Common Cyber Claims Insured Outside Of Cyber Policies
Cyber risk is a broad term, often used to refer to a wide range of computer, and digital/online related claims. Some of these claims have been traditionally insured under typical liability and property policies for years, which gave rise to the term "silent cyber coverage". With cyber insurance now a mature product, many carriers are developing firmer lines in the sand, eliminating any silent cyber within their forms, clearly isolating the risks they insure, however there are still many cyber risks that can be insured both on and off cyber policies. Here are some of the most common "cyber risks" that can be (or in some cases, should be) insured outside of a cyber policy:
Website Accessibility Claims: Once an emerging risk, most companies are now well aware of website accessibility lawsuits. These are claims brought by 3rd parties (usually prospective customers) alleging a company’s website is inaccessible to those with vision or hearing impairment. This surmounts to discriminatory behavior in violation of the Unruh Act or Americans with Disabilities Act. Often aimed at e-commerce companies, these suits are not isolated to large companies either, they are affecting companies of all sizes. It’s also not uncommon for a single company to suffer from multiple suits. Insureds often wrongfully assume coverage for such claims would be afforded by their general liability policy or cyber policy, however, given that general liability policies don’t provide such coverage, and given that most cyber policies contain exclusions for employment acts and discrimination, these claims are often best insured under an appropriate EPLI policy with broad 3rd party discrimination coverage (as previously discussed here).
Breaches of Employee Privacy: When organizations think of protected information, they often think of client/customer data, but it’s important not to overlook employee data. Companies often have a treasure trove of information pertaining to their employees; from social security numbers to dates of birth, to biometric data. When organizations fail to safeguard that information, litigation can ensue. The class action claim against Tesla is one of the most publicized examples but there have also been many smaller suits. These claims can often be covered by a cyber insurance policy assuming the organization’s policy contains sufficient definitions and an appropriate carve-back to any “insured vs insured” exclusion that might be attached, however they can also often be addressed by “employee privacy” endorsements to EPLI policies. Additionally, some insureds may also find coverage for biometric claims under their EPLI policies as well – particularly when the EPLI policy doesn’t contain a biometric claim exclusion.
Media Liability: The growth of online publishing, use of social media and influencers, and emergence of AI, are all contributing to an increased risk of infringement and defamation claims (among others). Most cyber policies today provide broad coverage for media liability claims arising from online activities. In fact, the media liability insuring agreement within cyber policies is so broad that it will often explicitly cover wrongful acts such as improper deep linking, domain infringement, cyber-squatting and other similar unfair competition claims. However, insureds that don’t maintain cyber insurance (and are not considered media or internet companies), may also find coverage for certain claims involving online advertising and publishing under their general liability policy.
Cyber Related Investor Claims and Regulatory Actions. Cyber instigated shareholder suits, derivative actions, and regulatory actions are a very real risk, especially for public companies. Almost all cyber policies contain a securities exclusion which would preclude coverage for any such claims. When inadequate cyber disclosures or cyber related breaches of fiduciary duties give rise to litigation or regulatory enforcement, such claims belong insured under an appropriate D&O policy, which is also why it’s important to ensure that the organization's D&O policy doesn’t contain any problematic cyber exclusions.
Computer Failure/Breakdown: Not all computer failures are the result of a cyber-attack. When electrical surges or other failures affect computer networks and other data processing equipment, the resulting costs to replace the equipment and associated lost income can leave a financial dent. While some cyber policies do include coverage for hardware/system failures, these claims are also often covered by the equipment breakdown coverage contained within property insurance policies.
Computer Fraud and Funds Transfer Fraud: Computer crime can take many forms: direct theft of funds, malicious instructions sent to your bank, or schemes involving impersonation meant to deceive the recipient into wiring funds. Most cyber policies contain very broad computer crime insuring agreements today. In fact, computer fraud, social engineering and invoice manipulation is best insured under a cyber policy today, however in situations where policyholders don’t maintain any cyber insurance, these losses can also be insured under crime policies as well. In the event that you suffer a loss and you lack coverage on your cyber policy, be sure to look at your crime policy (and vice versa).
Cyber-instigated Bodily Injury and Property Damage Claims: Cyber attacks on healthcare facilities, manufacturing plants, and/or construction companies can have devastating effects which can ultimately result in bodily injuries or significant property damages. While these claims were traditionally insured under general liability policies, many carriers are now attaching broad cyber exclusions which preclude such coverage. As a result, these claims have effectively been pushed to cyber insurers, many of whom will now agree to provide coverage for contingent bodily injury and property damage. That said, coverage may still be afforded under general liability policies depending on the specifics of the claim and underlying policy terms.