Like nearly all other forms of insurance, standalone cyber policies contain a number of exclusions and coverage limitations, and should not be looked on as a panacea for all possible cyber risks. Organizations therefore need to stay alert to these common limitations as they seek protection against new and developing risks.
As with any type of insurance, the presence and wording of exclusions and other limitations will vary between insurers. This may be particularly true with cyber insurance, which is still a relatively new product and continues to evolve in response to market conditions and risks. Such exclusions and limitations should be appropriate to the specific risks faced by an organization and tailored to the relevant industry.
A number of the most common and significant exclusions and limitations in a cyber insurance policy are set out below, along with things to consider if they appear in your policy.
Retroactive date
Cyber policies commonly include a retroactive date, the intended effect of which is that insurers have no liability for any acts, incidents or circumstances that were committed, occurred or arose prior to a certain date. For new insurance placements, the retroactive date may be the date of inception of the policy. The consequence of a retroactive date would be that if a cyber attack or cyber event occurring before the retroactive date only comes to light some time after that date, then the organization would still not be covered.
An organization should be aware of the impact of a retroactive date and be very clear as to what might be a suitable date. Note that this date can differ between layers of insurance: larger organizations in particular may have “primary” and “excess” layer covers, and the dates may diverge especially where an organization adds excess cover to an existing tower of insurance.
War or terrorism
Any loss resulting from war or terrorism will generally be excluded, regardless of any other cause or event contributing to the loss, although many cyber insurers will include an exception for cyber terrorism.
An organization may potentially be able to cover this gap by taking out separate political violence cover. If a clear need arises, an insured might also seek specific cover for cyber warfare, cyber terrorism, or cyber extortion, among other things.
An interesting question arises when considering whether a cyber attack from a foreign power or entity falls within a generic war exclusion. An organization should review the wording of the exclusion carefully and seek clarity as to whether insurers intend to rely on such an exclusion if a cyber attack is committed by a foreign nation or hostile organization.
Some policies will specify that this general exclusion does not apply to acts perpetrated electronically.
Bodily injury and property damage
Bodily injury is often excluded, as is loss of or damage to hardware or any physical property. This is generally because such losses may be covered by other insurance policies, such as property or liability policies.
All organizations should review their cyber insurance policies and in particular the exclusions within those policies, to ensure that the wording is precise and that there are no gaps in the coverage afforded by those policies or other policies that the organization might hold. For some organizations, however, cyber insurers may be willing to extend cover to include bodily injury or physical property damage arising from a cyber incident. Companies that face real risks of bodily injury or physical property damage due to a cyber incident, such as energy suppliers, manufacturers or industrial businesses, may seek to negotiate exceptions to bodily injury and property damage exclusions to ensure that they have uninterrupted coverage for injuries and damage caused by non-physical events.
Additionally, some cyber insurers may offer “bricking” cover that pays the cost of replacing hardware that, while not damaged physically, is effectively damaged due to corruption or damage to its software or firmware. In many cases, “bricked” hardware may be unfixable or the cost to repair its software or firmware may be substantially more than the cost of simply replacing the hardware.
Critical national infrastructure
The failure of critical national infrastructure will commonly be excluded from cyber cover. This includes:
- Failure of a satellite
- Electrical or mechanical failures or interruptions, including electrical disturbances, spikes, brownouts or blackouts
- Outage to gas, water, telephone, cable, telecommunications or other infrastructure
If, however, certain infrastructure is under the operational control of the insured organization, such as a computer system or back-up power generators, then the insured should seek to ensure that the policy wording clearly affords cover for such infrastructure.
An outage (or equivalent) affecting relevant third-party entities, such as IT service providers, can also be covered in certain circumstances.
Any organization should therefore seek to limit the scope of such exclusions to independent critical infrastructure outside its own control.
Failure to maintain security measures
An organization may be obliged, under the terms of the policy, to maintain appropriate procedures and controls to protect against cyber attacks. Most importantly, when the cover is being presented, insurers are likely to require the policyholder to provide substantial detail (sometimes with hundreds of questions to be answered) in the proposal form about security measures that it has in place.
Furthermore, there may be an exclusion in the policy documentation, allowing the insurer to deny a claim in circumstances where the organization has not in practice maintained the approved level of security protection throughout the policy period. The scope of this exclusion can vary widely from policy to policy, so an organization would be wise to read the proposed wording very carefully. Any ambiguities should be removed, to the extent possible, to ensure that clear standards are set out that can be readily measured and met. The organization should also be aware of whether the standards to be maintained are specified by the insurer or are just a general reference to industry standards.
Organizations often seek professionals to help them with the complex application process, clarify policy provisions and explain how the business can stay compliant and meet the minimum requirements.
Jurisdiction
The nature of a cyber event means that the event and the losses can cross borders. An insured is always advised to be very clear as to which countries or territories the policy is intended to cover. For example, a cyber policy taken out in the UK might specifically exclude losses suffered in the United States. Equally, a cyber policy may restrict its coverage territory to only the United States and its territories.
If required, an organization should negotiate the territorial coverage such that its cyber policy responds, even if the event arguably occurs outside the countries in which it operates.