You mean I am actually supposed to read this thing?
If you are like most of my clients, the thought of “actually reading” an insurance policy is right up there on your list of things to do like walking bare foot over hot coals or a root canal so I am the one that usually gets stuck reading my client’s policy! Lucky me! To save time when I first read over an insurance policy I start with the Exclusions Section. “All Risk” policies typically cover property for any cause of loss unless a peril is specifically excluded. By scanning the list of exclusions I can easily get a feel for potential gaps in coverage that could affect my client. In the last few years some unfamiliar Exclusions are creeping onto the list.
Insurance carriers won’t insure what they don’t understand.
Among other things, unless an insurance carrier can totally understand and quantify what risk they are assuming by your insurance policy, they don’t want any part of it. That is why common policy exclusions are Nuclear Hazard, Governmental Action, War and Earth Movement (i.e. Earthquakes). In the past few years most policies have added some new excluded perils such as Malicious Code, System Penetration and Denial of Service. In plain language most policies won’t insure your business against a virus, data breach or hacker attack.
Holes, Holes and Bigger Holes!
The gap in coverage i.e. “holes” in the general liability bucket stem in part from how a claim is triggered. General Liability policies state “This insurance applies to ‘Bodily Injury’ and ‘Property Damage’ only if the damage occurs during the policy period.” Actual damage from a hacker may not show up for several years (but the expenses start immediately) and is most likely to span multiple policy terms meaning many cyber claims might not even trigger a claim on a traditional general liability policy. There are also numerous exclusions and endorsements that a carrier can drive a fly a 747 freighter through if they want to side step a claim. Personal & Advertising Injury has exclusions for “material published before the policy period”…like a web site maybe? Forget about recovering if you allow others to access intellectual property of others via your web site and you have a security breach - you are on your own.
Almost all businesses need cyber insurance!
Like employment practices and pollution coverage most general liability and property policies have effectively excluded most if not all potential cyber claims. So the bottom line is if you have a web site you should consider cyber insurance….If you store sensitive data you must have it! There may come a time when carriers are more familiar with Cyber Risk and they will include adequate coverage and definitions on standard business policies but until that time you most likely will need a stand alone cyber policy. Don’t wait until it is too late to have the “cyber” conversation with your insurance professional.