Cyber Risk Fundamentals


Data is a collection of facts or information that describes something (a person, a device, a business, an idea, a formula, and so forth) and can include measurements, numbers, calculations, or a description based on observations or examinations. In our digital world, vast amounts of data are captured, stored, and manipulated by computer systems.

Cyber risk is the possibility that computer data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data. This loss of data could occur through accidental loss or disclosure, through a data breach such as data theft, or through leaks resulting from mishandling of the data by an employee or from deliberate action by cyber criminals.


The Value of Data

Computer data represents or describes individuals; families; organizations, including all sizes of business enterprises; and governments. On a smaller scale, data describes personally identifying information (PII), individuals’ medical conditions and histories, business accounts, individual transactions, account numbers, and the subject’s net worth—proprietary details that should be kept private.

Data also describes organizations’ and governments’ privileged information, such as intellectual property, trade secrets, business strategies and operating plans, secured documents, military tactical approaches, and finances and net worth. Organizations collect private and public data about their customers, employees, suppliers, service providers, stockholders, and other stakeholders to better meet the stakeholders’ and organization’s needs.

Similarly, governments collect varied information about their structure, policies, subjects (resident and foreign nationals), culture, economies, and national security and about those details of allied and enemy nations. Nations also collect data on technological and scientific advances and failures. Much of this information is secured to create an advantage over other nations.

Regardless of the type, data has value for people and organizations/governments in addition to the organizations that store it. Businesses can use their competitors’ market data to entice customers away from competitors, to gain a market advantage, or to be the first organization to introduce a new product to the market.

Governments of various nations can benefit from data collected by competing nations by gaining superiority in diplomatic power and military actions and in technological and scientific advances. Competitive data is immeasurably valuable and, in the wrong hands, can be destructive to a government/organization or an individual. The potential misuse of data adds to its value.

The Need to Keep Data Secure

Federal and state regulations have been developed to mandate organizations to improve their security efforts and policies. These regulations protect individuals’ private and medical information. Any failure to comply can result in penalties and, possibly, incarceration for those responsible.

The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act) requires banks and other financial institutions to protect customers’ personal financial data. This law includes the Safeguards Rule, which requires organizations to develop written information security plans describing their programs to protect customer information.

The federal Health Insurance Portability and Accountability Act (HIPAA) includes various rules and regulations on the protection of individuals’ private medical information. However, medical information has not been the target of most notable data breaches.

The Sarbanes-Oxley Act (SOX) is federal legislation that protects investors from fraudulent accounting activities by corporations. SOX requires financial firms that trade publicly to maintain internal controls that protect their shareholders from accounting errors and fraudulent practices within the organization and to improve the accuracy of their corporate disclosures.

The Securities and Exchange Commission (SEC) has published guidance regarding disclosure requirements for cyber risk and cyber attacks. The guidance suggests disclosing the costs or consequences of a data breach, any material legal proceedings and their impact on financial statements, and any insurance coverage maintained for such risks.

The payment card industry has established data-security standards that require merchants to safeguard cardholder data and that require extensive information-security measures.

Most states have passed legislation to ensure compliance with data privacy or protection laws or to require reasonable procedures and practices related to data. Some laws require appointment of an internal data security officer and data-breach notification as soon as practical. Some dictate security standards and security requirements for service provider contracts.

Slicing Auto Insurance Data for Pockets of Profit

Many auto insurers are reluctant to insure people in classes that they consider "uninsurable" or to insure statistically poor drivers. These drivers may be youthful and inexperienced, or they may have had multiple moving traffic violations or accidents.

Some insurers have found profitable segments among these "high-risk" drivers by slicing their data into smaller chunks (parsing it) to discover sub-classifications that can still be profitable to underwrite. For example, within a broad group of drivers who are labeled "poor" based on traditional criteria, some individuals are good risks. Using data that was not previously captured, possibly through advanced computing techniques, those good risks can be culled from the larger groups that traditional insurers reject.

As another example, by using technology that obtains information about driving habits, insurers can capture more-detailed data, which can be analyzed and combined to reveal driving habits that are better predictors of accidents than the number of traffic violations the driver has accrued.

Threats to Data and Information Systems

Hackers, Criminal Organizations, and Insiders

Criminal organizations often use stolen data to develop elaborate schemes to conceal their illegal proceedings. They may engage in money laundering; breach of intellectual property or trade secrets; or trafficking of narcotics, humans, human organs, sex, and weapons. Some cyber crime organizations steal government intelligence or manipulate government transactions to attain outcomes favorable to themselves or parties they protect.

Insiders include an organization’s employees and employees of service providers who contract with the organization. Their jobs require access to privileged information or data. Either for their own purposes or for the purposes of others whom they supply, these insiders may steal or leak privileged information.

Human Aspects of Cyber Risk: Behavior, Motivation, and Social Engineering

Human behavior, various motivational factors, and social engineering (such as phishing) help explain why cyber risk has developed and continues to flourish.

Some hackers break into systems because they can. These hackers have attained knowledge and skills that enable them to outsmart computer security and gain access to privileged information. They hack through different security systems for the challenge and the boost to their egos, which may be their only objective.

Other hackers modify systems to create chaos because they are knowledgeable enough to do so. These hackers may be motivated by rivalry or dissent, and they may coordinate a cyber attack to protest an organization’s action or decision.

Hackers may be motivated by profits from selling stolen information or because they are paid by others to modify a targeted organization’s systems. Additionally, hacker organizations sometimes contract with larger criminal organizations or governments to conduct espionage or theft for hire.

Social engineering, with regard to cyber crime, occurs when a rogue individual, organization, or government psychologically manipulates an individual or a group of individuals into performing criminal actions (such as data theft) or divulging confidential information.

Phishing attacks are one form of social engineering. Another form involves a thief making a phone call to a computer user claiming to be from the security department of the user's computer operating system or a bank. The thief warns the customer that a breach has occurred and requests login or other privileged information, allegedly to protect the victim’s system or account.

The thief may appear to offer services to prevent the victim from notifying authorities. Often, social engineers exploit an individual’s human weaknesses to obtain privileged information; for example, they might purport to be the abductor of an elderly victim’s grandchild to trick the victim into giving account access in return for the grandchild’s safe release.

Another social engineering ploy involves a thief calling the organization’s help desk, claiming to be the chief executive officer (CEO) and exploiting the service representative’s helpful nature to obtain authorization codes that provide broad access to the organization’s computer system, enabling easy access for system hacks.

In other ploys, the cyber criminal uses social engineering to exploit an individual’s vanity or greed and to trick him or her into providing private information; an organization’s passcodes; or direct access to computers, as in the Homeland Security USB flash-drive experiment.

Consequences of a Breach

The consequences to an organization of a data breach can be staggering. Customers can lose access to their stolen accounts, their funds, their ability to use credit, and even their personal reputations.

To repair their damaged credit ratings, customers might hire attorneys. They might sue the organization for damages they incurred, including punitive damages. These costs may be magnified if the customer base initiates and wins a class-action lawsuit.

An organization’s response to a breach can determine the extent of its overall loss. If an organization fails to take prompt action to halt a breach and to report it to regulators and its customers, damages mount and the organization can face penalties for failing to report the breach and for violating privacy statutes.

An organization usually terminates, and may even press charges against, an employee who willfully causes a breach. Then the organization incurs the cost of hiring a replacement and suffers any production loss that accrues in the interim.

If a service provider’s employee was responsible for the breach, the organization should contact that service provider and prohibit the work of that employee. The organization may even cancel the contract with the service provider and pay for any breach of the contract terms regarding cancellation, as well as any legal fees.

Any manager or officer of the organization who knew about the breach and failed to act appropriately may also be terminated. Loss of the organization’s chief information officer (CIO) and CEO, for example, could be expensive for the organization in terms of recruiting a suitable replacement and of allocating funds for an updated employment package.

Even when prompt action is taken after a breach, the organization incurs legal fees for counsel in handling the breach, managing employee terminations and hiring, and resolving any customer losses. The organization may also incur costs for providing credit monitoring for customers affected by the breach or for all customers.

Ultimately, the organization that experienced the breach suffers reputational loss. Swift measures to halt the breach and repair any security lapses, to avoid a breach before one occurs, and to have a plan in place for a breach can help limit reputational costs and financial losses. For a small to mid-size organization, the costs of a breach can result in business failure.

Cyber Risk in an Enterprise Risk Management Context


Enterprise Risk Management (ERM) examines all types of business risks an organization faces that may threaten its survival or solvency.

ERM also evaluates every conceivable treatment to minimize, eliminate, or transfer the organization’s risks and determines the best treatments from among the options. It examines the opportunities available to the organization to enable it to select those that will provide the best return on its investment now and into the future.

ERM enables an organization to attain maximum benefit from its opportunities while minimizing, eliminating, or mitigating risks.

Cyber risk exposures present greater challenges and complexity than traditional property-liability loss exposures because they involve intangible assets, such as business data, personal information, and the organization’s reputation. Restrictive options for insuring these types of assets make them candidates for preventive risk management treatment, in addition to the minimal coverage available for risk transfer through insurance.

A cyber risk loss exposure is any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support. Enterprises engaged in healthcare, advertising, computer hardware or software design and support, online education, and financial services have unique loss exposures that require expert evaluation. Applying ERM techniques to those exposures will help identify the most appropriate treatments for them.


Overview of First-Party Cyber Risk Loss Exposures

Just as personal data constitutes essential elements of an individual’s identity, an organization is predominantly defined by intangible components such as information about its customers and finances, its competitive intelligence, and its brand. When these are compromised, the organization’s identity is at risk; therefore, understanding the costs of these risks is essential to the organization’s survival.

An organization’s analysis of the financial consequences of cyber loss exposures begins with distinguishing among the various cyber loss exposure categories:

  • Property loss exposures arise from the tangible and intangible property of an organization and its key partners, providers, and suppliers. In the context of cyber risk, tangible property exposed to loss or damage can include any physical means by which data is stored or disseminated and related media; other types of tangible property, such as money and securities, may be exposed to theft resulting from cyber attack. In addition, and possibly constituting more than one-half to three-quarters of an organization’s total value, intangible property exposed to loss or damage can include data, intellectual property, and the organization’s reputation.
  • Net income loss exposures that result in business interruption can relate not only to the organization itself, but also to its key customers and suppliers. Net income exposed to cyber risk loss can be discussed in terms of loss of business income (including contingent business income) and extra expenses.
  • Third-party (liability) loss exposures related to cyber risk can be discussed in terms of bodily injury and property damage liability, personal and advertising injury liability, intellectual property liability, and errors and omissions liability.

Cyber property loss exposures and net income cyber loss exposures are considered first-party loss exposures, while cyber liability loss exposures are considered third-party loss exposures. The most significant first-party cyber risk loss exposures include these:

  • Damaged hardware, software, and computer networks
  • Compromised or stolen data and cyber extortion
  • Business interruption and extra expenses
  • Post-breach expenses
  • Reputational damage

Damaged Hardware, Software, and Computer Networks

In the context of cyber risk, tangible property exposed to loss or damage can include data storage and data dissemination equipment and related media. An organization’s data sharing network and its operation can be particularly vulnerable to cyber risk loss exposures such as physical damage and theft, as well as to software damage or corruption.

Such exposures can significantly add to an organization’s costs, as the most effective mitigation techniques for cyber risks related to tangible property loss entail separation and duplication strategies. Separation and duplication techniques require allocating resources for additional equipment and/or facilities to ensure that the failure of one element of the organization’s data infrastructure does not cause its collapse. 

Parties to the Insurance Contract

The insurance contract (policy) involves two parties: the insured and the insurer. The insured is the first party to the insurance contract; the insurer is the second party to the insurance contract. A demand by an insured person or organization seeking to recover for a loss from its insurer is called a first-party claim. When an insured injures a third party or damages property belonging to a third party, the third party’s demand against the insurer, called a third-party claim, is based on the legal duties the insured owes to the third party.

Compromised or Stolen Data and Cyber Extortion

Although intangible property susceptible to cyber loss has no physical form, its value to an organization is often incalculable because of its proprietary nature, the difficulty (or impossibility) of its duplication, and the extent to which it constitutes an organization’s essence. Electronic data (for example, confidential information about customers) is particularly vulnerable to cyber loss exposures; these exposures can include corruption through human error or malice, theft, or a physical cause of loss to the medium on which the electronic data is stored, such as damage caused by malware.

Intangible property exposed to loss also can include intellectual property. For example, an unknown third party could obtain unauthorized access to an organization’s data storage and sharing network and threaten to divulge the firm’s trade secrets, a form of cyber extortion. Another, similar form of cyber extortion entails an unknown third party wresting control of an organization’s e-commerce or data storage apparatus and demanding ransom in exchange for its surrender.

Business Interruption and Extra Expenses

Loss of business income occurs when an organization’s net income and normal operating expenses change as a result of a loss. In terms of cyber risk loss exposures, organizations typically examine potential losses that can occur to data storage and dissemination networks (hardware, software, data, and related media).

For example, the extent to which a denial-of-service attack compromises an organization’s ability to communicate with customers and/or efficiently fulfill orders can reduce the organization’s short-term net income and long-term profitability, as those affected by the service interruption may defect to a competitor.

An additional example of a cyber risk business income loss exposure is a virus that infects an organization’s network, corrupting data and destroying software. Although software can be replaced, at a cost, the organization will sustain a business income loss if it cannot conduct its normal operations during the period of restoration.

Cyber risk contingent net income loss exposures relate to an organization’s income that is dependent on a location that it does not own or directly operate. For example, an organization whose customer web portal is hosted and/or maintained by a third-party provider could suffer a contingent net income loss if the provider’s server is rendered inoperable for an extended time.

Similar cyber risk contingent net income exposures can apply to an organization’s suppliers, utilities, and third-party outsourcers, including exposures related to the consequences of business interruption resulting from a utility’s off-site power failure, from failure of a third party to properly manage and secure data, and from abuse of wireless networks. All of these loss exposures can result in contingent business income losses.

In addition to normal operating expenses, including payroll, that an organization has during a time of suspended or impaired business operations, an organization may need to incur extra expenses to minimize the effects of the business interruption or continue its operations. An organization may have cyber risk extra expense loss exposures if, as a consequence of a cyber loss, it has to purchase items such as software, hardware, or other data storage or dissemination media or hire labor to recreate lost or stolen electronic data.

For example, if a database is compromised, the data may need to be restored or cleansed by technology specialists at an additional expense.

Post-Breach Expenses

Because of the costly and pervasive nature of cyber losses, particularly those involving the compromise of sensitive individual consumer information such as Social Security numbers and financial account data, their prevention has attracted increased scrutiny.

In this environment, an organization’s possession of data is viewed not only as a consequence of business, but also as a matter of public trust. As such, governmental entities frequently require organizations to notify customers when their personal data has been subject to potential compromise and also may levy fines against organizations that fail to protect certain kinds of consumer information, such as healthcare-related data.

Additionally, an organization, whether it is required by law or does so voluntarily to engender goodwill, may offer to provide credit monitoring services to its customers after a data breach. An organization that does this of its own accord may view it as a component of encouraging consumers to associate its brand with security and trust.

In the wake of a data breach, an organization may also incur expenses related to an investigation of the breach’s source and the extent of its damage. Although an internal inquiry may be sufficient in some cases, other situations, especially those involving sensitive consumer information, may warrant a more thorough examination by a third-party forensics investigator.

Reputational Damage

In addition to the more readily quantifiable financial consequences associated with cyber risk loss exposures, an organization exposes itself to substantial reputational risk when it electronically stores, shares, and disseminates data.

Reputation is a key organizational asset because of its intrinsic, intangible value and because of its potential to generate (or erode) future value. The value of some intangible assets, such as trademarks and licenses, is quantifiable.

Reputation, however, is not quantified on a company’s financial statements as an intangible asset. Nonetheless, it is a key asset whose value is based on the beliefs of its stakeholders.

For example, an organization’s reputation as a trusted steward of customers’ personal information might give it a competitive edge over time. Conversely, an organization that suffers a publicized data breach may never fully recover from the associated stigma.

Third-Party Cyber Liability Loss Exposures

An insurance professional should know how to manage not just first-party cyber loss exposures, but also third-party cyber liability loss exposures. Although first-party losses occur more frequently, third-party losses are typically more severe.

All organizations that conduct business online and store private information on a network are exposed to loss from a data breach. The foundation of third-party cyber liability loss exposures is based on these concepts:

  • Customer liability versus trading partner liability
  • Liability for customer data resulting from invasion of privacy, breach of contract, and class action lawsuits
  • Network security liability, including liability for damage to a third party's network resulting from a data breach and e-media liability for libel, slander, infringement of trademark, and copyright
  • Directors and officers (D&O) exposures
  • Errors and omissions (E&O) exposures

Customer Liability Versus Trading Partner Liability

The third party is often the customer of the first-party organization, but it can also be, for instance, a trading partner, such as a supplier or buyer, who receives a computer virus because of the first party’s failure to manage cyber liability loss exposures. Additional damages may be incurred when the third party is a trading partner.

If a trading partner becomes infected with a virus, it may have to stop being a supplier or buyer to the first party, at least temporarily. This could cause a drop in revenue and an increase in costs for the first party as it searches for substitute suppliers and buyers.

Liability for Customer Data

When a first-party organization’s database is breached, thereby causing customers’ private information to be released without permission, customers can sue for a variety of alleged transgressions, including negligence, fraud, conversion, breach of fiduciary duty, invasion of privacy, and breach of contract. Invasion of privacy and breach of contract are among the most frequently used allegations in these types of cases.

Invasion of Privacy and Breach of Contract

Invasion of privacy includes an organization’s failure to prevent unauthorized disclosure, deletion, or alteration of personal and corporate information such as credit- or debit-card numbers with matching customers’ names or employee names with matching Social Security numbers.

Costs associated with liability for a breach of this nature include defending a regulatory proceeding brought by a government entity for allegedly violating privacy legislation. Typically in the United States, organizations are required by state law to notify state residents when their personally identifiable information (PII) has been disclosed without authorization.

The federal government has also passed legislation to help safeguard customers’ personal financial information. The Gramm-Leach-Bliley Act of 1999 (often referred to as the Financial Services Modernization Act) contains provisions concerning security protection and standards for customer records maintained by financial services companies. Individual states’ attorneys general and the Federal Trade Commission pursue enforcement actions against first-party organizations regarding the security and privacy of consumer information.

A fine or penalty may be assessed against the first-party organization for failing to comply with a law. Some laws also allow for attorneys’ fees to be awarded to the plaintiff in addition to damages.

Invasion of privacy is broad enough to include documents that contain nonfinancial information, such as photos of celebrities. The third-party individuals in these photos may have relied on assurances of security and privacy from the first-party organization that is storing the photos. In the event that the database containing the photos is breached, the individuals whose privacy has been violated could have a cause of action against the organization.

Breach of contract is a cause of action that third-party customers and trade partners commonly use to sue a first-party organization when it fails to fend off a cyber attack resulting in damages. A contract typically exists between trade partners that includes a promise to protect confidential information in the partners’ care, custody, or control.

The first-party organization does not have to act negligently or breach a standard of care to be found liable under a breach-of-contract cause of action. Failure to fulfill its contractual promise is the key issue.

Class Action Lawsuits

Even the largest cyber security breaches typically do not cause the stock price of an organization to decline far enough to result in a securities class action (class action lawsuit). However, an increasing number of investors are developing a better understanding of how cyber security losses and the costs of breaches affect an organization’s business. This enhanced understanding will probably cause individual organizations’ stock prices to decrease enough to make class action lawsuits more likely.

Plaintiff investors will likely claim that statements made by a first-party organization were misleading because they omitted facts about the cyber security loss exposures faced by the organization. To be successful in asserting this allegation, the plaintiff will need to connect statements with omitted facts.

In cyber security cases, plaintiffs will have an easier task discovering the omitted facts than in other types of cases because of breach-notification requirements, privacy litigation, and government investigations. For example, the Securities and Exchange Commission (SEC) drafted guidelines requiring organizations to disclose material cyber attacks and their costs to shareholders.

Network Security Liability

An organization can be held liable when its network security fails to prevent cyber attacks. Such attacks may result in, for example, unauthorized access to corporate information that allows the attacker to delete, corrupt, or steal data; denial of service, making the network unavailable for its authorized users; or the forwarding of a virus or other harmful code to another computer.

Other situations in which an organization can be held liable when its network security fails include these:

  • Liability for damage to a third party’s network resulting from a data breach
  • E-media liability for libel, slander, and infringement of trademark and copyright

Liability for Damage to a Third Party’s Network Resulting From a Data Breach

The scope of network security liability includes failure of a first party to prevent transmission of malicious code. The harmful code could initially infect the first party and then forward itself by traveling through the Internet and contacting other, unaffiliated networks, eventually infecting them.

Although the first party may not be the source of the harmful code in such cases, it may, with proper security measures in place, be able to prevent the code’s spread. By failing to secure the network, however, it may not only enable the code to spread, but also be found liable for breach of a duty to keep malicious code from propagating to other networks.

E-Media Liability for Libel, Slander, Infringement of Trademark, and Copyright

E-media liability can be incurred when a cyber attack successfully introduces offensive content onto a first party’s website. This content can take various forms.

If it defames or portrays a third party unfavorably in written form, it is considered libel. If the same content is spoken or transmitted by sound, it is considered slander.

A data breach can result in trademarked or copyrighted content displayed on a breached party’s website in a manner that indicates the party owns the intellectual property when, in fact, it does not. Such a trademark or copyright infringement could cause the correct owner of the intellectual property to sue the party with the breached website.

D&O Exposures

Corporate directors and officers often do not give cyber liability loss exposures an appropriate amount of attention. Experts say that this failure to recognize the potential impact of a cyber attack not only exposes an organization to financial losses resulting from the incident itself, but also exposes the organization and individual directors and officers to management liability losses.

When directors and officers fail to fulfill their responsibilities and duties as required under the law, they can be held liable for resulting losses. The major responsibilities of corporate directors include fulfilling their fiduciary duties to the corporation and its stockholders.

The fiduciary relationship is the most important aspect of the corporation in analyzing D&O liability loss exposures. In addition to performing specific functions, directors and officers occupy a position of trust for stockholders, the board of directors, and the general public.

Breach of fiduciary duty is a common basis for suing the directors and officers. Directors’ and officers’ fiduciary duties include the duty of care, the duty of loyalty, the duty of disclosure, and the duty of obedience.

Directors and officers are considered to have fulfilled their duty of care (also called the duty of diligence) if they meet these standards:

  • Act in good faith and in a manner they reasonably believe to be in the corporation’s best interests, which may include shifting the board’s attention toward cyber liability loss exposures
  • Discharge their responsibilities with informed judgment and a degree of care that a person in a similar position would believe to be reasonable under similar circumstances

Directors and officers also have the general duty of undivided loyalty to the corporations they serve. Accordingly, directors and officers cannot usurp business opportunities that properly belong to the corporation. For the same reason, directors and officers cannot own or operate businesses that compete with the corporation.

Further, directors and officers have the general duty to disclose material facts to all persons who have a right to know such facts and would not otherwise be able to obtain them. For example, directors and officers have a duty to make public disclosures of facts that are material, such as a data breach, to stockholders, bondholders, and potential investors in the securities of the corporation.

However, there are certain matters that directors and officers must keep confidential. Normally, directors are not authorized to act as spokespersons for their corporations.

In addition, directors and officers must refrain from discussing confidential or market-sensitive matters with others. Publicly discussing the corporation’s cyber security strategy can compromise the corporation’s cyber security.

Some authorities include a duty of obedience (that is, obedience to the law) in the list of duties of directors and officers. Directors and officers are required to perform their duties according to federal and state laws; for example, compliance with notification laws that mandate informing customers of a data breach is expected.

E&O Exposures

An established rule of law is that liability should rest ultimately on the party at fault. This rule applies in the insurance context.

Insurance producers bear the responsibility for any acts or omissions on their part that occur in the course of their insurance transactions. If any unreasonable conduct or breach of contract results in financial loss to any other party, the producer is responsible to that party for the full extent of the loss sustained. E&O insurance is the professional liability coverage designed to protect producers from these types of losses.

An error could occur and a loss sustained when placing cyber risk liability coverage because traditional insurance, with which a producer is most familiar, does not apply to emerging exposures such as cyber risk. Producers who are not on the leading edge of this emerging exposure may fail to recognize a coverage gap for a client’s exposure.


Risk Control in Cyber Risk Management

Cyber risk loss exposures permeate every facet of an organization's operations, rendering the consequences of a data breach potentially catastrophic. Therefore, risk control is essential to an organization’s incorporation of cyber risk in its enterprise risk management.

Specialized risk control techniques are usually necessary for an organization to control cyber risk loss exposures involving property, net income, and liability. These risk control measures begin with an organization’s determining the scope of its cyber risk loss exposures, often with assistance from a risk management or security specialist.

A cyber risk security strategy should incorporate the organization’s business objectives and available budget and include an assessment of the appropriateness of the risk control measures for the loss exposures being addressed. Properly structured, a cyber risk security strategy can preserve an organization’s resources, reduce the severity of losses that do occur, and hasten the organization’s recovery from a cyber loss.

Risk control techniques aim to reduce either loss frequency or loss severity, or to make losses more predictable. They fall into six broad categories:

  • Avoidance
  • Loss prevention
  • Loss reduction
  • Separation
  • Duplication
  • Diversification

Avoidance

Complete enterprise-wide avoidance of cyber risk is impossible. However, an organization can apply this risk management technique to circumstances in which it can isolate its internal or external stakeholders or its data infrastructure from elements that introduce cyber risk loss exposures:

Internal stakeholders—An organization can avoid cyber-related losses related to an employee’s behavior by preventing that employee from accessing its data-storage and data-transmission infrastructure. Similarly, it can configure its media to bar access to selected employees or institute production procedures that are insulated from that infrastructure.

For example, a group of employees responsible for creating an organization’s marketing materials may have access only to dedicated marketing-related data entry and storage devices unconnected to the organization’s internal data network or data-transmission media.

External stakeholders—Insulating its data infrastructure from external access also allows an organization to avoid cyber risk loss exposures. For example, if an organization has identified a particular geographic region as a likely source of a malware attack, it could configure its external data-communication network to refuse transmissions from that region.

Data-storage media—Cyber-related losses related to an organization’s data-storage media may be avoided if storage media are isolated from internal and external data networks and are inaccessible to personnel.

Loss Prevention

Organizations can reduce the frequency of cyber losses by instituting physical, procedural, and personnel controls:

Physical controls—Physical controls place barriers between cyber criminals and their targets. Organizations should provide basic physical protection, such as guards, locked doors, central security alarms, and automatic devices to detect intruders.

Additionally, organizations can physically limit access to their data infrastructure and can implement other administrative and managerial safeguards that control physical access to systems. Cyber criminals may use tactics to which data-storage and data-transmission media are particularly vulnerable, such as damaging them through magnetic disruption or through interruption of electrical power.

Therefore, surveillance should be used for highly sensitive areas where data is stored. Access to such areas should be controlled by requiring personnel to identify themselves with badges or through biometrics.

Procedural controls—Procedural controls specify that tasks be performed in secure ways that reduce losses. In terms of cyber risk, procedural controls apply to how an organization’s data infrastructure is protected.

Security policies should clearly state system-authorization requirements for use of the system, levels of system access, and system-response measures to unauthorized access. If appropriate safeguards are not in place, organizations may never notice clandestine intrusions that are designed to steal information.

Other intrusions that use malware are designed to deliberately and noticeably disrupt operations. Procedural controls that organizations use to thwart such attacks include passwords, antivirus applications, and encryption for stored data and data in transit.

Additionally, an organization can specify monitoring procedures in its procedural controls to prevent inappropriate access or use of its data infrastructure. Procedural controls may also be designed for network updates to ensure that new programs are tested before they are used to process actual data, possibly preventing an errors and omissions liability claim.

Other procedures include establishment of a privacy policy and procedures for how, when, and under what terms an organization will allow material from other websites to appear on its own website. These policies and procedures could prevent claims for violation of privacy laws and for trademark or copyright infringement.

Personnel controls—The attitudes, performance, and behavior of employees can leave an organization exposed to a cyber attack, regardless of whether the resulting loss or damage was intended. Some employees are inadvertently the source of cyber losses—for example, employees who unwittingly introduce a virus to the organization’s data infrastructure.

Others deliberately commit cyber crimes, such as stealing intellectual property or committing identity theft. Disgruntled former employees with knowledge of or access to proprietary information are also potential sources of cyber-related losses.

Organizations can institute sound personnel controls to mitigate the cyber risk loss exposures presented by their employees. Personnel controls include such measures as pre-employment screening, training, outlining unacceptable cyber behavior with associated consequences, and termination procedures that include revoking access and passwords. Personnel controls can also extend to how the organization deals with its customers, suppliers, and neighbors.

Loss Reduction

Managerial controls reduce cyber-related loss by establishing an environment that prevents cyber losses or assists in their detection.

Such measures include centralizing responsibility for cyber security and ensuring that the systems and procedures that have been adopted are monitored and followed, so that the related loss exposures are controlled. This effort can include monitoring the cyber risk security plan and ensuring compliance with risk control measures, such as the creation and storage of backup files and the segregation of responsibilities to prevent any individual from having control of the entire system or inappropriate system access.

Additionally, an organization should continually evaluate and revise its risk control measures. As quickly as risk control measures are instituted to combat cyber risk, the technology that cyber criminals use to overcome them evolves. Therefore, organizations must be prepared to update their techniques accordingly.

A post-data-breach rapid-recovery program aids in reducing the severity of an organization’s cyber-related losses and in restoring operational functionality as soon as possible. Implementing a rapid-recovery program focuses on the organization’s ability to preserve and sustain its operations in the event of a cyber-related loss. Contingency measures should be established to provide equipment, software, or any additional personnel that may be necessary to analyze, repair, cleanse, and restore lost or damaged data.

Also, plans should be developed to address the effects on suppliers and customers. A rapid-recovery program should also include a public relations component so that, if necessary, the organization’s public image, as well as customer and supplier relationships, can be preserved in the aftermath of a data breach.

Separation, Duplication, and Diversification

When an organization implements appropriate segregation of duties, no one person has both custody of an asset and access to the records concerning that asset. This separation restricts the ability of employees to steal an asset and then conceal the theft by altering the associated records. Managers and supervisors have greater access to and can more easily falsify records, but they have fewer opportunities to steal assets.

Additional risk control measures the organization can use as part of a post-data-breach rapid-recovery program include maintaining full backups of its data infrastructure at an alternate location. Additionally, all vital legal and technical documents, as well as copies of data-storage and data-transmission media, should be secured in a fire-resistive, off-site repository, such as those operated by specialized data-storage organizations.

Risk Financing: Retention in Cyber Risk Management

An organization that has not incorporated cyber risk in its enterprise risk management unwittingly treats some or all of its cyber risk loss exposures through retention. Such unplanned retention can have disastrous financial consequences if a data breach occurs, forcing the organization to absorb the costs associated with internal remediation and its liability to third parties. Planned retention, however, may be an effective means of financing certain kinds of cyber risk in some circumstances.

Planned retention is a deliberate assumption of loss exposures (and any consequential losses) that have been identified and analyzed. It is typically the most economical risk-financing alternative because of its associated cost savings. For example, if an organization’s investment in its cyber security infrastructure leads it to retain its cyber liability risk, then it can save money by avoiding the up-front payment of insurance premiums and the costs they include (such as administrative costs, premium taxes, and moral hazard costs).

Retention of cyber liability risk also allows an organization to control the claims process, giving it greater flexibility in the investigation and negotiation of claim settlements. This is ideal in situations in which an organization wishes to litigate cyber liability claims against it in order to preserve its reputation. (In contrast, an insurer may be more willing to settle such claims to reduce defense costs and therefore the payout required on its part.) Additionally, because retention’s effectiveness is correlated with loss avoidance, it encourages enterprise-wide risk control that maximizes the reduction of loss frequency and severity.

An organization’s decision to retain some or all of its cyber losses is informed by its assessment of their frequency and severity.

The frequency of losses is the number of losses that occur within a specified period. Severity relates to the amount of a loss, typically measured in monetary units, such as dollars. Severity can be used to describe the size of an individual loss or a group of losses.

Most large organizations experience numerous relatively small losses. For example, employees at large manufacturers may annually experience many minor injuries, with regular but insignificant financial effects on the organizations.

Conversely, an organization may suffer a catastrophic loss, such as a large fire or a plant explosion, on an infrequent basis. Between these two loss extremes are medium-size losses that may or may not occur regularly.

The general relationships among losses with different frequency-severity characteristics can be illustrated with a triangle. The width of the triangle shows the relative frequency of losses at different severity levels. Usually, the more severe a loss, the lower its frequency.

The opposite is also true. The top segment of the triangle represents catastrophic losses that are characterized by both high severity and low frequency. Therefore, they present a high level of risk to organizations. Most organizations arrange to transfer these types of losses before they occur.

A formal self-insurance plan requires an organization to have sufficient financial resources and risk tolerance to retain potentially significant losses.

Therefore, organizations with self-insurance plans for cyber risks usually embrace risk control techniques. These techniques may involve developing and maintaining a cyber security infrastructure that includes elements such as physical security measures, data encryption, the separation of data-storage media, duplication of data, and rapid-response data-breach recovery plans as part of the organization’s corporate culture.

In general, self-insurance is best applied to losses that are of both high frequency and low severity. Such losses are somewhat predictable in total over a defined time period, such as one year.

Most cyber losses do not fall into this category, as even relatively minor cyber losses (such as an employee’s misplacement of a single digital-storage device on which customer records were copied) can have serious financial consequences. These consequences can stem from the organization’s duty to inform customers of the loss of their personal data as well as from potential regulatory action. Additionally, most cyber losses are low frequency and therefore relatively unpredictable.

Organizations that are willing to retain a significant share of their own losses in exchange for greater flexibility often employ a specialized form of self-insurance by forming a captive insurer, or captive, to address their risk-financing needs. Most captive insurers purchase reinsurance, usually on an excess of loss basis, to transfer some of their loss exposures to another insurer. Reinsurance provides a captive insurer with many benefits, including the ability to cover large losses, such as those stemming from regulatory action related to a data breach.

A significant advantage of a captive insurance plan is that the parent organization can obtain insurance coverage that is not available from commercial insurers. This is especially valuable in the cyber risk realm, where new threats emerge as quickly as technology evolves and in which an organization’s financial liability for a data breach or cyber extortion incident can be substantial. To obtain these kinds of coverage, the parent pays a premium to its captive, which then issues an appropriate insurance policy.

For example, one specific form of captive insurer, a risk retention group, is a widely used means of obtaining liability coverage for individuals and/or organizations in the same industry. Traditionally, risk retention groups have been formed by professionals for whom liability insurance is either unavailable or prohibitively expensive, such as medical doctors. However, organizations in the same industry can form a risk retention group to obtain cyber liability coverage that is less expensive and more expansive than the coverage available on the open market.

A major advantage of a risk retention group is that it needs to be licensed in only one state in order to provide liability coverage to group members anywhere in the United States. The Liability Risk Retention Act of 1986 supersedes state law that requires an insurer to be licensed in every state in which it sells insurance, thereby saving the risk retention group the expense of complying with regulations in each of the fifty states.


Risk Financing: Transfer in Cyber Risk Management

A sound defense against the potentially catastrophic consequences of data breaches is founded in enterprise risk management. Risk control enables an organization to partially mitigate cyber risks, while an organization can transfer the financial consequences of cyber risk loss exposures that risk control may not fully address.

Insurance is the most prevalent form of cyber risk transfer, through either traditional property and liability coverages—such as those that insurers offer using forms developed by Insurance Services Office, Inc. (ISO)—or specialized cyber risk products. Organizations also may use noninsurance risk transfer methods to manage cyber risk.


Traditional Insurance Coverage

An organization may be able to insure some of its first-party cyber risk loss exposures under policies such as these:

ISO Building and Personal Property Coverage Form (also referred to as the BPP)

The BPP’s Electronic Data additional coverage pays for the cost to replace or restore electronic data destroyed or corrupted by a covered cause of loss, including a virus or harmful code.

ISO Business Income (and Extra Expense) Coverage Form

The Interruption of Computer Operations additional coverage covers loss of business income or extra expense due to a suspension of operations resulting from an interruption of computer operations. The interruption of computer operations must be caused by destruction or corruption of electronic data as a result of a covered cause of loss.

ISO Businessowners Coverage Form (BOP)

The BOP’s Computer Fraud and Funds Transfer Fraud endorsement covers the damage to money, securities, and other property directly related to the use of any computer to transfer funds fraudulently or from fraudulent instruction to transfer funds.

ISO Commercial Crime Coverage Form

The Destruction of Electronic Data or Computer Programs endorsement to this form covers the costs to restore or replace electronic data or computer programs stored in the insured’s computer system if such property is damaged or destroyed by a computer virus or by vandalism committed by a person who has gained unauthorized access to the insured’s computer system.

These policies may offer coverage for third-party cyber risk loss exposures:

  • ISO Commercial General Liability (CGL) Coverage Form—Liability loss exposures for electronic data are excluded under the CGL. However, some coverage may be added back by the Electronic Data Liability Endorsement. This endorsement applies only to electronic data losses that result from physical injury to tangible property.
  • ISO Electronic Data Liability (EDL) Coverage Form—This form provides broader coverage for an insured’s liability for loss of electronic data caused by an “electronic data incident.”

Cyber Risk Insurance Coverage

Cyber risk insurance emerged as a specialized product category in response to demands from organizations with heightened cyber risk loss exposures, as well as from insurers and producers, to address coverage shortcomings presented by standard commercial property and liability insurance policies. Insurers offer a variety of cyber risk insurance policies whose coverage elements can be tailored to the specific needs of technology-based organizations.

The specific provisions of cyber risk insurance policies differ by insurer. Insurers typically offer policies containing first-party-only coverage (property and theft), third-party-only coverage (liability), or both in a combination policy format. Combination policies in particular allow insurers and organizations to match desired coverage with cyber risk loss exposures.

Insuring agreements related to first-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Cyber extortion
  • Cyber crime
  • Business interruption
  • Terrorism
  • Notification or remediation
  • Electronic data protection

Insuring agreements related to third-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Electronic media liability
  • Network security liability
  • Privacy liability
  • Technology errors and omissions liability
  • Intellectual property liability

Cyber risk insurance policies are usually subject to a claims-made coverage trigger (as opposed to an occurrence coverage trigger). Claims-made coverage triggers are specified in the policy’s insuring agreement and can include any claim made during the policy period. A claim is typically made when the insured first becomes aware of facts that could cause a reasonable person to assume that a loss of a type covered by the policy has occurred. As is typical with claims-made policies, coverage is usually available for prior acts, subject to a retroactive date, found either in the base form or added by endorsement.

Some insurers that provide policies focused more on media liability, intellectual property, and technology-related coverages may offer forms with an occurrence coverage trigger. Occurrence coverage triggers are also specified in the insuring agreements and can include any covered event that occurs during the policy period, such as liability arising out of website content errors and omissions or out of trademark infringement liability.

Several types of insurance limits are available for cyber risk policies. The structure and application of limits offered typically depend on whether the policy has an annual aggregate limit of insurance (also referred to as a policy aggregate limit, or simply an annual aggregate). If a cyber risk policy does not have a policy annual aggregate (as is usually the case with package or modular policies), the insuring agreements work independently, each with its own limit of insurance.

Policy retentions and/or deductibles apply to each insuring agreement, per loss, and are often packaged with specific limits, particularly if the cyber risk policy is modular. Defense expenses are payable within the policy limits, thereby reducing the limit of insurance. Some insurers may offer a blanket limit applicable to separate insuring agreements, which is helpful to an insured that is uncertain as to where the organization’s maximum possible cyber risk loss exposure may lie.

Noninsurance Risk Transfer

Organizations can also use non-insurance risk transfers as a means of cyber risk financing:

A hold-harmless agreement is a type of non-insurance measure that organizations can use to receive reimbursement for cyber risk losses or to transfer their cyber risk loss exposures. For example, an organization could insist that a vendor operating its web server promise to indemnify the organization for lost sales if the server were to malfunction.

In addition to using hold-harmless agreements, many software firms use liability disclaimers. While disclaimers are not technically considered a non-insurance risk transfer technique, organizations employ them to limit the scope of their liability. For example, organizations that collect their customers’ personal information can use disclaimers and disclosure statements to inform customers of how they may use their personal information and the extent of the organization’s liability should the information be illegally disclosed.

Hedging is also considered a non-insurance risk-transfer technique. It is practical when it is used to offset loss exposures to which one is naturally, voluntarily, or inevitably exposed. An organization can use hedging techniques to offset cyber risks present in its supply chain. For example, an organization that uses a third party to facilitate its transmission and receipt of data faces the loss exposure of bandwidth price variability. To offset this loss exposure, the organization might enter into a futures contract to purchase a fixed volume of bandwidth capacity over the coming year at a pre-agreed price. (A futures contract is an agreement to buy or sell a commodity or security at a future date at a price that is fixed at the time of the agreement.) If the market price of bandwidth capacity increases over the next year, the organization will save money by buying it below the prevailing price. If the market price drops, the organization will pay more than the prevailing price. Either way, the organization’s loss exposure is reduced because the cost variability is eliminated.


Navigating Cyber Insurance Applications

Producers must obtain a lot of information from a client to complete a typical cyber risk insurance application. In response to applicant complaints that the application is too lengthy and difficult to complete, some insurers have developed short-form applications, requesting financial and industry classification information. Some short-form applications ask basic questions about an organization’s current security and risk management procedures. An underwriter can use this information to develop a reasonably accurate quote for cyber risk coverage, without the need to quote various limits and deductibles. However, if a client decides to purchase the coverage, a detailed, long-form application must be completed. To add benefit for the applicant, some insurers include cyber risk management guidelines in the application form.

The task of completing a detailed application form can be managed by appropriate personnel from throughout the organization. A list of application sections and the personnel with the applicable information could include these:

  • General information, policy limits and retentions, and known data losses should be supplied by the client’s risk manager or financial officer.
  • Technological details such as network security, firewalls, intrusion detection, patch management, data encryption, data backup procedures, and similar information should be supplied by IT officers.
  • Details regarding securing data on mobile devices (encryption), procedures for handling confidential paper files, and security and privacy training for staff should be supplied by privacy officers.
  • Details about disaster recovery plans, incident responses, employee agreements, and discipline procedures should be supplied by human resources staff.
  • Information regarding the acquisition and use of website content and social media postings should be supplied by marketing officers.
  • Information about contracts with service providers that offer data backup or storage, web hosting, software design, and so forth should be supplied by the organization’s legal counsel.

An organization may want to implement other aspects of an ERM program before applying for cyber insurance coverage. Doing so would make the application more attractive to a prospective insurer. This could influence an underwriter’s acceptance of the risk and qualify the organization for a premium reduction.

Cyber Risk Issues for Agents and Brokers

Nearly all organizations are subject to cyber risk. As technology evolves, cyber criminals find new ways to breach organizations’ information systems, and the costs to organizations to mitigate the damage can be tremendous.

News headlines of the damages from cyber breaches encourage agents’ and brokers’ (referred to as producers throughout) clients to plan for the threat of a cyber breach. Producers can assist clients with cyber risk planning advice, which can be incorporated into their enterprise risk management (ERM) programs. When it is appropriate for a client to transfer some cyber risk, producers can recommend cyber insurance coverage that fills the gaps. A producer can suggest these cyber-related enhancements to a client's risk management plan:

  • ERM security measures and procedures to minimize cyber risk
  • A manageable retention amount for some cyber risk
  • Forms of cyber risk that may be transferred to insurers
  • Ongoing risk management measures that reduce insurance premiums and help manage uninsurable risk
  • Measures to mitigate damage when a cyber breach occurs

Challenges in Selling Cyber Insurance

Producers that sell cyber insurance should prepare to address a variety of customer perceptions about and objections to buying cyber risk coverage and should prepare to help customers navigate a cyber insurance application.

A producer should be able to get a good estimate of the appropriate cyber coverage and its cost from an experienced underwriter based on a review of the organization's revenue data and its website.


Customer Perceptions

Many producers perceive that their clients do not believe that they need cyber coverage; in fact, a large percentage of organizations believe that they already have cyber coverage in their existing policies.

Perceptions about excessive premiums, insufficient cyber coverage options, and policies with multiple limits and deductibles make selling cyber risk insurance challenging.

Overcoming Customer Objections to Buying Cyber Insurance

With appropriate knowledge, a producer can counter most of a client’s objections to developing a cyber risk management plan. Some commercial insurance policies offer limited cyber coverage. By explaining the extent of existing coverages, suggesting procedures that reduce the risk, and suggesting additional cyber insurance products when appropriate, producers can help ensure that their clients' treatment of cyber risk is adequate.

Producers have a professional duty to keep current on trends and regulatory issues related to cyber crime and privacy. They can use this knowledge to adopt an unofficial risk manager role for their small- and mid-size clients. Offering this service can encourage clients to establish security measures and purchase cyber coverages for the threats that are targeted at their types of businesses. Producers can also use this knowledge to offer a cost-benefit analysis to their clients about the ERM programs they recommend.

Producers can help clients recognize and prepare to manage the costs of any cyber breach by using terminology and scenarios that their clients can understand and relate to, such as these:

  • Your employee inadvertently forwards an email message containing client personally identifying information (PII)—Government regulations require notification to any customer whose PII may have been breached. In addition to the costs of the notification, your company is liable for any damages suffered by affected customers and any related defense costs. The reputational damage could be extensive. Offering free credit monitoring for a year to affected customers would be worth the cost.
  • Your disgruntled employee becomes a spy for your competitor and gives it your client lists, business secrets, and strategic plans—In addition to the costs incurred in the email case, you could lose a competitive advantage, a cost that is hard to predict. You would have human resource costs to fire and replace the problem employee and any manager(s) who should have noticed the breach. In addition, management will have to redesign their organizational strategy and plans.
  • A disgruntled customer uses social media to incite a coordinated cyber attack against your manufacturing company that overloads and shuts down your network, halting network communications with your suppliers, distributors, service providers, and customers—The business interruption costs could be significant, along with the costs to restore your network and any lost data, the costs to investigate the attack, and any legal costs to recoup damages. Your organization could suffer reputational damage, causing loss of suppliers and distributors, loss of service contracts, loss of customers whose orders were lost or delayed, and the loss of potential customers influenced by negative word of mouth.

The costs incurred in these breaches must be managed, and a producer’s recommendations for managing them can position a small- to mid-size organization to withstand a cyber breach without filing for bankruptcy.

Many organizations believe that they will never suffer from a cyber breach. Cyber breaches that make the news involve large corporations. A producer can point out that many smaller companies also suffer from cyber breaches. Cyber experts advise that companies should ask when, not if, a data breach will occur. Organizations should prepare for a breach through various risk management techniques.

Typically, an organization's information technology (IT) department assumes responsibility for data protection and assures upper management that their systems are secure. However, cyber breaches have occurred even in highly secured environments. To stress the need for cyber insurance despite system security, a producer might use an analogy to explain the need for a cyber risk plan.

Property Insurance Coverage Analogy

Most organizations purchase property coverage for the risks associated with fire, even though they do not expect a fire loss and their buildings are designed to prevent fire spread and protect occupants, with features such as smoke alarms, fire-rated doors, sprinkler systems, stairwells, and other emergency egress features. The development of a cyber risk plan, even though strong security measures already exist, is comparable to purchasing fire insurance despite fire-resistive building features.

Many managers believe that their organizations’ cyber risks are covered under their existing policies. In fact, most property and liability coverages exclude or limit coverage for losses to intangible property, which includes data. A producer should show clients the passages in their policies that exclude or provide only limited coverage.

Chief financial officers (CFOs) and chief executive officers (CEOs) are often involved in cyber insurance purchasing decisions. Many executives find it difficult to discuss cyber risk with their IT staff to determine whether they need coverage. Senior management may be stymied by IT jargon or by the complexity of computer systems. A producer should use common terminology to explain a computer network and may want to use a simple diagram that depicts the vulnerable points in a single user’s network where security could be breached.

Completing an application for cyber insurance can be a lengthy and tedious process because information is needed from many departments across an organization. To remove the client’s burden of completing a long application just to get a quote, an experienced underwriter could offer a good estimate of the appropriate coverage and its cost based on the client’s revenue data and a review of the organization’s website. This estimate can assist the client in deciding whether to purchase coverage, and if so, which coverage. If the client is satisfied with the estimate, the completed application will still be required for the coverage to take effect. If a client requests a quote, then the producer must be certain to follow through. Failure to do so could result in an errors and omissions (E&O) claim.


Best Practices for Producers

While helping organizations identify their cyber risk needs, producers must recognize their own potential for E&O liability.

Producers can advise clients that the best way to complete a cyber insurance application is for the appropriate personnel to complete the applicable sections, including the risk manager or financial officer, information technology officers, privacy officers, human resources staff, marketing officer, and legal counsel.

Cyber Risk Needs of Small- and Mid-Size Organizations

Many large organizations recognize their need for cyber coverage and loss mitigation, but small- and mid-size organizations may not be as prepared to manage their cyber risks. Their data can be more vulnerable than the data of larger organizations that have taken extra precautions. Knowledge about cyber risk, cyber coverages, data privacy requirements, and data protection regulations can enable producers to assist clients in examining and securing their cyber risks.

A producer might ask a small- or mid-size organization whether it stores clients’ or employees’ PII in its computer system. Because most organizations have employees’ PII, the producer could mention the ramifications if that data became public, perhaps because a disgruntled employee released the information. The producer could mention various government regulations geared to protect PII and the fines and other penalties that could apply if customer or employee PII is exposed, such as through an employee's oversight.

A producer may recommend that a client enlist the services of a cyber risk consultant to identify and address vulnerabilities in the client's system. The cost of these services would be much less than the financial and reputational costs of a cyber breach. Before presenting coverage options to the client, the producer might also enlist the help of a cyber expert to assess the client’s vulnerabilities.

Gray areas, where the client’s cyber coverage may be questionable, require special attention. Cyber insurance includes first-party property coverage to protect the insured’s business personal property and third-party liability coverage. Cyber products may include business interruption (for the time needed to recover from a data breach) and credit monitoring for customers exposed to a PII data breach. Some cyber policies include technology E&O coverage for organizations that provide software products or services to their clients. The producer must make certain that the coverages considered are appropriate for and address all of a client’s cyber risk exposures.

For example, a pharmacy client that accepts credit and debit cards and manages PII, along with protected health information (PHI), may need a cyber policy (or policies) tailored to those needs. An appropriate policy might include liability coverage for data/privacy breach (for PII and PHI), pharmacists’ E&O coverage, business interruption coverage, and credit monitoring reimbursement. In contrast, a client that provides and maintains software for its clothing retail customers may need technology E&O coverage in its cyber plan, along with PII data breach, business interruption, and credit monitoring reimbursement.

A knowledgeable producer can provide a policy for a small- to mid-sized organization that offers pre-loss risk management advice, loss control services, crisis management and mitigation services, IT forensics investigation, and legal services. Such a package provides one-stop service for smaller organizations that otherwise might not develop these resources.

Managing E&O Issues

Producers that sell cyber insurance are subject to various E&O exposures, including those that affect their clients, their insurers, and their own business operations.

Because of the prevalence of data breaches, producers are responsible for informing their clients that only limited cyber risk coverage is included in their traditional policies. Failure to inform a client of a cyber coverage gap can expose the producer to an E&O claim if a cyber coverage claim is denied.

Producers enter into contracts with insurers, agreeing to place coverage for their clients and assist in handling claims. If a producer leads a client to believe that the insurer will pay a cyber risk claim, even though he or she knows that the insurer will deny it, the producer could be exposed to an E&O claim from the client.

Producers are responsible for maintaining security for clients’ PII that is maintained in the producers’ computer systems. A producer whose customer data is breached in a cyber attack may be exposed to an E&O claim by the customer. A wise producer follows the same ERM procedures that it recommends to its clients and, by doing so, can avoid these E&O claims.


Insurance for Cyber Risk Exposures

The pervasive nature of cyber risks makes it essential for an insurance professional to know where coverage for these exposures exists in both traditional policies and specialized cyber risk insurance products.

Traditional policies continue to serve a valuable purpose of protecting insureds from conventional property and liability causes of loss. However, cyber risk exposures increase an organization’s vulnerability. One risk management solution to address this vulnerability is risk transfer via cyber risk insurance.

Fundamental concepts that explain why it is necessary and how to combine cyber risk insurance with traditional policies include these:

  • The nature of first- and third-party exposures
  • Cyber touchpoints in traditional policies
  • Coverages needed
  • The need for specialized cyber risk insurance products
  • Considerations for buying cyber insurance

First- and Third-Party Exposures

The first party is the organization that may or may not have purchased insurance from an insurer—the second party. The first party’s database contains its customers’ private information.

For the sake of this discussion, these customers are the third parties. Any other person or organization can be a third party that might assert a claim against the first party.

With cyber risk, first-party exposures are expenses the first party may incur to prevent or mitigate a loss resulting from, for example, a breach of its database. Some of the first-party expenses that can be incurred are costs to perform a forensic study, notify customers of a breach, monitor customers’ credit, repair reputational damage, and reconstruct lost or corrupted data.

Third-party exposures are associated with possible causes of action (claims) that customers or other stakeholders could assert against the first party for not preventing the cyber incident. Third-party exposures involve the third party holding the first party liable for any damages that were incurred as a result of the breach. Damages may include attorneys’ fees, court costs, and payment of a settlement or judgment.

Cyber Touchpoints in Traditional Policies

Traditional policies that are frequently requested to provide coverage for a cyber loss include these:

  • Building and Personal Property Coverage Form (BPP)
  • Commercial General Liability Coverage Form (CGL)
  • Business Income (and Extra Expense) Coverage Form
  • Businessowners policy (BOP): A package policy that combines most of the property and liability coverages needed by small and medium-size businesses.
  • Crime insurance
  • Directors and officers (D&O) liability insurance: Insurance that covers a corporation’s directors and officers against liability for their wrongful acts covered by the policy and also covers the sums that the insured corporation is required or permitted by law to pay to the directors and officers as indemnification.

These traditional policies provide commercial liability coverage, property coverage, or both coverages together as a package. Liability coverage protects an organization from third-party losses, and property coverage protects an organization from first-party losses.

Traditional policies generally do not provide substantial protection from a cyber loss for one or more of these reasons:

  • The cyber loss is not a triggering event under a policy’s insuring agreement.
  • The cyber loss is not included within the definition of a relevant policy term—for example, property damage is a term defined in a CGL policy as physical injury to tangible property. The definition further states that, for the purposes of this insurance, electronic data is not considered tangible property.
  • The cyber loss is specifically excluded.
  • The cyber loss is capped at a low limit.

Essentially, most traditional policies are not designed to cover first- or third-party cyber losses. Organizations instead rely on specialized cyber insurance products to cover cyber exposures.


Cyber Exposures: First Party or Third Party?

In the market for cyber risk coverages, there is not a consistent standard for determining whether certain loss exposures are first party or third party. For the purposes of this course material, reputation mitigation and response to regulatory action are regarded as first-party loss exposures, even though some policies label them as third-party loss exposures.

While not all cyber coverages are required by every organization, third-party coverages that are often needed include these:

  • Defense and payment of liability claims asserted by third parties for allowing a breach to occur
  • Protection from allegations of intellectual property infringement in an insured’s online publications and other forms of media liability
  • Breach of privacy liability if employees’ or customers’ private information is released to an unauthorized party

First-party coverages that are often needed include these:

  • Forensic study to determine the scope of the breach
  • Business income for loss of income when operations are temporarily shut down
  • Reputation mitigation, such as damage control through public relations and education of customers
  • Response to regulatory action, such as an investigation into whether the organization implemented the minimum required cyber security measures and sent adequate and timely notification, as well as any fines or penalties assessed
  • Restoration of data that was lost as a result of cyber attack

The Need for Specialized Cyber Risk Insurance Products

A mid-size or smaller organization may not have the capital to pay the costs incurred to resolve a cyber loss if its risk management strategy fails to prevent or fully mitigate a cyber breach. Such a cyber loss could bankrupt an organization and therefore emphasizes the need to transfer cyber risks to an insurer that offers specialized cyber risk insurance products.

These are examples of loss exposures that could be covered with such products:

  • Business interruption, including possible contingent exposures resulting from an insured’s suppliers
  • Identity theft of customers whose confidential information may have been stolen
  • Reputational damage to the insured
  • Third-party liability claims from customers alleging the organization failed to prevent unauthorized disclosure of their private information

An insured's risk manager should assess the organization's cyber exposures and estimate the frequency and severity of each exposure because the risk manager needs to establish the necessary limits of coverage.

Chart of Cyber Loss Exposures

First-party cyber risk loss exposures:

  • Business interruption and extra expenses
  • Customer notification
  • Credit monitoring
  • Data-breach investigation
  • Regulatory action—fines, penalties, legal costs
  • Extortion
  • Reputation mitigation
  • Supply-chain cyber risks

Third-party cyber liability loss exposures:

  • Liability for customer data
  • Network security and media liability
  • Directors and officers liability
  • Errors and omissions liability


Considerations for Buying Cyber Insurance

Buying cyber insurance differs from buying other insurance, such as a personal auto policy, in which the policy is usually written on a standard form and the loss exposures each driver faces are substantially similar. Frequently, the primary consideration of an auto insurance buyer is price.

Considerations for buying cyber insurance are substantially more extensive and often prompt these activities on the part of the organization:

  • Identify and assess the organization’s cyber risks. Not all available cyber coverages may be needed.
  • Determine what cyber coverage, if any, is provided by policies the organization already has in place.
  • Assess the organization’s cyber exposures and estimate the frequency and severity of each exposure to establish the necessary limits of coverage.
  • Carefully review the language used in exclusions, which may have been cut and pasted from another policy and may be inappropriate for a cyber policy.
  • Consider coverage that becomes effective retroactively, because data breaches can remain undetected for an extended period of time.
  • If the organization outsources data processing to a vendor, determine whether liability coverage for errors made by the vendor should be purchased.
  • Review the premium charged to insure data restoration, because the cost of restoring data after a breach is often prohibitive without insurance.
  • Seek input from the organization’s information technology, risk management, and finance representatives.
  • Use the insurer's risk management services.
  • Coordinate cyber insurance coverage with indemnity agreements.
  • Determine whether it is worth the additional premium to cover loss of data from unencrypted devices.
  • Determine whether it is worth the additional premium to cover governmental fines.
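The two passages above that ask the risk manager to "estimate the frequency and severity of each exposure to establish the necessary limits of coverage" (under The Need for Specialized Cyber Risk Insurance Products and again in this list) describe a quantitative exercise without showing it. The following Python script is an added example, not part of the original course material, of one way to carry it out: each exposure from the Chart of Cyber Loss Exposures is given an annual event frequency (modelled here as Poisson) and a per-event cost distribution (modelled here as lognormal), the script simulates many policy years, and it reports the expected annual loss, the 95th and 99th percentile years, how often losses would exceed the chosen retention, and a limit sized to the 99th percentile year. The exposure names, frequencies, dollar figures, retention, and the Poisson/lognormal modelling choices are all constructed assumptions for illustration, not actuarial data from the page.

```python
"""Monte Carlo sizing of cyber insurance limits from per-exposure frequency and severity estimates."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One cyber loss exposure, described by how often it occurs and how costly an event is."""
    name: str
    annual_frequency: float   # expected events per year (Poisson mean) - assumed figure
    median_severity: float    # median cost of one event, in dollars - assumed figure
    severity_sigma: float     # lognormal spread of per-event cost (larger = fatter tail)


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method; fine for the small rates used here."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(exposures, years=20_000, seed=7):
    """Return a sorted list of simulated total losses, one entry per simulated policy year."""
    rng = random.Random(seed)   # fixed seed so the figures are reproducible
    totals = []
    for _ in range(years):
        total = 0.0
        for e in exposures:
            # Each event's cost is a lognormal draw centred on the exposure's median severity.
            for _ in range(poisson(rng, e.annual_frequency)):
                total += rng.lognormvariate(math.log(e.median_severity), e.severity_sigma)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list, q in [0, 1]."""
    idx = int(round(q * (len(sorted_values) - 1)))
    return sorted_values[idx]


def analytic_expected_loss(exposures):
    """Closed-form expected annual loss: frequency times mean severity, summed over exposures.

    The mean of a lognormal with median m and shape sigma is m * exp(sigma^2 / 2);
    this is a sanity check on the simulation, not something the simulation needs."""
    return sum(e.annual_frequency * e.median_severity * math.exp(e.severity_sigma ** 2 / 2)
               for e in exposures)


def recommend_limit(sorted_losses, retention, target_q=0.99, step=250_000):
    """Limit needed above the retention to absorb a target_q-quantile year, rounded up to `step`."""
    uncovered = percentile(sorted_losses, target_q) - retention
    if uncovered <= 0:
        return 0
    return int(math.ceil(uncovered / step) * step)


def coverage_summary(exposures, retention, years=20_000, seed=7):
    """Figures a risk manager would bring to the producer: expected loss, tail years, and a limit."""
    losses = simulate_annual_losses(exposures, years, seed)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "p99_annual_loss": percentile(losses, 0.99),
        "prob_loss_exceeds_retention": sum(1 for x in losses if x > retention) / len(losses),
        "recommended_limit": recommend_limit(losses, retention),
    }


# Constructed sample exposures for a small organization; every number is an illustrative assumption.
SAMPLE_EXPOSURES = (
    Exposure("PII breach: notification, credit monitoring, forensics", 0.10, 250_000, 1.0),
    Exposure("Network outage: business interruption and extra expense", 0.30, 50_000, 1.2),
    Exposure("Regulatory action: fines, penalties, legal costs", 0.05, 100_000, 0.8),
)
SAMPLE_RETENTION = 25_000   # annual amount the organization is willing to absorb itself (assumed)

if __name__ == "__main__":
    for key, value in coverage_summary(SAMPLE_EXPOSURES, SAMPLE_RETENTION).items():
        print(f"{key:30s} {value:>14,.2f}")
```

The expected annual loss is what a retention should be compared against; the 99th percentile year is what the limit has to cover once the retention is subtracted. Because the severity distributions have heavy tails, the percentile figures move far more than the mean when the sigma parameters change, which is exactly why the page tells buyers to estimate severity for each exposure separately rather than rely on an average.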


Common Policy Formats

An insurance professional should understand common policy formats in order to properly structure commercial insurance coverage for insureds.

A basic distinction in the format of a commercial insurance policy is whether the policy is a multiline policy or a monoline policy. Another basic distinction is whether the policy is a standard form or a nonstandard form. Beyond these basic distinctions, three common formats for commercial insurance policies are the commercial package policy, the businessowners policy, and the output policy.

Multiline Policies and Monoline Policies

Insurance professionals commonly use the phrase “line of business,” or simply “line,” to refer to a specific type of insurance. This usage has resulted in the common insurance terms “multiline policy” (a policy covering two or more lines of business) and “monoline policy” (a policy covering only one line of business).

The phrases used to denote different lines—such as “commercial crime” and “commercial inland marine”—vary by insurer, but often follow the terminology used by either of two insurance advisory organizations: Insurance Services Office, Inc. (ISO), and the American Association of Insurance Services (AAIS).

Both of these organizations develop insurance forms for use by their member insurers and provide many related services. Most organizations are insured under a multiline policy (also referred to as a package policy) for most of their property and liability loss exposures but may also have one or more monoline policies for coverages that cannot be included in their multiline policies.

For example, many organizations purchase specialty coverages, such as flood insurance, in monoline policies because such coverages can sometimes be obtained only from an insurer other than the one writing the multiline policy.

Standard Forms and Nonstandard Forms

Although many insurers use the standard forms developed by ISO, AAIS, or other insurance advisory organizations, some insurers develop their own forms either because they want to write a type of insurance for which no standard form is available or because they want to differentiate their products from the standard forms.

Additionally, large insurance brokerages have developed their own insurance forms, referred to as “manuscript forms” or “broker forms,” using provisions that are more favorable to insureds than the provisions in standard forms. Generally, insurers accept broker forms only for the largest accounts.

In contrast with ISO or AAIS standard forms, insurers’ or brokers’ independently developed forms are often referred to as “nonstandard forms.” One of the benefits of studying standard forms is that they serve as benchmarks for analysis of comparable nonstandard forms, enabling one to spot important differences from the standard forms.

Commercial Package Policy

A commercial package policy (CPP) is a multiline policy composed of two or more coverage parts, each coverage part providing a separate line of insurance.

Under ISO Commercial Lines Manual (CLM) policywriting rules, widely used by insurers, one of the coverage parts of a CPP must cover buildings and/or business personal property, and another must cover commercial general liability. Other coverage parts for property and liability lines can be added. Examples of additional property coverage parts are commercial crime, commercial inland marine, and equipment breakdown.

Each coverage part consists of these components:

  • One or more declarations forms (containing information about the insured and the particular loss exposures insured)
  • One or more coverage forms (containing most of the essential terms of coverage)
  • For some lines of insurance, a general conditions form
  • Any applicable endorsements (modifying the terms of the coverage form or general conditions form)

In addition to coverage parts, a CPP also contains a “common declarations form” for the entire policy and the Common Policy Conditions form. In many cases, insurers combine the common declarations form with the separate declarations forms that apply to the individual coverage parts.

The exhibit shows the coverage parts and forms that might be included in a particular CPP. An insurer can write a monoline commercial insurance policy (such as a monoline equipment breakdown policy) by combining the selected coverage part with common declarations and the Common Policy Conditions.

For example, an insured that owns a large business and is comparing the different types of commercial insurance policies might choose a commercial package policy because it provides the option to add coverage parts for all the lines of insurance that are needed.

Components of a Sample Commercial Package Policy


Businessowners Policy

Many small and midsize businesses have similar and relatively uncomplicated insurance needs. Insurers therefore offer policies specially designed for such insureds as an economical alternative to regular commercial package policies.

Such policies are known generically as “businessowners policies,” although many insurers use proprietary names to establish brand identity. A businessowners policy (BOP) is a multiline policy that includes most of the property and liability coverages needed by small and midsize businesses.

Businessowners policies typically provide building and business personal property coverage, business income and extra expense coverage, and the equivalent of commercial general liability coverage. Other coverages are either included automatically or available as options.

Businessowners policies resemble homeowners policies in the way they package standard coverages and in their simplified rating procedures. BOPs have a broad-based public appeal because of an economical packaging of the types of coverages that are most needed by a wide variety of small to mid-size businesses. At the same time, BOPs provide insurers and producers with a highly competitive product that is highly automated with streamlined underwriting.

The first businessowners policies were independently developed by individual insurers. ISO introduced a standardized businessowners program in 1976 and has revised it several times.

AAIS also offers a businessowners program as well as its Artisans Program, which uses a businessowners-type policy tailored to meet the specific coverage needs of eligible contractors. Many insurers, including the market leaders for this line, use independently developed BOP forms. Some insurers have developed specialized BOP forms for specific classes of business, such as contractors, printers, or places of worship.

Underwriting BOP

The BOP is a bundled package of coverages designed for the average small to medium-size risk. Writing a commercial insurance policy as a BOP offers many advantages, such as expense reduction resulting from elimination of duplicate underwriting; adverse selection reduction (if the insured wants coverage for one particularly hazardous exposure, the higher probability of loss can be offset by the premium for other exposures less likely to suffer a loss); and pricing flexibility, thereby enabling the insurer to compete more effectively for the types of insureds it desires.

For many insurers, underwriting BOPs differs from underwriting most other commercial lines. The standardized nature of BOP coverage and the need to control costs to remain competitive have led to the extensive use of computers for underwriting and processing BOPs. Many insurers also use predictive modeling to assess and price BOPs. The policies are generally underwritten in a manner that resembles the underwriting of homeowners coverage as opposed to other commercial lines.

Output Policy

An output policy combines in a single form several property coverages that a CPP would provide as separate coverage parts. The coverages in an output policy might include buildings and business personal property, business income and extra expense, crime, inland marine, and equipment breakdown. In a CPP, each of these coverages would have to be provided by a separate coverage part or coverage form. Thus, an output policy uses a more seamless approach in providing commercial property insurance.

Also, output policies often provide property coverage enhancements not contained in the standard forms used in CPPs, particularly broad coverage for property while away from the insured’s premises, whether in the course of transit or at a location not described in the policy.

Eligibility for output policies includes most types of commercial organizations, and specialized output policies have been created for certain market segments such as agribusinesses and developers.

Output policies are generally used only for midsize and larger businesses. The CPP, the BOP, and the output policy, although different in their formatting, are composed of similar policy provisions. Policy provisions can be categorized as declarations, definitions, insuring agreements, exclusions, miscellaneous provisions, and conditions. A policy condition is any insurance policy provision that qualifies an otherwise enforceable promise of the insurer.

Of the various types of policy provisions, conditions are the least likely to vary among different types of commercial property policies.


Cyber Risks and the ISO Building and Personal Property Coverage Form

Organizations may purchase traditional commercial property coverages, such as those that insurers offer through forms developed by Insurance Services Office, Inc. (ISO), as part of an enterprise risk management approach to mitigating cyber risks. However, the limited cyber coverage provided by such policies may be inadequate for most organizations.

The ISO Building and Personal Property Coverage Form, also referred to as the BPP, and similar traditional commercial property policies are often used to insure buildings, the insured’s business personal property, and the personal property of others. The insured can buy coverage for any combination of these three categories. However, the BPP and similar commercial property forms exclude coverage for certain types of structures, such as bridges, and certain types of business personal property, such as money and securities.

The BPP’s causes of loss forms work in conjunction with policy provisions to delineate the specific coverage it provides. The Causes of Loss—Basic Form and the Causes of Loss—Broad Form are specified-perils forms, which means that they have a list of covered causes of loss as well as a list of exclusions. The Causes of Loss—Special Form insures against direct physical loss unless the loss results from a specifically excluded or limited cause of loss.

These causes of loss forms combine with general policy provisions to describe the BPP’s coverage. They then refine that description through a series of limitations and exclusions.

Some of these provisions, limitations, and exclusions apply to property such as data and data storage/transmission media and to first-party cyber risk loss exposures, though additional coverage may be available to augment the BPP’s limited coverage for cyber risks.

Property Not Covered

The BPP’s Property Not Covered section lists several classes of property or kinds of property losses that do not qualify as covered property. Therefore, its Covered Property section and Property Not Covered section must be read together when determining whether a specific kind of property is insured. Some kinds of property are excluded because they can be insured more advantageously under other forms.

The BPP excludes coverage for all electronic data (defined broadly to include information, facts, or computer programs used with electronically controlled equipment), subject to these exceptions:

  • Stock of prepackaged software
  • Electronic data that is integrated in and operates or controls the building’s elevator, lighting, security, or climate control systems
  • Data covered under the Electronic Data additional coverage

The BPP defines “stock” as merchandise held in storage or for sale, raw materials, and in-process or finished goods, which includes supplies used in the goods’ packing or shipping. Thus, a retail store that sells prepackaged software or a manufacturer that produces it would be insured for a covered loss to such software that qualifies as stock.

The additional coverage for electronic data, however, does not apply to the named insured's stock of prepackaged software or electronic data that is integrated in and operates or controls the building's elevator, lighting, security, and climate control system. The reason for this exclusion is that these specific items are covered property because they are excepted from the Property Not Covered section of the BPP.

These items are also covered up to the regular policy limits as shown on the declarations and not subject to the lower limit of liability applicable to the Electronic Data additional coverage.

Optional Additional Coverages

The BPP includes an Additional Coverages section that provides insurance for certain consequences of property losses that would not otherwise be covered.

One such additional coverage, Electronic Data additional coverage, provides nominal coverage for the cost to replace or restore electronic data that is destroyed or corrupted by a covered loss, including loss from a virus or harmful code.

However, this additional coverage is subject to a limit that is too low to provide meaningful coverage for most organizations and is the most that the insurer will pay per policy year, regardless of the number of occurrences or locations covered. All electronic-data damage is deemed to have been sustained in the policy year that an occurrence began, even if the damage continues or results in additional loss or damage in a subsequent policy year.

By contrast, the American Association of Insurance Services’ Commercial Output Program (COP) additional coverages provide wider coverage and larger limits for causes of loss such as loss caused by computer hacking and loss caused by computer virus. Additionally, they cover programs, applications, and proprietary programs, and they also address loss of income related to a data breach.

Cyber Risk First-Party Exposures Not Covered in the BPP

Cyber risk loss exposures traditionally have posed coverage problems for insurers because coverage under the BPP and similar property policies is generally limited to physical loss or damage to the insured property.

Many insurers have questioned whether the erasure of computer files or their deliberate corruption by third parties constitutes physical damage within the meaning of the BPP.

The BPP and similar commercial property forms consequently provide only limited coverage for cyber events that may have significant financial consequences for an organization. While these forms may provide coverage to repair or replace computer hardware that is damaged or destroyed by a covered cause of loss, they are not likely to provide the limits necessary to restore a business to its pre-cyber-loss condition.

Examples of cyber losses generally not covered under most first-party commercial property forms include these:

  • Ransom costs related to cyber extortion
  • Business interruption and extra expense, including possible contingent exposures resulting from an insured's suppliers
  • Expenses an insured incurs, such as providing credit score monitoring for customers whose credit data may have been compromised
  • Costs related to remediation of any damage that may have been done to the reputation of the insured
  • The cost to replace or restore information on valuable papers and records, including those that exist as electronic data

Expenses such as providing credit score monitoring for customers whose credit data may have been compromised are generally not covered under most first-party commercial property forms.

The stock of prepackaged software is covered by the Insurance Services Office, Inc., Building and Personal Property Coverage Form.

The Electronic Data additional coverage section of the Insurance Services Office, Inc., Building and Personal Property Coverage Form does not extend to the named insured's electronic data that is integrated in and operates or controls the building's elevator, lighting, security, and climate control system because these items are covered up to the regular policy limits as shown on the declarations. 


Legal Liability: Torts, Contracts, and Statutes

Every person and all organizations are exposed to liability loss. The possibility of a liability loss is a liability loss exposure. To be able to identify, analyze, and properly handle an organization’s liability loss exposures, one must understand the concept of legal liability and the common sources of liability loss exposures.

Legal liability can be imposed by civil law, criminal law, or both. Legal liability imposed by civil law can be based on torts, contracts, or statutes.

Civil Law and Criminal Law

Liability insurance responds to liability imposed by civil law. Insurance for criminal liability is prohibited by law; liability insurance applies only to civil liability.

In some instances, a single act can constitute both a civil wrong and a crime. For example, if a driver causes the death of a pedestrian, law enforcement authorities may charge the driver with vehicular homicide, a criminal act. The driver may also be subject to a civil action by the estate of the deceased pedestrian for medical bills, funeral expenses, loss of support, and other damages that the law allows. Insurance coverage would not respond to the criminal charges. It could, however, provide payment for the civil claims.

A liability insurance policy typically obligates the insurer to defend the insured against allegations that, if true, would be covered under the policy. Even if the claimant's allegations turn out to be false or fraudulent, the insurer is ordinarily obligated to pay the costs of defending against the claim. In addition, a liability policy contains the insurer's promise to pay damages for which the insured is legally liable and that are covered by the policy. In most liability claims in which the insurer believes that its insured is legally liable, the insurer attempts to settle the claim (by offering to pay a certain amount of damages to the claimant) in order to avoid the additional expense of a trial.

Legal Liability Based on Torts

A tort is a civil wrong, also called a private wrong. Most of the claims covered by liability insurance are based on tort law, which protects the rights of individuals. These rights originally included the rights to security of person, property, and reputation. Over the years, legal changes have established other rights of individuals, such as the right to privacy. Where a right exists, others have a corresponding duty to respect it and to refrain from any act or omission that would impair or damage it. Any wrongful invasion of legally protected rights entitles the injured party to bring an action against the wrongdoer for damages.

Underwriting Tip—Tort law varies by state. Liability underwriters should know tort law in general and the specifics of tort law in states in which they underwrite. To properly evaluate applicants for liability insurance, underwriters should also monitor related developments in state courts.

The numerous types of torts fall into three broad categories:

  • Negligence
  • Intentional torts
  • Strict liability torts

Negligence is based on four elements:

  • A duty owed to another person
  • A breach of that duty
  • A close causal connection between the negligent act (breach of duty) and the resulting harm
  • The occurrence of actual loss or damage of a type recognized by law and measurable in monetary terms

For example, a motorist who drives at an unsafe and excessive speed and, as a result, causes an accident that injures another motorist has committed the tort of negligence.

A negligent act does not in and of itself qualify as the basis for a negligence tort. All four elements of negligence must be present. For example, a motorist who is driving at an unsafe speed and who narrowly misses another vehicle has not committed the tort of negligence, although the act is negligent. The motorist who is driving negligently may receive a ticket, but the motorist whose vehicle was narrowly missed does not have the basis for a tort of negligence because he or she did not experience actual loss or damage.

An intentional tort is a tort committed by a person who foresees (or should be able to foresee) that his or her act will harm another person. The act does not necessarily have to be performed with malicious or hostile intent. An example of an intentional tort is libel, the publication of a false statement that damages a person’s reputation.

Strict liability (or absolute liability) is liability that is imposed even though the defendant acted neither negligently nor with intent to cause harm. Common examples of strict liability include liability for abnormally dangerous instrumentalities (such as wild animals), ultrahazardous activities (such as blasting), and dangerously defective products (such as malfunctioning smoke detectors).

Strict liability is also used to describe liability imposed by certain statutes, such as workers compensation laws.


Legal Liability Based on Contracts

In addition to torts, contracts also impose legal liability. If one party fails to honor the promise, the other may go to court to enforce the contract. Liability based on contracts can arise out of either a breach of contract or an agreement one party has made to assume the liability of another party.

Breach of contract is a failure to fulfill one’s contractual promise. A common type of breach of contract involves the promise (called a warranty) made by a seller regarding its product. If the product fails to fulfill its promise, the warranty has been breached, and the buyer can make claim against the seller. The warranty may be either expressly stated or implied by law. For example, the law implies a warranty that every product is fit for the particular purpose for which it is sold. If the product is unfit for its intended purpose and the buyer is injured as a result, the seller may be held legally liable for damages.

Liability for injury or damage resulting from a seller’s breach of warranty is commonly insurable. Other consequences of breach of contract are not insurable. For example, if a builder fails to complete a new store by the promised date, the store owner’s claim for loss of revenue is normally not insurable under the builder’s general liability insurance.

A hold-harmless agreement (or indemnity agreement) typically requires one party to “hold harmless and indemnify” the other party against liability arising from the activity or product that is the subject of the contract.

For example, a building’s lease may obligate the tenant to hold the landlord harmless against any liability claims made by any person injured on the leased premises. The tenant, in this case, is agreeing by contract to pay claims for which the tenant would not otherwise have been legally liable. Construction contracts and other types of agreements also often contain hold-harmless agreements. Contractual liability is liability assumed through a hold-harmless agreement and is commonly covered under liability insurance policies.

Because hold-harmless agreements are only subsidiary issues in negotiations of larger contracts, they often receive little attention from the contracting parties. This can be a problem for underwriters because once an injury occurs, a need arises to litigate the meaning of the accompanying hold-harmless agreement.

Legal Liability Based on Statutes

In addition to torts and contracts, statutes are a third major basis for imposing legal liability. A statute is a written law passed by a legislative body, at either the federal or state level. Written laws at the local level are usually referred to as ordinances. Statutes and ordinances can modify the duties that persons owe to others. Thus, the duties imposed by statute or ordinance may be used as evidence of a person’s duty of care in a tort action. A statute can also impose legal liability on certain persons or organizations regardless of whether they acted negligently, committed any tort, or assumed liability under a contract.

A statute can give certain persons or organizations an absolute legal obligation to compensate other persons if certain events occur. This type of obligation is a form of strict liability, like that previously discussed, except that it is based entirely on requirements imposed by statute rather than on tort law. An important example of liability imposed by statute is the workers compensation system, which requires employers to pay prescribed benefits for occupational injuries or illness of their employees. The employer must pay these benefits even if an employee’s injury or illness did not result from the employer’s negligence.

An employer's liability for occupational injuries and illnesses is based on statutory liability.


Cyber Risks and the ISO Commercial General Liability Coverage Form

Understanding the cyber risk coverage limitations of commercial general liability (CGL) policies is one of the initial steps in knowing which cyber risks need to be mitigated or insured by endorsement or a stand-alone cyber policy.

The most frequently used CGL forms are developed by Insurance Services Office, Inc. (ISO). In addition, the American Association of Insurance Services (AAIS) has developed CGL coverage forms, and some insurers use their own independently developed forms.

A CGL policy is the foundation on which to build liability protection. The first step in determining whether a specific cyber liability risk is covered by a CGL policy is to gain an understanding of how the policy is structured. Then, the insuring agreements, along with the policy definitions of the terms in the agreements, should be reviewed to determine whether the initial grant of coverage includes the exposure and, if so, whether any exclusions apply that negate or restrict the coverage.

Analysis of the CGL Policy, Coverage A and Coverage B

CGL policies are purchased by all types of business owners who want to transfer their risks from a broad range of liability loss exposures.

Included in that range of exposures are claims of liability for bodily injury, property damage, and personal and advertising injury, as defined in the policy. The coverages in the ISO CGL are broken into Coverage A and Coverage B.

Coverage A protects insureds from liability claims alleging bodily injury and property damage. Coverage B protects insureds from liability claims alleging personal and advertising injury.

In Coverage A, the CGL policy starts with a substantial grant of coverage made in the insuring agreement. The agreement explains that the insurer will pay on behalf of the insured what it is determined that the insured is legally obligated to pay as damages because of bodily injury or property damage (for events to which the insurance applies). The insuring agreement in Coverage B also provides a substantial grant of coverage for personal and advertising injury.

The terms in the insuring agreements that are defined in the policy must be examined to ensure the definitions are broad enough to include the types of claims the insured wants to transfer to the insurer. If they are, it should also be determined whether an exclusion negates or restricts needed coverage.

Policy Definitions and Exclusions in a Cyber Exposure Context

The CGL insuring agreements for both Coverages A and B appear to be broad enough to provide coverage for one of the costliest types of claims: those that arise from a hacker’s obtaining unauthorized access to the private information of an insured’s customers.

However, the term “property damage” in the Coverage A insuring agreement is defined in the policy. The definition should be reviewed to determine whether the coverage granted by the insuring agreement applies to these types of claims. The CGL policy defines property damage as physical injury to tangible property.

The policy definition continues by explaining that, for the purposes of the insurance provided by the CGL, electronic data is not tangible property. Therefore, Coverage A, unendorsed, does not appear to provide coverage for damages arising from, for example, a claim involving a hacker’s successfully gaining access to an insured’s database that contains private customer information.

The unendorsed ISO Commercial General Liability (CGL) policy defines property damage as physical injury to tangible property, not including electronic data.

Coverage B contains the term “personal and advertising injury,” which is defined in the policy.

"Personal and advertising injury" means injury, including consequential "bodily injury", arising out of one or more of the following offenses:

a. False arrest, detention or imprisonment;

b. Malicious prosecution;

c. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord or lessor;

d. Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person's or organization's goods, products or services;

e. Oral or written publication, in any manner, of material that violates a person's right of privacy;

f. The use of another's advertising idea in your "advertisement"; or

g. Infringing upon another's copyright, trade dress or slogan in your "advertisement".

In regard to cyber claims, the definition may be sufficiently broad to include coverage for situations such as a hacker’s obtaining control over an insured’s website. Hijacking an insured’s website could result in the hacker’s publishing content that slanders or libels a third party or disparages the party’s products or services.

Also included in the definition of personal and advertising injury is content that could be placed on the site by a hacker—without the knowledge or permission of the web host—that violates a person’s right of privacy, such as a photograph of a celebrity that the celebrity thought would remain private. The hacker could also add content to the website that infringes on another party’s copyright, trade dress, or slogan, an infringement that is included in the definition of personal and advertising injury.

If a claim appears to be included in the insuring agreement and the policy definitions, the next step is to determine whether an exclusion applies. These are exclusions for Coverage B—Personal and Advertising Injury that may apply to a cyber loss:

  • Criminal acts (which a hacker may make appear to have been committed by an insured)
  • Contractual liability (liability an insured assumes in a contract, such as an indemnification agreement)
  • Quality or performance of goods (failure to conform to statements regarding quality made in the insured’s ad, which may have been written by a hacker)
  • Wrong description of prices (that a hacker may have put on a retailer’s website, citing prices below actual costs)
  • Infringement of copyright, patent, trademark, or trade secret (which a hacker may do intentionally to create a conflict with the intellectual property owner)
  • Unauthorized use of another’s name or product (to mislead potential customers)


Limits and Sublimits

In a CGL policy that has been issued to an insured, the limits of coverage are listed on the declarations page and indicate the most the insurer will pay regardless of the number of each of these:

  • Insureds
  • Claims made or lawsuits filed
  • Persons or organizations making claims or bringing lawsuits

There are no separate sublimits for cyber coverage in the ISO CGL form. However, if the insured has chosen to add one of the optional additional coverages for electronic data liability to its CGL policy, the limits for that additional coverage will be shown on the declarations page.

Optional Additional Coverages

The standard ISO CGL and most other CGL forms exclude liability coverage for damage to electronic data. This gap in coverage can be partially closed with optional additional coverages.

ISO Electronic Data Liability Endorsement

This endorsement (CG 04 37) partially closes the gap by amending the CGL policy’s defined term “property damage” to include loss of or damage to electronic data. However, the loss of or damage to electronic data must still result from damage to tangible property, such as a computer or server.

Many businesses are exposed to losses to which this type of coverage responds. For example, an insured who owns a building might be sued based on alleged negligence in maintaining the building’s plumbing, resulting in enough water dripping onto a third party’s computers to permanently damage them and the electronic data they contained.

The endorsement does not cover, for example, liability loss exposures arising from the transmission by the first-party insured of malicious code or viruses, because the loss does not result from damage or physical injury to tangible property. Primarily in response to insureds’ demands that insurers pay under this endorsement the expenses and damages incurred when a breach of an insured’s database is successful, ISO offers an edition of this endorsement that explicitly excludes coverage for these types of claims.

The exclusion applies to Coverages A and B of the CGL policy. Neither coverage will respond to claims arising from a hacker’s access to or disclosure of confidential or personal information.

Coverage for these types of claims is possible. However, it may have to be purchased through a stand-alone cyber liability policy. Another option is the Electronic Data Liability Coverage Form.

Electronic Data Liability Coverage Form

This separate claims-made coverage form (CG 00 65) provides coverage for liability resulting in loss of electronic data that is caused by an electronic data incident. Loss of electronic data occurs when there is damage to or loss of use of electronic data. An electronic data incident is an accident, a negligent act, an error, or an omission that results in loss of electronic data, except unauthorized access.

The coverage territory of the Electronic Data Liability Coverage Form is broader than Coverage A of the Commercial General Liability (CGL) Coverage Form because it covers all parts of the world.

The Difference Between a Coverage Form and an Endorsement

A coverage form provides basic elements of a policy, which include these:

  • Insuring agreement
  • Exclusions
  • Policy conditions
  • Definitions

An endorsement amends the coverage form.

Coverage provided by this separate coverage form is broader than that in the ISO Electronic Data Liability endorsement because the coverage form does not require that the loss of electronic data result from physical injury to tangible property. Physical injury to tangible property is required for the endorsement to cover a loss.

Another advantage of the coverage form is that the coverage territory is broader than Coverage A in the CGL policy. The coverage form’s territory is all parts of the world, as long as lawsuits on the merits of the claim are brought in the United States or its possessions or territories or in Canada.

The insuring agreement of the coverage form stipulates that loss of electronic data does not occur when a party breaches the insured’s database to gain unauthorized access to private information. So, for example, coverage is not triggered when a hacker successfully breaches the database of an insured and obtains its customers’ credit-card information.

Exclusions in the coverage form indicate it is not intended to cover insureds that provide computer products or services. Also excluded are damage to the insured’s own electronic data, assumption of liability in a contract, infringement of intellectual property rights, and unauthorized use of electronic data by an insured.

Cyber Risk Third-Party Exposures Not Covered in the CGL

Multiple third-party cyber liability loss exposures are not covered in the ISO CGL but may be covered by a stand-alone cyber liability policy.

Cyber Risk Third-Party Exposures Not Covered in the ISO CGL

Coverage A (Property Damage): Physical damage to tangible property, such as an insured's computer system, is required. Electronic data is not considered tangible property.

Coverage Territory: Restricted to the United States and its possessions and territories and Canada. This restriction is made more challenging with regard to computing technologies, as an insured's database could be on a server in a foreign country.

Insureds in Media and Internet-Type Businesses: An insured involved in e-commerce may be more likely to have its personal and advertising injury excluded if it is in the business of any or all of these:

  • Advertising, broadcasting, publishing, or telecasting
  • Designing or determining the content of websites for others
  • Providing Internet searches, access, content, or service

No Coverage for Being the Victim of a Data Breach: A successful breach of a database by a hacker, resulting in the release of private information to an unauthorized party, triggers no CGL coverage.

Liability Coverage Designed to Cover Different Loss Exposures: A CGL policy is designed to cover bodily injury and property damage, not errors and omissions that allowed a database to be breached.


The cyber risk third-party exposures that are not covered by a CGL policy leave substantial gaps in liability protection for many commercial insureds. These gaps may be addressed by policies that are designed specifically to cover these exposures.

When analyzing the coverage portfolio for a commercial insured that has significant cyber loss exposures, an insurance professional must be familiar with the cyber risk protection each traditional policy provides in order to prevent gaps or duplications in coverage.

Several commonly used policy forms provide insurance protection for traditional causes of loss. Some of these policy forms have been updated to add cyber coverage to the perils insured; however, the coverage limits in some of them have been modest. For example, the Insurance Services Office, Inc. (ISO) Commercial General Liability (CGL) Coverage Form provides cyber coverage but for only a few non-property-damage-related perils.

The ISO Building and Personal Property Coverage Form, also referred to as the BPP, provides some cyber coverage but only up to a relatively low limit. These are some other traditional insurance policies that warrant closer analysis in terms of cyber coverage:

  • Business Income (and Extra Expense) Coverage Form
  • Businessowners Policy (BOP)
  • Directors and officers (D&O) policy
  • Commercial crime policy


Cyber Risks and Other Traditional Policies

Business Income (and Extra Expense) Coverage Form

The Business Income (and Extra Expense) Coverage Form protects the insured organization from the reduction in income that occurs when operations are interrupted by damage to property caused by a covered peril. The ISO form is examined in this analysis.

Summary of the Base Coverage

The policy covers the loss of net profit and operating expenses that the insured organization sustains because of the necessary suspension of the insured’s operations during the period of restoration. The coverage form also covers extra expenses, which are costs incurred by the named insured to avoid or minimize the suspension of operations resulting from direct damage caused by a covered cause of loss.

Example of a Business Income and Extra Expense Claim

Frank and Gabriela are partners in a downtown bakery. Last week, a fire caused by an electrical short circuit in a kitchen appliance resulted in extensive property damage, forcing them to close the store while it is repaired. Frank has contacted a local general contractor, who estimates that it will take three months to repair or replace enough of the property so they can reopen the business. Gabriela has found a former bakery one block away that recently went out of business, and the landlord is willing to give Frank and Gabriela a month-to-month lease while their original store is being repaired. Frank and Gabriela have Business Income and Extra Expense coverage.

The claims representative who is adjusting Frank and Gabriela's claim has told them that the fire is a covered cause of loss and that they will likely recover the net profit the store would have earned had there been no fire. The coverage will also pay the operating expenses that continue despite the store’s being closed. Furthermore, these payments will be made for the period of restoration, which has been estimated to be three months.

Regarding Extra Expense coverage, the claims representative has told Frank and Gabriela that the insurer would be willing to pay the costs incurred to open their bakery at the temporary location if it would lower the total payments by the insurer. Frank and Gabriela are considering the offer.


Key Requirements for Coverage

The policy contains several key requirements for coverage to be in effect, including these:

  • The suspension of operations must be caused by direct physical loss of or damage to property at the insured’s premises.
  • The insured’s premises must be described in the Declarations.
  • A business income limit of insurance must be shown in the Declarations.
  • The loss or damage must be caused by or result from a covered cause of loss.
  • With respect to loss of or damage to personal property in the open or personal property in a vehicle, the described premises include the area within 100 feet of such premises.

Additional Coverage—Interruption of Computer Operations

Some traditional policies, including the Business Income (and Extra Expense) Coverage Form, shift data loss away from the principal coverage grant by excluding coverage when the destruction of data is the cause of the insured’s suspension of operations. Instead, the policy provides coverage for this cause of loss under Additional Coverage—Interruption of Computer Operations, which is subject to relatively low coverage sublimits.

The sublimit for this policy is $2,500 per year, regardless of the number of interruptions or the number of premises, locations, or computer systems involved. With such a low limit, most insureds should not rely on a Business Income (and Extra Expense) Coverage Form for protection from cyber risk loss exposures.

Businessowners Policy (BOP)

A BOP is available in different forms from several sources; here, the ISO form is analyzed.

The BOP is a package policy that combines traditional property and liability coverages in one policy. The coverages are designed to meet the needs of small and medium-size businesses. The policy consists of two sections: one for property coverages and the other for liability coverages.

The first section has an insuring agreement that states that the insurer will pay for direct physical loss to covered property; however, electronic data is not considered covered property. This allows the insurer to establish a separate and independent limit of coverage in a section referred to as Additional Coverage—Electronic Data.

Although the $10,000 limit is relatively low, it does include coverage for restoring electronic data that has been corrupted by a computer virus or other harmful code. Coverage does not apply if an insured’s employee, or a vendor hired to maintain the system, causes the loss.

There is also coverage for business income and extra expense in a section named Additional Coverage—Interruption of Computer Operations. This coverage is subject to the same $10,000 limit and exclusions.

The BOP’s second (liability) section has an insuring agreement that states that it is the insurer’s obligation to cover what the insured becomes legally obligated to pay as damages because of bodily injury, property damage, or personal and advertising injury. When the database of an insured organization has been breached by an unauthorized user, property damage claims are more likely than claims of bodily injury or personal and advertising injury.

Property damage is defined in the policy as physical injury to tangible property, including loss of use of the property. The definition further states that electronic data is not tangible property. Therefore, liability coverage for electronic data is not triggered or included in the second section of the BOP.

Directors and Officers (D&O) Policy

A D&O policy protects a corporation’s directors and officers against liability for their wrongful acts that are covered by the policy.

Wrongful acts are defined as any actual or alleged error, misstatement, misleading statement, neglect or breach of duty, omission or act by directors or officers in their position or capacity for the corporation. These terms describe unintentional wrongful acts.

Intentional wrongful acts on the part of directors and officers that result in a loss are excluded. These latter acts are described as those that are dishonest, malicious, fraudulent, or deliberately criminal.

Regulatory actions in the wake of a cyber loss are likely not covered, because civil and criminal fines and penalties are not included in the definition of a covered loss. Destruction of property and the loss of its use are excluded as well.

Example of a Covered Directors and Officers Cyber Claim

Unintentional wrongful acts by the directors and officers of an organization are typically covered by a directors and officers (D&O) policy. For example, at one retailer, several corporate officers negligently failed to require that robust cyber security measures be implemented for customer data. As a result of that negligence, a data breach occurred. Thousands of customers' private information was stolen by hackers, and hundreds of customers suffered stolen identities. Those customers with stolen identities sued the corporate officers in a class action lawsuit. The D&O policy would probably respond by providing a defense and paying a settlement or judgment.


Commercial Crime Policy

An ISO commercial crime policy provides protection against crime perils for money and securities and for other property that does not include electronic data.

One of those covered crime perils is theft of funds resulting from a fraudulent entry of electronic data or fraudulent execution of a computer program. However, that coverage is excluded when the funds were stolen by a thief who had authorized access to the insured’s computer system.

Additional exclusions further limit coverage for cyber loss exposures. One such exclusion eliminates coverage for losses resulting from an unauthorized disclosure of an organization’s trade secrets or customers’ credit card information. Specifically, data security breaches and extortion are excluded.

The exclusion is broadly written so that it applies to the many forms of extortion, including threats to take these actions:

  • Do bodily harm to anyone
  • Damage property
  • Execute a denial-of-service attack
  • Infect an insured’s computer system with a malicious virus or other harmful code

Theft by employees is also excluded unless an employee was acting in good faith on fraudulent instructions from a software contractor that has a written contract with the insured to service its computer system.

| Policy | Data Breach First-Party Claims | Data Breach Third-Party Claims | Regulatory Action: Fines and Penalties | Extortion | Fraudulent Transfer of Funds | Infringement of Intellectual Property Rights |
|---|---|---|---|---|---|---|
| Business Income (and Extra Expense) | Possible coverage, limited to $2,500 per year; pays to restore data; excluded if done by an employee or a vendor hired to work on the system | N/A; property policy | No coverage | No coverage | No coverage | No coverage |
| BOP (both Property Section 1 and Liability Section 2) | Possible coverage, but limited to $10,000 per year; includes the cost to restore data and business income (and extra expense); excluded if done by an employee or a vendor hired to work on the system | No coverage; property damage must be to tangible property, which electronic data is not | No coverage | No coverage | No coverage | Excluded under personal and liability claims |
| D&O | N/A; liability policy | Possible coverage | No coverage | No coverage | No coverage | No coverage |
| Commercial Crime | No coverage | No coverage | No coverage | No coverage | No coverage | No coverage |

Traditional insurance policies that warrant closer analysis in terms of cyber coverage include these:

  • Business Income (and Extra Expense) Coverage Form
  • BOP
  • D&O policy
  • Commercial crime policy

Aside from the D&O policy, little or no cyber coverage can be found in the CGL, BPP, or any of these traditional policies.

A claim under a commercial crime policy may be covered if it involves theft of funds resulting from a fraudulent entry of electronic data.
Third-party data breach claims may be covered by a directors and officers policy.
The Business Income (and Extra Expense) Coverage Form provides coverage when the destruction of data causes an insured's suspension of operations under the section referred to as Additional Coverage—Interruption of Computer Operations, which is subject to a sublimit in the amount of $2,500.
The Additional Coverage—Electronic Data section of the Businessowners Policy, which provides coverage for restoring electronic data that has been corrupted by a computer virus, is subject to a limit of $10,000.
Claims for fraudulent transfer of funds may be covered by a commercial crime policy.


Cyber Risk Policies

Insurance professionals must understand the coverage options available in cyber policies to be able to tailor the coverage to fit the unique cyber risk profile of each commercial insured.

Traditional policies offer little to no coverage for cyber risk loss exposures. For example, most commercial general liability (CGL) policies specifically define property damage as physical damage to tangible property.

Most CGL policies also specify that electronic data is not tangible property. Therefore, typical CGL policy terms eliminate coverage for cyber liability risks, so CGL insureds are not protected from a variety of cyber risk loss exposures. Of some help are endorsements or additional coverages that can be added on to the traditional policies.

Directors and officers (D&O) policies are an exception in that they protect directors and officers against cyber liability risks for unintentional wrongful acts. This coverage is not subject to a low sublimit; the losses are paid out of the policy limit. To avoid duplication of coverage, D&O coverage is excluded in most stand-alone cyber risk policies.

Cyber risk policies bridge the cyber coverage gaps in traditional policies. To provide the coverage best suited to an individual insured, insurance professionals must understand these key cyber insurance concepts:

  • Cyber coverage in traditional policies
  • Typical coverages in a cyber risk policy
  • Cyber difference in conditions and excess cyber policies
  • Best practices for cyber insurance buyers

Cyber Coverage in Traditional Policies

Traditional policies cover traditional perils, with few gaps in coverage and with adequate limits to protect the insured from such perils. However, coverage for cyber loss exposures in traditional policies is too restricted, in terms of both the perils covered and the limits of coverage available, to avoid gaps in protection.

In addition, cyber-related activities create new loss exposures not contemplated by traditional policies, such as liability for failing to prevent a denial-of-service attack. Cyber coverages available in common traditional policies include these:

  • The Insurance Services Office, Inc. (ISO) Building and Personal Property Coverage Form’s Electronic Data additional coverage pays the cost to restore electronic data destroyed by a covered cause of loss, including a virus or harmful code.
  • The ISO CGL Coverage Form does not cover cyber loss exposures, but some coverage is available through the Electronic Data Liability endorsement, which applies to electronic data losses that result from physical injury to tangible property. The ISO Electronic Data Liability Coverage Form provides slightly broader coverage for an insured’s liability for loss of electronic data.
  • The ISO Business Income (and Extra Expense) Coverage Form offers the Interruption of Computer Operations additional coverage. If added to the policy, it applies to an interruption of computer operations caused by the destruction of electronic data by a covered cause of loss.
  • The Computer Fraud and Funds Transfer Fraud endorsement to the ISO Businessowners Coverage Form (BOP) covers loss resulting from the use of any computer to transfer funds fraudulently or from fraudulent instruction to transfer funds.

Typical Coverages in a Cyber Risk Policy

Most cyber risk policies share these characteristics:

  • The coverage territory for third-party liability claims is worldwide.
  • They are claims-made policies.
  • Subsidiaries acquired during the policy period are automatically covered.

Other coverages for cyber risks vary from policy to policy; for example, whether payment of defense costs reduces the policy limit.

Cyber Difference in Conditions and Excess Cyber Policies

Cyber insurance policies focus on the direct costs resulting from a data breach. They are not designed to protect an insured from other kinds of damage. Furthermore, most traditional property-casualty policies exclude cyber risk or cover it with low sublimits. This situation can create gaps in an insured’s commercial coverage.

A cyber difference in conditions policy can fill many of those gaps. Difference in conditions policies have been used to cover perils that are normally excluded in commercial property policies, such as floods or earthquakes.

In a cyber context, difference in conditions policies can be drafted to increase coverage in two ways. The first is by providing coverage for perils that are normally excluded by cyber risk policies, such as damage resulting from a discharge of electromagnetic radiation.

The second is by providing additional limits of coverage for specific perils for which the primary layer does not offer sufficient limits. A cyber difference in conditions policy can provide coverage that primary insurers refuse to write, which makes it less critical that the insured’s primary insurers provide such coverage.

A commercial insured can purchase a cyber excess liability policy if it has determined that its cyber risk loss exposures warrant an additional layer of coverage beyond either the policy limits of the primary cyber policy or the self-insured retention amount. The cyber difference in conditions and excess cyber policies are best suited for larger public or private organizations that have the financial capacity to afford a large self-insured retention, which may be as high as $100 million or more.

While the premium for these policies may be relatively inexpensive, the high self-insured retention can cause the insured to incur significant claims expenses. Insurers prefer to write this coverage only for insureds who self-insure to such a high amount because the coverage is so broad that if the self-insured deductible were low, insureds might be tempted to simply pay the low deductible and rely on the coverage for unintended uses, such as maintenance of the insured’s property.

This, in turn, would drive up the insurer’s claims expenses. The high self-insured retention ensures that the coverage is used for its intended purpose and that the insurer does not incur unexpectedly high claims expenses compared with the premium charged for the coverage.

Cyber Coverages Commonly Available

Third-party liability for damage and defense costs resulting from:

  • Network security liability
    –   Unauthorized disclosure of private information (privacy liability)
    –   Destruction of digital assets
    –   Unintentional transmission of malicious code
    –   Unintentional participation in a denial-of-service attack
  • Failure to promptly report unauthorized disclosure of private information
  • Failure to comply with a statutory requirement that the insured manage an identity-theft prevention program (Note: Not all jurisdictions have such a statutory requirement.)
  • Electronic media liability (Note: Defamation and infringement of intellectual property rights are optional in some policies.)
  • Technology errors and omissions liability

*In some policies:

  • Payment of defense costs reduces the policy limit, or such costs are paid in addition to the policy limit.
  • Selection of defense counsel is mutually agreed upon, or counsel is selected solely by the insurer.
  • The insured can refuse to settle and be responsible for 30% to 50% of the claim, or the insured must settle if the insurer chooses to settle.

First-party expenses for:

  • Notification of customers regarding a breach (Note: For costs incurred within one year of notice to the insurer.)
  • Forensic study to determine the scope and cause of the breach
  • Hiring an attorney to ensure compliance with notification-of-breach laws
  • Regulatory action (Note: Fines and penalties are considered a third-party liability in some policies.)
  • Crisis management to mitigate damage to reputation (Note: Public relations and credit monitoring sublimit of $100,000 on one policy; limit usually agreed on.)
  • Business interruption and additional expenses (Note: Optional in some policies; also known as Business Income [and Extra Expense].)
  • Electronic data protection/remediation (Note: Optional in some policies; difficult to insure because of prohibitive cost.)
  • Cyber extortion (Note: Various threats asserted: introduction of a virus, denial of service, and transfer of funds; available on some policies.)
  • Cyber crime (Note: Insured's financial institution transfers funds on a thief's instructions; available on some policies.)

Best Practices for Cyber Insurance Buyers

Cyber insurance buyers—or their trusted advisers—must know what to look for in a cyber risk policy. Best practices include these:

  • Assess whether, in general, the cyber policy has broad definitions with few exclusions.
  • Buy both first- and third-party coverage, because claims of either type can bankrupt most organizations.
  • Verify that the cyber insurance policy provides coverage for unencrypted mobile devices, such as laptops, that may be taken away from the insured’s premises to locations with less security.
  • Determine whether to purchase cyber coverage for regulatory actions. Federal and state governments actively fine organizations that fail to protect their customers’ private information or fail to promptly notify customers of a data breach.
  • Consider buying coverage to restore electronic data. The cost to reconstruct the information may be prohibitive, but without such coverage, the insured may be forced to suspend its operations.

Risk managers and insurance professionals should be aware that insurance is only one method of managing cyber risk loss exposures. Other methods include treating and monitoring risk, which can be done using cyber-specific risk control measures such as these:

  • Developing, distributing to all employees, and updating written data protection and privacy policies
  • Confirming that the insured’s data protection policy complies with applicable industry standards and legislation in all jurisdictions in which the insured does business
  • Using firewalls to prevent unauthorized access from external networks
  • Using and continually updating antivirus protection on all computer systems and servers to protect against viruses, worms, spyware, and other malware
  • Confirming that the insured complies with payment card industry data-security standards if it collects or distributes credit card data
  • Requiring encryption to be used to protect data on portable devices, such as laptops
  • Performing background checks on employees and third-party vendors that have access to the insured’s computer system
  • Requiring the third-party vendors that provide data processing to have their own data protection liability insurance and to indemnify the insured for liability attributable to the vendor

A policy that can increase cyber risk coverage in two ways, the first by providing coverage for perils that are normally excluded by cyber risk policies and the second by providing additional limits of coverage, is referred to as a difference in conditions policy.

A typically available cyber risk coverage that protects an insured when a thief causes the insured's financial institution to transfer funds is called cyber crime.

A cyber risk coverage that can be difficult to insure because of prohibitive cost is electronic data remediation.

Cyber risk control, as opposed to risk transfer, measures include developing written data protection and privacy policies.

Applying Risk Management Techniques to Cyber Risk Loss Exposures

Because an organization’s cyber risk loss exposures permeate every facet of its business—from its home office’s data media to the most distant links in its supply chain—these exposures are most effectively treated as part of its enterprise risk management (ERM) efforts.

An ERM-compliant consideration of cyber risks entails analyzing them through the five steps of the risk management process:

  1. Scan environment
  2. Identify risks
  3. Analyze risks
  4. Treat risks
  5. Monitor and assure

In practice, organizations consider a variety of factors as part of this process, the steps of which may overlap or require different levels of analysis, depending on the organization’s size and the scope of its operations. The manner in which cyber risk management techniques vary may be illustrated through an examination of three types of organizations—a small business, a midsize business, and a large business. Organizations can select from a variety of coverages to address cyber risk loss exposures.


Comparison of Cyber Risk Loss Exposures

Traditional Insurance Coverage for First-Party Cyber Risk Loss Exposures

  • Insurance Services Office, Inc. (ISO) Building and Personal Property Coverage Form (also referred to as the BPP)—The BPP’s Electronic Data additional coverage pays for the cost to replace or restore electronic data destroyed or corrupted by a covered cause of loss, including a virus or harmful code.
  • ISO Business Income (and Extra Expense) Coverage Form—The Interruption of Computer Operations additional coverage covers loss of business income or extra expense resulting from a suspension of operations because of an interruption of computer operations. The interruption of computer operations must be caused by destruction or corruption of electronic data resulting from a covered cause of loss.
  • ISO Businessowners Policy (BOP)—The BOP’s Computer Fraud and Funds Transfer Fraud endorsement covers the damage to money, securities, and other property directly related to the use of any computer to transfer funds fraudulently or from fraudulent instruction to transfer funds.
  • ISO Commercial Crime Coverage Form—The Destruction of Electronic Data or Computer Programs endorsement to this form covers the costs to restore or replace electronic data or computer programs stored in the insured’s computer system if such property is damaged or destroyed by a computer virus or by vandalism committed by a person who has gained unauthorized access to the insured’s computer system.

Traditional Insurance Coverage for Third-Party Cyber Risk Loss Exposures

  • ISO Commercial General Liability (CGL) Coverage Form—Liability loss exposures for electronic data are excluded under the CGL. However, some coverage may be added back by the Electronic Data Liability endorsement. This endorsement applies only to electronic data losses that result from physical injury to tangible property.
  • ISO Electronic Data Liability Coverage Form—This form provides broader coverage for an insured’s liability for loss of electronic data caused by an “electronic data incident.”

Stand-Alone Cyber Risk Insurance Policies

Insuring agreements related to first-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Cyber extortion
  • Cyber crime
  • Business interruption
  • Terrorism
  • Notification or remediation
  • Electronic data protection

Insuring agreements related to third-party coverages commonly found in cyber risk insurance policies fall into these categories:

  • Electronic media liability
  • Network security liability
  • Privacy liability
  • Technology errors and omissions liability
  • Intellectual property liability


The Small Business

A boutique that sells locally handcrafted leather goods such as handbags, wallets, and outerwear is operated as a partnership by its two owners, who lease the store’s only location. The owners are concerned about the growing number of retail data breaches and decide to review their operations to ensure that they have addressed their specific vulnerabilities to cyber risk loss exposures.

The store’s most vulnerable sources of first-party cyber loss exposures are the means by which data is stored and disseminated. This may include cash registers, credit card reading and transmission devices, and their related software. Additionally, significant consequential loss exposures such as business interruption and extra expense costs could stem from a cyber loss that prevents the store from conducting transactions. Further, the reputational exposure resulting from a data breach may be catastrophic for a small retail establishment.

The store’s third-party cyber risk loss exposures relate primarily to the storage and transmission of its customers’ financial information. Such loss exposures include legal costs, fines and penalties, and the potential for a third-party claim by an individual or a group (class action) whose personal information was compromised.

Most commercial insurance products suited for the store’s particular business needs, such as the Insurance Services Office, Inc. (ISO) Businessowners Policy (BOP) and the ISO Building and Personal Property Coverage Form, also referred to as the BPP, provide limited coverage for first-party cyber risk loss exposures, while the liability section of the BOP excludes damages arising out of the loss of, the damage to, or the inability to access or manipulate electronic data.

The BOP and the ISO Commercial Crime Coverage Form may be the boutique’s optimal risk transfer option for these reasons:

  • The BOP specifically identifies a virus or harmful code as a covered cause of loss for both property damage and business interruption exposures.
  • The minimum limit afforded by the BOP is considerably higher than that afforded by the BPP.
  • The insured can purchase an increased limit for first-party exposures.
  • The Commercial Crime Coverage Form will pay for loss resulting directly from a fraudulent change of electronic data or computer programs that involves the insured’s money, securities, or other property. Loss resulting directly from a fraudulent instruction directing a financial institution to transfer, pay, or deliver money or securities from the insured's account is also covered.

The Midsize Business

A plumbing and heating contractor operates in three states, has 100 employees, and serves residential and commercial customers. Most of the contractor’s sales involve the installation and servicing of heating and air conditioning systems. The contractor’s risk manager has undertaken a complete review of its risk management program. At the conclusion of the review, the risk manager expressed concern that the contractor was exposed to potential data breaches and concluded that the company should reassess its risk management measures.

The standard commercial coverage forms, including the BPP and the ISO Commercial General Liability (CGL) Coverage Form, that the contractor had relied on for its primary insurance program did not adequately address its cyber risk loss exposures. For example, the BPP provides minimal coverage for the contractor’s own cyber risk loss exposures, such as its computer systems, its bank accounts, and any business interruption loss or extra expense incurred as a result of a data breach. While the limits offered by the BPP may not be adequate, some cyber risk loss exposures, such as remediation expenses, postbreach costs, and costs involved to restore or repair a damaged reputation, are not covered at all. The contractor may be able to secure additional limits under the BPP for some of its cyber risk loss exposures, but it must also secure a stand-alone cyber contract to specifically address its potential postbreach remediation and reputational expenses.

The contractor’s third-party cyber loss exposures are not covered under the CGL. For example, any compromise of a customer’s personal data that may be attributable to the contractor’s actions is not covered, nor is any theft or loss of customer information. Therefore, the contractor must also purchase a stand-alone cyber liability policy, which may provide adequate limits for both the cyber risk loss exposures not covered under the BPP and the cyber liability loss exposures not covered under the CGL.

The contractor may also secure specific noninsurance risk transfers, such as hold-harmless agreements, with its customers should the contractor ultimately be the source of any unauthorized access of its customers’ data storage and transmission devices. Such an approach may be acceptable to its residential customers, but commercial clients may not be as amenable to these kinds of agreements. Additionally, the contractor should secure an indemnification agreement from the vendors who service and repair its computer systems.

The Large Business

A publicly traded national retailer of children’s clothing is expanding its operations into Europe, Canada, and Mexico. In addition to its physical locations, the retailer maintains an online operation that has grown considerably. The retailer’s cyber risk loss exposures include (but are not limited to) these:

  • Damage to or destruction of its computer systems, including software related to inventory control and point-of-sale interruptions
  • Loss of income because of a business interruption resulting from damage to or destruction of its computer systems
  • Costs related to the forensic investigation of a data breach
  • Regulatory notification regarding a data breach
  • Potential denial-of-service attacks and cyber extortion threats
  • Unintentional release of customer information
  • Credit monitoring expenses for individuals whose personal data is compromised by a breach
  • Regulatory fines and penalties that could be assessed related to a data breach
  • Shareholder suits triggered by a decline in the retailer’s stock valuation in the wake of a data breach

The standard commercial policies covering the retailer’s property and general liability exposures are not adequate for the scope and breadth of its cyber risk loss exposures. Therefore, the retailer should consider these additional cyber risk management measures:

  • While the retailer’s property insurance policies may be endorsed to provide the required limit, the covered causes of loss may need to likewise be amended to ensure that coverage is triggered by unauthorized access to the retailer’s computer systems, regardless of any physical damage.
  • The coverage trigger for any business interruption or extra expense limit must respond to a data breach and not only to an event of direct physical loss or damage to tangible property.
  • The territory clause of the retailer’s policy should not be limited to the United States because the retailer has expanded outside of the U.S.
  • The retailer should secure coverage that addresses its costs for any forensic investigation of a breach, the cost of a public relations team to mitigate any reputational damage caused by the breach, and any necessary notification costs associated with the breach.
  • The retailer could also require its vendors or service contractors to assume responsibility for any loss or damage to its systems to which they may have contributed.
  • The retailer should purchase a cyber privacy insurance policy that provides worldwide coverage for its cyber liability exposures, such as the costs associated with the theft of customer data, the costs incurred from any regulatory proceedings or fines, and the defense costs for shareholder suits resulting from a drop in share price because of a breach.

Loss incurred, including related expenses, to respond to extortion demands relating to a cyber event is a first-party cyber risk loss exposure and is covered by a first-party Insurance Services Office, Inc. (ISO) coverage form.

The Insurance Services Office, Inc. (ISO) Businessowners Coverage Form (BOP) is optimal for small businesses because it specifically identifies a virus or harmful code as a covered cause of loss for both property damage and business interruption.

Electronic medical liability is an insuring agreement related to third-party coverage that is commonly found in cyber risk insurance policies.

The Building and Personal Property Coverage Form's (BPP's) Electronic Data additional coverage will pay for the cost to replace or restore electronic data destroyed or corrupted by a covered cause of loss.

Liability loss exposures for electronic data are excluded under the CGL.

Glossary

Data breach : An incident in which confidential or privileged information that is stored in a computer system is accessed or obtained by an unauthorized party.
Identity theft : A crime in which an imposter uses the name or personal identification information of a person (the victim), without his or her knowledge, to set up and/or use bank accounts, credit facilities, government and other benefits, or the victim’s reputation, often leading to adverse consequences for the victim.
Enterprise risk management : An approach to managing all of an organization's key business risks and opportunities with the intent of maximizing shareholder value. Also known as enterprise-wide risk management.
Cyber risk loss exposure : Any condition that presents the possibility of financial loss to an organization from property, net income, or liability losses as a consequence of advanced technology transmissions, operations, maintenance, development, or support.
Property : The real estate, buildings, objects or articles, intangible assets, or rights with exchangeable value of which someone may claim legal ownership.
Tangible property : Property that has a physical form.
Intangible property : Property that has no physical form.
Intellectual property : The product of human intelligence that has economic value.
Reputation : An intangible asset, a key determinant of future business prospects, resulting from a collection of perceptions and opinions, past and present, about an organization that resides in the consciousness of its stakeholders.
Net income loss : An indirect loss caused by a reduction in revenue, an increase in expenses, or both during a given time period.
Business interruption : Loss of revenue that a business or another organization sustains because its operations are suspended as a result of physical injury to its property.
Liability loss exposure : Any condition or situation that presents the possibility of a claim alleging legal responsibility of a person or business for injury or damage suffered by another party.
Separation : A risk control technique that isolates loss exposures from one another to minimize the adverse effect of a single loss.
Duplication : A risk control technique that uses backups, spares, or copies of critical property, information, or capabilities and keeps them in reserve.
Malware : Malicious software, such as a virus, that is transmitted from one computer to another to exploit system vulnerabilities in the targeted computer.
Net income : The difference between revenues (such as money received for goods or services) and expenses (such as money paid for merchandise, rent, and insurance).
Denial-of-service attack : An attempt to overwhelm a computer system or network with excessive communications in order to deny users access.
Period of restoration : The length of time after a direct loss that a business needs in order to return to the condition that would have prevailed had no loss occurred.
Contingent net income loss : A net income loss that is caused by events that occur outside the organization.
Extra expenses : Expenses, in addition to ordinary expenses, that an organization incurs to mitigate the effects of a business interruption.
Reputational risk : The risk that negative publicity, whether true or not, will damage a company's reputation and its ability to operate its business.
Negligence : The failure to exercise the degree of care that a reasonable person in a similar situation would exercise to avoid harming others.
Fraud : An intentional misrepresentation resulting in harm to a person or an organization.
Conversion : The unlawful exercise of control over another person's personal property to the detriment of the owner.
Fiduciary duty : The duty to act in the best interests of another.
Invasion of privacy : The unauthorized disclosure of private information to another.
Breach of contract : The failure, without legal excuse, to fulfill a contractual promise.
Class action (class action lawsuit) : A lawsuit in which one person or a small group of people represent the interests of an entire class of people in litigation.
Libel : A defamatory statement expressed in writing.
Slander : A defamatory statement expressed by speech.
Risk control : A conscious act or decision not to act that reduces the frequency and/or severity of losses or makes losses more predictable.
Cyber risk : The possibility that data will end up in the possession of a party who is not authorized to have that data and who can use it in a manner that is harmful to the individual or organization that is the subject of the data and/or the party that collected and stored the data.
Risk control technique : A method used to reduce the frequency and severity of losses as much as possible with the resources available.
Avoidance : A risk control technique that involves ceasing or never undertaking an activity so that the possibility of a future loss occurring from that activity is eliminated.
Loss prevention : A risk control technique that reduces the frequency of a particular loss.
Loss reduction : A risk control technique that reduces the severity of a particular loss.
Diversification : A risk control technique that spreads loss exposures over numerous projects, products, markets, or regions.
Stakeholder : Any individual or organization that is directly or indirectly involved with or affected by organizational decisions or activities.
Biometrics : Biological identification of an individual using anatomy or physiology.
Segregation of duties : Processes that ensure that no one individual has the physical and system access to control all phases (authorization, custody, and record keeping) of a business process or transaction.
Retention : A risk financing technique by which losses are retained by generating funds within the organization to pay for the losses.
Self-insurance : A form of retention under which an organization records its losses and maintains a formal system to pay for them.
Captive insurer, or captive : A subsidiary formed to insure the loss exposures of its parent company and the parent's affiliates.
Reinsurance : The transfer of insurance risk from one insurer to another through a contractual agreement under which one insurer (the reinsurer) agrees, in return for a reinsurance premium, to indemnify another insurer (the primary insurer) for some or all of the financial consequences of certain loss exposures covered by the primary's insurance policies.
Risk retention group : A group captive formed under the requirements of the Liability Risk Retention Act of 1986 to insure the parent organizations.
Non-insurance risk transfer : A risk financing technique in which one party transfers the potential financial consequences of a particular loss exposure to another party that is not an insurer.
Hold-harmless agreement (or indemnity agreement) : A contractual provision that obligates one of the parties to assume the legal liability of another party.
Hedging : A financial transaction in which one asset is held to offset the risk associated with another asset.
Supply chain : The network of external stakeholders on which an organization relies for goods and services.
Producer : Any of several kinds of insurance personnel who place insurance and surety business with insurers and who represent either insurers or insureds, or both.
Building and Personal Property Coverage Form (BPP) : A commercial property coverage form that can be used to cover buildings, “your business personal property,” and personal property of others.
Commercial General Liability Coverage Form : A coverage form commonly used for insuring an organization’s premises and operations liability loss exposures and products and completed operations liability loss exposures.
Business Income (and Extra Expense) Coverage Form : Form that covers both business income and extra expense losses (even if the extra expenses do not reduce the business income loss).
Businessowners policy (BOP) : A package policy that combines most of the property and liability coverages needed by small and medium-size businesses.
Crime insurance : Insurance that covers (1) money and securities against numerous perils (not limited to crime perils) and (2) property other than money and securities against crime perils, such as employee theft, robbery, theft by outsiders, and extortion.
Directors and officers (D&O) liability insurance : Insurance that covers a corporation’s directors and officers against liability for their wrongful acts covered by the policy and also covers the sums that the insured corporation is required or permitted by law to pay to the directors and officers as indemnification.
Triggering event : An event that sets in motion, or initiates, other events.
Insuring agreement : A statement in an insurance policy that the insurer will, under described circumstances, make a loss payment or provide a service.
Commercial package policy (CPP) : Policy that covers two or more lines of business by combining ISO’s commercial lines coverage parts.
Output policy : A policy that combines, in one form and associated endorsements, all or most of the commercial property coverages that the insured organization needs, and uses a flexible rating plan.
Manuscript forms : Manuscript forms usually offer more favorable terms for insureds than standard forms.
Business personal property : Stock, furniture, fixtures, equipment and machinery, tenant’s improvements and betterments, and other personal property owned by the insured.
Causes of Loss—Basic Form : Form that covers fire, lightning, explosion, windstorm, hail, smoke, aircraft, vehicles, riot, civil commotion, vandalism, sprinkler leakage, sinkhole collapse, and volcanic action.
Causes of Loss—Broad Form : Form that covers basic form perils plus falling objects; weight of snow, ice, or sleet; water damage; and (as additional coverage) collapse caused by certain perils.
Causes of Loss—Special Form : Form that covers “risks of direct physical loss,” subject to the form’s exclusions and limitations.
Liability loss : Any loss that a person or an organization sustains as a result of a claim or suit against that person or organization by someone seeking damages or some other remedy permitted by law.
Legal liability : The legally enforceable obligation of a person or an organization to pay a sum of money (called damages) to another person or organization.
Civil law : A classification of law that applies to legal matters not governed by criminal law and that protects rights and provides remedies for breaches of duties owed to others.
Criminal law : The branch of the law that imposes penalties for wrongs against society.
Tort : A wrongful act or an omission, other than a crime or a breach of contract, that invades a legally protected right.
Intentional tort : A tort committed by a person who foresees (or should be able to foresee) that his or her act will harm another person.
Strict liability (absolute liability) : Liability imposed by a court or by a statute in the absence of fault when harm results from activities or conditions that are extremely dangerous, unnatural, ultrahazardous, extraordinary, abnormal, or inappropriate.
Contract : A legally enforceable agreement between two or more parties in which each party makes some promise to the other.
Contractual liability : Liability assumed through a hold-harmless agreement.
Statute : A written law passed by a legislative body at either the federal or state level.
Personal and advertising injury : Injury that is covered by Coverage B of the CGL and includes injury resulting from numerous offenses, such as false detention, malicious prosecution, wrongful eviction, slander, libel, use of another’s advertising idea, and copyright infringement.
Sublimit : A policy provision that imposes smaller limits for certain kinds of property or lines of insurance.
Claims-made coverage form : A coverage form that provides coverage for bodily injury or property damage that is claimed during the policy period.
Claims-made policy : A liability insurance policy that covers claims made during the policy period or any extended reporting period.
Difference in conditions (DIC) policy, or DIC insurance : Policy that covers on an “all-risks” basis to fill gaps in the insured’s commercial property coverage, especially gaps in flood and earthquake coverage.
Primary layer : The first level of insurance coverage above any deductible.
Excess liability policy : A policy that covers liability claims in excess of the limits of an underlying policy or a stated retention amount.
Self-insured retention (SIR) : A dollar amount specified in an insurance policy that the insured must pay before the insurer will make any payment for a claim.