Cyber-Risk Insurance - New Appleman on Insurance Law Library Edition, Chapter 29

Cyber-Risk Insurance - New Appleman on Insurance Law Library Edition, Chapter 29

By Bert Wells, Rukesh Korde, Pamela Carter, Franciska Coleman

This chapter identifies and discusses many key issues affecting insurance coverage for losses that arise in the context of e-commerce and other business and operations conducted by means of information technology, termed "cyber-commerce" in this chapter.  This chapter begins in Section 29.01[1] with a definition of cyber-commerce and cyber-risk insurance, and continues in Section 29.01[2] with an overview of some of the principal risks faced by those conducting cyber-commerce. 

Regarding first-party losses, as Section 29.01[2][a] explains, the chief risks are loss of electronic data and software; loss of use of hardware; business interruption arising from such losses and other causes; data privacy breaches, most typically involving some kind of disclosure of personally identifiable information of customers; and cybercrime, including hacking, extortion and sabotage, which may be carried out by malware, phishing, spoofing, logic bombs and denial of service attacks, among other techniques.  Section 29.01[2][b] sets forth some of the principal risks of third-party claims connected with cyber-commerce, including liability for loss of a third party's data, software, hardware or use of the same; privacy injury to third parties; advertising injury; intellectual property infringement; and alleged violation of the Computer Fraud and Abuse Act.

Section 29.01[3] surveys the lines of insurance potentially applicable to cyber-related claims, such as first-party commercial property and business interruption policies; third-party commercial general liability and errors and omissions policies; and specialized cyber-risk policies, which typically provide both some first-party and third-party coverages.  Section 29.01 ends with a discussion in Section 29.01[4] of some key considerations relevant to businesses seeking to obtain insurance for their cyber-related risks, including representations and warranties required of the policy applicant, as well as the centrality of policy definitions, exclusions, limits, the duty to defend and policy endorsements. 

Section 29.02 discusses a coverage issue that cuts across both first-party and third-party policies: whether standard form policies provide coverage for losses arising from data corruption or deletion (such as the deletion of an important program or database as the result of a computer virus) and whether such policies cover the resultant loss of use of computer hardware.  As set forth in Section 29.02[2], several courts have held that loss of data or software standing alone cannot be covered property damage because, in the view of such courts, information represented electronically does not constitute "tangible property" nor can it be subject to "physical" injury, as such courts held the policy language requires.  However, as detailed in Section 29.02[3], several courts have taken the opposite view, based either on a differing analysis of scientific descriptions of the representation of data and software in modern information technology, or through a different analysis of the "loss of use" provision of standard insurance policy definitions of "property damage," or based on the self-evident disruption caused by loss of data or software. 

Section 29.02 concludes with a discussion in Section 29.02[4] of the impaired property exclusion, which some courts have used to exclude coverage under the "loss of use" clause in "property damage" definitions, reasoning that the loss of use of hardware or software alleged in the underlying claim can be attributed to an impaired or defective product of the policyholder.  However, as further explained in that section, both the Fourth Circuit and Eighth Circuit Courts of Appeals have taken issue with some applications of the impaired property exclusion, and in particular have found that insurers have a high burden of proof to demonstrate a required element of the exclusion: that mere removal of a policyholder's product would, in fact, cure the loss of use alleged by the third party. 

Section 29.03 provides an exposition of coverage issues that are of particular relevance to first-party policies.  It first sets forth, in Section 29.03[1], overarching points regarding standard-form commercial property and business interruption policies, noting that the exclusions in such policies affecting cyber-risk coverage may be substantial hurdles for insureds to overcome.  Section 29.03[2] explains the principal features of cyber-risk policies in the first-party coverage context.  Finally, Section 29.03[3] turns to the problem of applying first-party policies to losses arising from software that, for whatever reason, may not be fully adapted to the future needs of the policyholder.  A prototypical example was the widespread need of businesses to remediate their software to become "Y2K-compliant" in advance of the year 2000.  A number of courts have rejected arguments that such costs are recoverable under first-party policies.

The topic of third-party insurance for cyber-risks and the coverage issues particularly raised by such insurance is the subject of Section 29.04.  That discussion begins in Section 29.04[1], which among other things surveys the limitations of current standard-form commercial general liability policies, and describes the principal components of the third-party coverage provided by cyber-risk policies.  The combination of multiple insuring clauses and large numbers of exclusions in such policies can produce cyber-risk coverage limited to narrow silos of risk transfer.  Section 29.04[1] observes that some policyholders may be better served by incorporation of cyber-risk coverage in their existing property and liability programs by endorsement rather than procurement of stand-alone cyber-risk policies.  The potential advantages of the former approach may include an increased amount of coverage available (i.e., total policy limits), greater consistency of coverage provisions in excess layers with the terms of the primary layer, enhanced simplicity of administration and reduced expense.  Section 29.04[2] gives an account of coverage for third-party claims arising from loss of data and loss of use of software or hardware, but with respect to errors and omissions policies and cyber-risk policies (coverage for such claims under commercial general liability policies having already been treated in Section 29.02).

Section 29.04[3] then takes up the issue of coverage for third-party claims arising from data security breaches and privacy violations.  A touchstone issue for such coverage under commercial general liability policies is whether the required element of "oral or written publication, in any manner" is interpreted to include mere unauthorized access by one individual, or instead requires use or further dissemination of the confidential data.  Coverage for third-party claims arising from injuries in connection with online advertising and claims of infringement of intellectual property rights are the subjects of Section 29.04[4].  This is followed by Section 29.04[5], which provides an account of the treatment of various types of exclusions for intentional acts, explaining the role of the distinction between the policyholder intending the act and intending any harm that may flow from the act.

This chapter then turns to a discussion of certain emerging issues in the law of recovery of cyber-related claims.  It provides an explanation in Section 29.05[1] as to why the warlike acts exclusion and similar exclusions are unlikely to exclude coverage of losses arising from suspected or actual state-sponsored cyber-attacks.  Cases interpreting similar policy terms such as "warlike operations," "acts of terrorism," "civil commotion" and the like typically require violence and other predicate acts that appear unlikely to be associated with state-sponsored cyber-attacks.  The chapter concludes in Section 29.05[2] with a discussion of unexplained losses, to which cyber-related operations are particularly susceptible, and the types of coverage that may be available for such losses.

Cross References: For practice guidance with respect to cyber insurance coverage issues, see New Appleman Insurance Law Practice Guide Chapter 45.

Access New Appleman on Insurance Law Library Edition on

Access The Store to learn more about the New Appleman on Insurance Law Library

Obtain a FREE DOWNLOAD of New Appleman on Insurance Law Library Edition, Ch. 29, Cyber-Risk Insurance, Table of Contents

            * Bert Wells is a partner in the New York office of Covington & Burling LLP whose practice focuses on advising policyholders about insurance coverage matters and representing them in insurance coverage disputes.  He represents policyholder clients on matters relating to numerous types of property and casualty insurance, including directors and officers, errors and omissions, fiduciary, general liability, property, e-commerce, mortgage guaranty and fidelity insurance, and regarding coverage claims and disputes arising from mass torts, environmental liabilities, class actions, merger and acquisition activity and many other commercial matters.  He is a graduate of the Yale Law School, Oxford University and the California Institute of Technology.

            Rukesh Korde is an attorney at Covington & Burling LLP whose practice over the last decade has focused on the litigation of complex insurance coverage cases.  He has represented a variety of Fortune 500 and others in coverage lawsuits seeking insurance for first- and third-party liabilities as well as cases seeking recovery for insurance bad faith.  He has also provided advice to businesses across the country on business interruption and property insurance claims, including advice about insurance for the September 11 terrorist attacks and the Fall 2008 economic crisis.  Mr. Korde is a graduate of the University of Pennsylvania Law School, the University of Pennsylvania and Columbia University.

            Pamela Carter is a litigation associate in the New York office of Covington & Burling LLP, and has been involved in several insurance coverage cases on behalf of policyholders.  She received her law degree from the Yale Law School, where she was an Editor-in-Chief of the Yale Journal on Regulation and a Senior Editor of the Yale Law Journal.  She served as a law clerk for the Honorable Ralph K. Winter on the United States Court of Appeals for the Second Circuit.

            Franciska Coleman is a litigation associate in the Washington, D.C. office of Covington & Burling LLP whose practice is concentrated in insurance litigation on behalf of policyholders.  She has represented clients in a variety of environmental and asbestos related coverage disputes, as well as in first-party property disputes. She received her law degree from the Harvard Law School and is currently a PhD Candidate at the University of Pennsylvania. 

For more information about LexisNexis products and solutions connect with us through our corporate site.