It should come as no surprise that the number and severity of data breaches have been on the rise in recent years. While standalone cyber policies specifically tailored for exposures related to data breaches and the disclosure of confidential and personal information through electronic means exist and the number of insurers offering such policies is growing, many companies still rely on standard ISO Commercial General Liability (CGL) policies to cover these cyber risks.
This will likely change in the near future as the Insurance Services Office, which establishes proposed guidelines for insurance terms and pricing in the insurance industry, recently introduced several endorsements excluding from coverage claims arising from the disclosure of personal or confidential information, risks that are typically the focus of standalone cyber policies. For example, CG 21 06 05 14 – Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability excludes from coverage, under Coverages A and B of the CGL form, claims arising from any access to or disclosure of any person's or organization's confidential or personal information (i.e. patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information).
Traditionally, companies sought coverage for many data breaches under the "Personal and Advertising Injury Liability" coverage section (Coverage B) of the standard CGL form, which provides that insurers "will pay those sums that the insured becomes legally obligated to pay as damages because of 'personal and advertising injury.'" "Personal and advertising injury" is defined to include oral or written publications, in any manner, that violate a person's right to privacy. The "Bodily Injury and Property Damage" provisions of the CGL form (Coverage A) also provide a measure of coverage for damages because of "bodily injury" that "occurs during the policy period."
ISO's recent endorsements seeking to restrict coverage for data breaches and cyber risks under CGL policies allow careful observers to "read the tea leaves" of where the primary source of coverage for data breach risks is heading: standalone cyber policies. While it is too early to tell how many insurers have incorporated ISO's endorsements into their CGL forms, there is an industry push to transfer cyber risks from the domain of general liability coverage to specifically tailored cyber coverage. As with employment practices liability coverage and other forms of specialized insurance risks that have largely been encompassed in standalone policies, as the occurrence of cyber risks and data breaches continues to increase and as standalone cyber policies become more common (and profitable), the industry will likely seek to exclude such coverage from the broad protections afforded by the CGL form. Prudent companies will start to examine their need for a standalone cyber insurance policy before that day arrives.