Aon Risk Solutions
Why are Standard Insurance Policies Not Enough?
While existing insurance forms can provide a limited amount of
cyber coverage, they are not intended to manage, cover and
respond to data breaches. Typical forms respond as follows:
Commercial general liability (CGL)
Covers third-party losses for bodily injury and tangible property
damage that arise out of the insured’s premises, operations or
products, but generally contains a cyber or data exclusion which
precludes the policy from responding in the event of an
unauthorized disclosure of personally identifiable information (PII) or
confidential third-party information. Moreover, it provides no
first-party coverage to the insured for mitigating losses from the
breach while satisfying legal requirements (i.e. notification of
affected individuals).
Professional services liability or errors and omissions (E&O)
Covers third-party losses resulting from errors, omissions or
negligent actions committed in the course of providing
professional services, as defined in the policy. This professional
services coverage typically does not extend to claims arising from
privacy- and cyber-related breaches. However, some professions
have a professional obligation to clients that involves safeguarding
clients’ personal or confidential information (e.g. lawyers). In these
narrow circumstances, the policy could respond to third-party
claims alleging that the insured failed to uphold their professional
obligation to keep information confidential as a result of a data
breach. Finally, as with CGL insurance, no first-party coverage is
provided to the insured.
Directors’ and officers’ liability (D&O)
Covers corporations and their executives where they are faced with
third-party management liability claims. The bodily injury/property
damage exclusion (BIPD) contained in most D&O policies can be
problematic where it precludes coverage for claims arising out of an
“invasion of privacy”; this is often a key allegation in
cyber-breach-related litigation. A public company may have coverage where a
cyber breach results in a shareholder lawsuit; however, no coverage
would likely be available in situations where the company is sued by
individuals seeking damages because they were affected by a
breach. In addition, most policies do not provide coverage for
first-party costs to address the fallout from a data breach.
Property
Covers the insured for tangible property loss or bodily injury
triggered by a physical peril, such as a fire or flood. Data does not
qualify as tangible property in most policies, and the majority of
forms contain a data or cyber exclusion that precludes coverage
altogether for cyber or privacy breach losses. In addition, the
first-party coverage available under the policy will not cover many of
the expenses incurred to deal with a cyber breach, nor will it cover
costs associated with third-party litigation.
Commercial crime
Covers employers for the theft of money, securities, and other tangible
property by their own employees. As in a property policy, data
typically does not qualify as tangible property. Further, crime
policies require the insured to suffer a direct loss as a precondition to
coverage – the theft of third-party personal or confidential
information is not a direct loss to the insured. The policy will also not
respond to cover third-party claims.