Exclusions: What Your Cyber Policy Does Not Cover

As the threat of hacking and cyber attacks on the databases of all organizations grows, so has the uptake of cyber insurance policies. But when buying a policy and anticipating a claim, it’s important to know exactly what’s covered.
All insurance policies have exclusions for what’s not covered but, since cyber insurance is new to most companies, you may not know what isn’t covered by them.
This article will look at the most common exclusions of these policies, which –because they are still in their infancy – will vary from insurer to insurer. But for the most part, these are the typical exclusions that cut across all insurance companies.
The International Risk Management Institute in a recent blog post noted that cyber insurance buyers should be aware of the following exclusions:

Bodily injury and property damage – This coverage, standard under a commercial general liability policy, is excluded in cyber insurance as a person cannot be physically injured by having their data exposed when your business’s database is infiltrated.
However, the gray area is if someone whose data has been exposed sues you for a claim of mental anguish or emotional distress, which are often claimed by plaintiffs in data breach lawsuits. Some policies will cover this and others won’t.

Employment-related claims – These are mostly covered by an employment practices liability insurance policy, and are thus excluded from a cyber liability policy. However, if your employees’ personal information was compromised, your policy would likely cover employment-related privacy violations.

War, invasion and insurrection – Most commercial property and liability policies exclude damage resulting from these events, as well as terrorism. But, as the IRMI points out, many cyber attacks could be construed as an act of terrorism.
Talk to us about working with the insurer to include coverage for “electronic terrorism,” so that this area is a little less questionable. “Wording of this kind would preserve coverage for hacking/intrusion-driven losses,” the IRMI wrote recently.

Patent, software and copyright infringement – This is typically covered by intellectual property insurance forms, and not by a cyber policy.
However, some broadly written cyber policies will cover defense costs associated with copyright infringement claims if they are the result of actions by a non-management employee or an outside third party.

Failure to take required security measures – When applying for a cyber policy, the application will include a number of questions regarding the steps you’ve taken to safeguard your data. If an insurer can later show that you failed to implement these security measures, a claim may be denied.
If you have a policy that has this type of exclusion, you need to be vigilant about keeping up your security measures. Not all policies have this exclusion, so if you are in the market for a cyber policy, we may be able to help you find one that doesn’t have it.

Loss of electronic devices – This is sometimes referred to as the “laptop exclusion.” Some insurers exclude coverage for data breaches that were the result of an employee losing a company-issued portable electronic device. A study by the Ponemon Institute in 2015 found that nearly 30% of all data breaches were the result of a laptop or smart phone loss.
The above are the main exclusions that a typical policy will include, but because these policies are relatively new, there is often room for negotiation with the insurance company about them.
Regardless, if you think any of these areas could create a liability for your company, talk to us and we may be able to find a policy that best suits your needs.