Traditional Policies
Insureds have had limited success in finding coverage under existing CGL policies. Such policies often include broad exclusions for typical losses related to cybercrime. For example, CGL policies may specify that “electronic data is not tangible property,” thereby excluding damage to electronic data. Policies may also include specific exclusions for losses related to “data breaches.”
Other traditional policies, such as D&O, commercial crime, or property policies, also present coverage issues for insureds. For example, cyber criminals typically target the company as an entity, not individual employees, so D&O policies generally do not provide coverage. These policies may also include broad exclusions similar to those that have become more common in CGL policies.
Cyberliability Policies
The insurance industry has not developed a standard cyberliability policy. As a result, the policies come in many different forms and can be very confusing. Here are some common features:
- Policies may include several different grants of coverage, often with separate sublimits. For example, there may be separate sublimits for data losses, privacy notifications, reputational damage, cyber extortion, and so on. Sublimits effectively operate as exclusions from the overall policy limit.
- They are typically “claims-made” policies, and often include retroactive dates.
- They often include vastly different limits for first-party losses (e.g. investigation costs or legal defense costs) versus third-party losses (e.g. credit damage).
- The carrier may propose an “add-on” to an existing policy rather than a separate policy. Add-ons can increase complexity and the potential for confusion.
Because the policies represent a relatively new product, coverage experts have noted that brokers often do not fully understand the coverage. Buyers should be careful to read every line of the proposed policy and should not rely on their broker’s interpretation.