to victim networks for
an average of 356 days.”).
78. The hammer clause is a provision that gives the insurer more control in claims handling. A “soft” version of the clause provides that if the
insured declines to settle then the insurer can cap its liability for the amount of the settlement offer plus some portion of defense costs
following the settlement.
About the Author
Roberta D. Anderson is a partner in the Pittsburgh office of K&L Gates LLP, a law firm that regularly represents
policyholders in insurance coverage disputes. The opinions expressed in this article are those of the author, and should
not be construed as necessarily reflecting the views of her law firm, or the firm’s clients, or as an endorsement by the law
firm or the law firm’s clients of any legal position described herein. Ms. Anderson can be reached at Roberta.Anderson@klgates.com.
This article was published in the April 2014 Insurance Coverage Law Report.
For more information, or to begin your free trial:
• Call: 1-800-543-0874
• Email: customerservice@SummitProNets.com
• Online: www.fcandslegal.com
FC&S Legal guarantees you instant access to the most authoritative and comprehensive
insurance coverage law information available today.
This powerful, up-to-the-minute online resource enables you to stay apprised
of the latest developments through your desktop, laptop, tablet, or smart phone
—whenever and wherever you need it.
NOTE: The content posted to this account from FC&S Legal: The Insurance Coverage Law Information Center is current to the date of its initial
publication. There may have been further developments of the issues discussed since the original publication.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding
that the publisher is not engaged in rendering legal, accounting or other professional service. If legal advice is required, the services of a competent
professional person should be sought.
Copyright © 2014 The National Underwriter Company. All Rights Reserved.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com