March 6, 2014
The diversity of judicial opinion discussed in my recent posts on insurance coverage for cyber attacks, and the introduction of new exclusionary language designed preclude coverage in future cases, suggests that policyholders are well-advised to look beyond traditional liability and property insurance policies for coverage of costs associated with cyber attacks. Insurers are now offering speciality coverages specifically tailored to cover cyber risks. Occasionally, coverage for such risk is available as a special rider to traditional coverages. See Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (coverage under computer fraud rider to blanket crime policy for costs associated with data breach).
More often, carriers are offering protection against cyber risks under new policies that cover only cyber risks. ACE, AIG, AXIS, Chartis, Chubb, CNA, Hartford, Travelers, and others are offering cyber coverage under a variety of names, including Security and Privacy Protection Policy, Cyber Security Liability Policy, CyberChoice, and netAdvantage. The language of these policies is far from standard, and negotiated manuscript language is common, but most insurers are offering both liability and first-party property coverages.
To date, there is no reported case law interpreting these speciality cyber policies. A likely area of contention will be the applicability of exclusions based on shortcomings in the insured’s security measures.