Cyber Insurance:  Why Your Clients Should Consider It

Michael D. Oliver, Esq. 

You would have to be living under a rock to not have read or heard about the number of electronic computer attacks in the last year.  Whether motivated by boredom, curiosity, challenge, or something more insidious, the average cracker/hacker can clearly cause substantial damage to a business.  In addition to direct attacks, many businesses have moved their primary advertising to the web, and may not realize that their standard Comprehensive General Liability Policy (CGL) does not cover certain acts done electronically on the web.

Among the arsenal of actions a business can take to mitigate these new risks is a relatively new insurance product, cyberinsurance.  A number of reputable insurance companies are now offering special endorsements or separate products covering losses caused by such things as viruses, computer fraud, DOS (denial of service) attacks, and liability from online commerce or from providing computer services or products.

Risks:  Probably the biggest risk run by the average business is 'business interruption' - i.e. the inability of the business to operate as a result of an electronic attack.  For businesses that have shifted their entire operations to electronic means, this is a significant risk.  Imagine for a moment if Amazon.com could not operate for a day?  For many of the newer types of businesses whose products are solely delivered electronically (information retrieval services, forms generation, online content delivery) there is no way to even service a customer except via the Internet.  For other businesses that have shifted to e-commerce for only part of their operations, but can still function in the old phone/fax method in the event of a loss of connectivity, the risk is much reduced.

What many people do not realize is that standard business interruption insurance or addenda on a CGL policy probably do not cover business interruption caused by Internet connectivity loss.

Another type of loss that is often not covered under standard CGL policies is loss resulting from fraud that occurs over the Internet or via electronic means.  This is particularly acute in financial transactions, where the business stores credit card data in a database.  For example, now that UETA and ESIGN are effective, electronic signatures are accepted for many types of transactions.  These signatures are valid, or appear to be so, with almost no electronic authentication (neither act required digital signatures - a form of authenticated signature).  Many standard policies will not cover losses resulting from reliance on electronic signatures.

Another type of new liability nearly every business faces is liability for breach of privacy rights.  While many of the insurance companies do not have policies that cover risks from government action in this area, a violation of privacy, particularly made electronically (such as sending an email to a list and displaying the email addresses of all other list members) might also give rise to liability for the tort of invasion of privacy.  Putting aside for the moment the difficulty of proving damages in such cases, just the fact a suit is brought will cause significant attorneys' fees and negative publicity.

Insurers:  AIG offers a ProTech policy that is modular, meaning that you can plug in a number of coverages depending on your client's business risk (and how much you have in the insurance budget).  One example is the technology errors and omissions module, which covers errors and omissions for technology development companies, VARs, integrators and independent service organizations.  Chubb also offers a comprehensive Intellectual Property and Communications liability policy that covers many of the types of computer risks a company faces.  Other companies offer similar products.  These policies however almost universally exclude patent infringement.

Costs:  This area of the law is developing, and therefore the insurers have probably priced their products higher than they should be because they are not sure of the risks and potential liabilities.  Therefore, a business should assess the likelihood of liability, the amount or range of probable damages (or losses), and then determine the "self insurance" cost/risk v. the cost of coverage under the policy.

Tails:  Most of these policies are on a claims-made basis.  This means that if a claim is not made during a policy period, the insurance does not apply.  This can become an issue when selling a business if the Purchaser will not negotiate to continue coverage, as there will be an additional fee to provide a tail to the policy to cover any occurrence during the policy period.

Alternatives:  Insurance is not a solution; it is a mitigation device.  All businesses engaged in electronic commerce should: (A) have a good set of contractual documents with limitations of liability and exclusions for consequential damages; (B) have a full technology assessment of their systems and shore up any areas where they are deficient, such as in firewall management and intrusion detection systems; (C) engage in active monitoring of the electronic systems for evidence of tampering or misuse (or outsource this feature); and (D) maintain a comprehensive password and locking system to ensure that, if an attack does occur, the compromised systems are minimized.

Non-covered items:  Most of the special endorsements or policies described above do not cover certain types of liability, such as liability arising from terrorism or terrorist acts, or liability of certain providers in the event of a disaster, such as flooding, or severe weather causing power outages.

Wrap up:  It is critical, in assessing whether to purchase cyberinsurance, that your client use an insurance agent who is familiar with technology, both from the policy-language aspect and from the business aspect.  Many of the cyberinsurance policies are very technical in their terminology, and may not cover what is expected.  A company should meet with an insurance representative who is familiar with these issues for a business and cyber risk assessment, and then determine the scope of protection for a quote; see http://www.moodyinsurance.com/techhome.shtml.  Finally, the business should have the policy reviewed by an experienced attorney who can determine, in conjunction with the insurance agent, whether the policy actually will cover what the business expects that it will cover.  While this upfront process may be tedious and possibly expensive, the benefit will be better protection and peace of mind for that unexpected loss.

Michael D. Oliver, Esq., is a Member of Bowie & Jensen, LLC.

