ADJUSTERSINTERNATIONAL.COM • (800) 382-2468 • INFO@ADJUSTERSINTERNATIONAL.COM

traditional property and liability policies.

To illustrate, consider the well-established distinction between auto risk and other risks faced by a household or commercial enterprise. Driving vehicles on public roads poses distinctly different activities and hazards from those encountered at properties. Therefore, road vehicles are among the types of property not covered under standard homeowners and commercial property policies. Similarly, homeowners and commercial liability policies exclude coverage for bodily injury or property damage arising from the ownership or use of autos. Vehicles are insured separately under auto policies written and rated for the hazards of the road.†

Property/casualty insurers are seeking to establish a similar distinction between cyber risk and other types of risk. There are, indeed, several parallels between cyber risk and auto risk:

• Both cyber and auto risk arise from activities that, at least at one time, were distinct from other insured activities. It is still not uncommon for organizations to outsource all or most of their transit and systems operations.
• The principal causes of auto and cyber loss are distinctly different from those of property and liability losses, and the methods for controlling those losses are also different.
• The principal risk factors driving auto and cyber losses — driver quality and systems management — are shared across sectors and less dependent on specific hazards at an insured location.

Simply put, there are risks associated with what you do and where you do it. Then there are risks associated with the vehicles and automation you use to do it — which may or may not be your own.

Under this logic, computer data and network functionality are distinct forms of intangible property that exist separately from tangible property - even from the computer hardware on which they reside.
These “digital assets” are typically limited to data, software, functionality, and related intellectual property rights, as well as potential damage to one’s reputation, financial loss, and legal liability resulting from the failure to safeguard sensitive information.‡

ISO’s approach

The Insurance Services Office (ISO) is the United States’ leading property/casualty advisory organization. In 2019, ISO introduced general liability endorsements that exclude coverage for bodily injury, property damage, and personal and advertising injury arising from:

(1) “Access to or disclosure of any person’s or organization’s confidential or personal information.”
(2) “Loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

There are three versions of the exclusion in ISO general liability programs:

• One with an exception preserving coverage for bodily injury claims.
• One applying the exclusion to personal and advertising injury claims only.
• A total exclusion with no exception for any type of claim.

ISO later developed “cyber incident” exclusions in its commercial property programs. These endorsements exclude coverage for first-party losses arising from:

(1) “Unauthorized access to or use of any computer system,” “a virus or other malicious or harmful code.”
(2) “A denial-of-service attack that disrupts, prevents, or restricts access to or use of any computer system.”

There are two basic versions of the cyber-incident property exclusion. Both include an exception preserving coverage under basic policy limits for damage due to fire and explosion resulting from a cyber incident. One of them provides an additional exception under separate scheduled limits for ensuing damage due to other covered perils.
(Note: The exclusions do not apply to built-in additional coverages for electronic data and interruption of computer operations, or to optional coverage for electronic commerce.)§

ISO also has a program of cyber-insurance forms and loss costs, but plays less of a defining role in cyber-insurance than in other lines. While