What Are Common Exclusions On a Cyber Liability Policy?
Claims that should be covered by other insurance, such as:
• Bodily injury/property damage (BI/PD): should be covered by GL, property, workers comp, or employers liability.
• Products liability: should be covered by GL or a dedicated products liability policy.
• Securities violations: should be covered by a D&O policy.
• Pollution: should be covered by a pollution liability or environmental impairment liability policy.
• Employee benefits and ERISA violations: should be covered by a fiduciary liability policy.
• Professional services: should be covered by an E&O policy.
• Contracts: contracts that aren’t listed as an “insured contract” should likely be covered by an E&O policy.
• Harassment, discrimination, workplace torts: should be covered by an EPLI policy.
Bodily injury and property damage
Coverage for these types of losses is usually isolated to policies like general liability (GL) or workers comp. Wherever possible, the preamble to this exclusion should be amended to “for” (rather than “arising out of, based upon, attributable to, etc…”). There are exceptions to this exclusion. It can be carved back to provide for coverage for damage to hardware and peripherals that results from a covered cyber attack. It can also be carved back to cover certain contingent bodily injury claims like mental anguish. Here, too, the mental anguish would have to result from a covered cyber attack, hence the word “contingent.”
Contract exclusion
A cyber policy is not meant to be an E&O or GL policy so most claims alleging breach of contract will be denied. That’s not to say that all contracts are excluded. Carvebacks to this exclusion include coverage for alleged breaches of confidentiality/security, PCI compliance in merchant service agreements and certain intellectual property provisions in the insured’s contracts with third parties.
Intellectual property exclusion
Just like with the first two, this exclusion has exceptions. Most cyber policies include some sort of content liability coverage, so claims alleging copyright infringement related to that content are often covered. The policy will never cover patents. Coverage for other types of IP will vary depending on the carrier. Software copyrights are often excluded, but some carriers are willing to offer coverage for these claims by adding it as a carveback to the IP exclusion.
Intentional acts and fraudulent/dishonest acts
The mantra you may have heard is “insurance never covers intentional acts.” But this is insurance, after all, so naturally there are exceptions.
Some carriers will provide coverage if a data breach is caused by the intentional, bad acts of an insured person such as an employee. This is often referred to as “rogue employee coverage” and it is an important one to argue for if the carrier is not offering it. Certain carriers will cover the acts of rogue employees but will also restrict coverage, stating that if a specific group of people (e.g. the CEO, CFO and risk manager) knew about the act, then the policy instead won’t cover any insured at all. This is preferable to rogue employee coverage not being provided at all but there is room for improvement.
Similar to the fraud/dishonesty “conduct” exclusions, this exclusion should state that coverage will only be denied after a “final, non-appealable adjudication in the underlying action.” If the carrier is also willing to ease the imputation requirements (that is, to state that “no act of any insured will be imputed to any other insured”), so much the better.
Core internet infrastructure / telecommunications failure
This is the “war” exclusion of the cyber insurance world, meaning that there are certain risks that are too large and unpredictable for an insurer to assume from you. (Not to say the war exclusion isn’t in there, too. It is.)
It excludes coverage for failures in the infrastructure of the internet. The rationale is that the cyber policy is designed to protect against isolated incidents and not regional internet outages. If the internet in the northeastern US shut down for a number of days and insurance carriers offered coverage for that business interruption, losses would be comparable with a natural disaster. In an effort to reduce the number of pathways a hacker has to put our financial system in gridlock, carriers have agreed to not cover these types of claims in standard cyber insurance policies. Incidents such as a failure of a DNS root server (e.g. Dyn in 2016) should ideally be covered but are often excluded. There’s variability among carriers regarding what’s included in the “core internet infrastructure.”
Unlawful collection, web scraping, unsolicited communication
Many policies simply say they won’t cover criminal acts and others drill down into the specifics. Unlawful collection of data is often excluded. This can be problematic for many data-driven tech companies who are worried about such allegations, whether based in fact or unfounded. Web scraping is often called out by name as an excluded activity. Similarly excluded are any violations of the Telephone Consumer Protection Act and CAN-SPAM.
Theft of funds
While legal liability related to a system intrusion would be covered by the policy, as would first-party expenses such as breach notification costs, reimbursement of any money, securities, etc. that were stolen is a no-go. That is the domain of crime insurance. Some carriers are willing to expand coverage, however, segueing us nicely into