Cyber coverage will continue as a multi-policy endeavor

By Chad Hemenway on April 4, 2015
?????????????????????????????????????????????????????????????????????????????????????????????????????????

From L to R: Michael Tanenbaum of ACE, Ron Beiderman of ISO, Josh Gold of Anderson Kill, Jerry Gallivan of Travelers and moderator Joe Cellura, president of North America casualty at Allied World.

NEW YORK—It does not appear as if businesses should be looking for a comprehensive cyber risk policy any time soon.

According to panelists at Advisen’s Casualty Insights Conference during a session on the casualty implications of cyber threats, it became clear businesses will have to deal with a challenging multi-policy approach to finding the right coverage as the industry “moves away from the all-risk approach,” said policyholder attorney Josh Gold of Anderson Kill.

“There is no standard cyber coverage yet,” said Jerry Gallivan, claim manager, business torts claim, at Travelers.

“There is no such thing as one-size-fits-all,” added Michael Tanenbaum, senior vice president of professional risk at ACE.

But the task of finding the right coverage is not easy, considering the different terms and conditions, different triggers and different exclusions depending upon the policy and the insurer issuing the policy. In fact, the panel discussion began with a debate on the definition of cyber.

Gold said cyber claims “take all forms.” Some bit of cyber coverage can be included in multiple policies such as E&O, D&O, crime and property. Policyholders need to look everywhere, in part because the “C in CGL now means commercial, not comprehensive,” Gold said.

He tells clients to map data and then assess the “inventory of coverage” available to “match to the exposure.” But as a rule, first-party losses are covered and for third-party losses there is a “fight over money.”

Gallivan said the definition of cyber is the “action of hacking”—not other losses such as data from paper documents or privacy loss. Cyber “has to do with electronic systems,” he added. However, on hacking, Tanenbaum relayed an interesting statistic: of the cyber claims ACE has fielded, 21 percent actually involve a hacking.

According to Ron Beiderman, vice president of commercial lines coverage products at ISO, the industry’s commercial general liability form has been narrowed several times since the Internet took off and the lines between personal and ad injury began to blur around 1998.

Media-related exclusions and separate media policies followed as chat rooms and blogs gained popularity. Around 2000, ISO defined property damage as tangible property–a category that does not include electronic data.

More exclusions were inserted for spam violations after the Telephone Consumer Protection Act began creating claims. And starting last year, ISO forms began including data breach exclusions.

 

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].