Alarms over “silent cyber” have been loud and frequent in the past year or two, so it is no surprise to finally see a few new filings of broad cyber exclusions. At this point, the flow is still a trickle and will likely remain so while attention is diverted to more pressing COVID-19 issues. However, the wordings leave no doubt of the insurers’ intent to keep cyber exposures out of general insurance policies.

Some new cyber exclusions are labeled “absolute” yet those with shorter labels are just as comprehensive in cataloging unwanted cyber exposures. By any name, the message is the same. And, based on a recent court decision, the filings are worth the cost and effort.

Silent Cyber Coverage Ruling

This claim involved a custom printer in Maryland with an estimated 50 employees and under $5 million revenue, with an apparent pre-2000 ISO Businessowners policy (BOP) Special Form Computer Coverage Endorsement or like wording, and no separate cyber insurance protection.¹ After a ransomware attack, the printer paid the ransom but later discovered that the virus damaged software, slowed its computer system and left remnants that could cause future damage. The printer filed a BOP claim for the cost to replace the entire computer system, hardware and software. The insurer denied coverage because the system still functioned and was not physically damaged.

The lower federal court took little time finding coverage in the BOP policy.² First, the court found many places in the policy where data and software were considered covered property. Second, the loss of functionality was physical damage to the computer system itself. The court followed past rulings holding that loss of use and impaired functionality demonstrate physical loss or damage to property. The bottom line is that the BOP insurer must pay certain losses from a cyber attack. We do not know how the court would have ruled had there been no Special Form Computer Coverage Endorsement, or if more current ISO BOP forms or wording had been used, as there are several wording changes that relate to cyber exposures in the updated forms.

The decision highlights how courts might find elements of cyber coverage in a non-cyber policy and gives one more reason for insurers to address the potential for “silent cyber” in their products.

New Exclusions in the Market

The latest filings involve no more than a dozen carriers and a wide variety of policies, including BOP/GL, Property, Umbrella, Professional Liability, EPLI and D&O. The wording is, of course, tailored for the type of policy but with the same goal in mind - to exclude cyber coverage from their non-cyber policies. Yet, all are helpful for considering and drafting cyber exclusions.

We highlight just a few of the provisions in these exclusions that caught our eye:³

• Title of the Exclusion – The London Market released IUA 09-081, called the “Cyber Loss Absolute Exclusion Clause” and a few U.S. carriers have also added “absolute” to the heading.⁴ Courts are not usually swayed by the label, but it does set clear expectations for agents, brokers and insureds.
• Data Breach vs. Cyber Attacks – Most carriers have merged data breach and cyber attack into one exclusion, while one or two have left existing data breach exclusions in place. Those taking the single solution approach have used the opportunity to expand on the data privacy aspects of the breach language.
• Cyber Policy Coverages – We noticed a couple of insurers listing excluded losses in a way that mirrored the coverages in their Cyber products. That certainly reduces the risk of duplicate coverage. However, if a type of loss is not listed in the Cyber policy, the exclusion might miss any silent cyber exposure in the general policy. Therefore, a broader exclusion than the coverage provided in the company’s Cyber products may be considered.
• Loss of Computer System Functionality – Since we discussed this issue above in the printer’s claim, we note that most but not all exclusions specifically mention loss or impairment of computer functionality.
• Privacy Laws – With growing state attention to data collection practices, it was interesting to see some exclusions apply to the violation of privacy laws. Will this include California’s CCPA, for example? Some wordings tie the privacy claim to a cyber attack or data breach.

What’s Next for Silent Cyber?

It will be some time before insurers learn if these exclusions will hold up when challenged in litigation. The unique facts of the loss and words in the policy will influence the outcome. Even the ISO data breach exclusions introduced in 2013 have not yet been interpreted by U.S. courts.

We expect to see more cyber exclusions filed in the coming years, by insurers and bureaus, particularly if more courts like the one in Maryland discussed above find coverage in non-cyber policies. For now, COVID-19 issues are using up insurer bandwidth. In the meantime, we will keep tracking filings and court decisions. If you would like to see a few exclusions or discuss the issues, don’t remain silent. Give us a call.

Endnotes

1. Owler.com/company/nationalinkandstitch. We do not know the edition of the base BOP form, as it is not mentioned in the opinion. The fact that the court never discusses “electronic data” language that appears in more current forms leads us to believe that the BOP form edition precedes 2000, like the computer coverage endorsement.
2. National Ink and Stitch, LLC v. State Auto Property and Casualty Ins. Co., No. SAG-18-2138 (D.C. MD 2020). We understand from online articles that the parties settled the dispute without an appeal.
3. All filings were accessible on the SNL filings database ratefilings.com; several search terms were used to identify relevant material.
4. For a copy of the clause and commentary, go to https://www.iuaclauses.co.uk.