Summary:
ISO has introduced proposed filings which will add two mandatory cyber incident exclusion endorsements and in addition will amend the spoilage coverage endorsement so that the provisions of either of the two cyber exclusion endorsements will also apply to such coverage. The endorsements being filed will apply to both Commercial Property and Businessowners policies. However, the filing has not yet been made for the Businessowners endorsements so there is no proposed effective date at this time for those endorsements. The proposed effective date for the commercial property endorsements is 12/1/20.
One of the two cyber incident exclusion endorsements must be attached to every policy providing property coverage, with the exception of the Mortgageholders Errors And Omissions Coverage Form CP 00 70.
Topics Covered:
Cyber Incident Exclusion With Ensuing Cause(s) Of Loss Exceptions
Background
The cyber exposures of today were not contemplated when ISO developed the coverages reflected in its Commercial Property and Businessowners coverage forms over 30 years ago. In fact, the terms cyber and distributed denial-of-service (DDoS) attacks are somewhat relatively new terms to the industry, and the impact of such attacks can be catastrophic. Also, until fairly recently, an insured had no way to cover cyber attacks. Now, such coverage can be obtained from a cyber insurance policy, such as ISO's Commercial Cyber Insurance Policy.
A cyber attack targets an enterprise's use of cyberspace (internet, cloudspace), for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of data or stealing data or information.
A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. Such an attack can be highly effective by attacking multiple systems as sources of attack traffic.
Cyber attacks can cause direct loss, such as totally damaging or destroying an entire computer network of servers or computers; or indirect loss, such as damaging the data lines that serve industrial control systems and causing interruptions to those data lines.
Cyber Incident Exclusion – CP 10 75 12 20 and BP 15 60
Exclusions:
We will not pay for loss or damage caused directly or indirectly by the following. Such loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.
Analysis:
The Cyber Incident Exclusion endorsement adds an exclusion for loss or damage to covered property caused directly or indirectly by a cyber incident, regardless of any other contributing cause or event, concurrently or in any sequence to the loss. While this is a broad exclusion, there is an exception for loss or damage caused by fire or explosion resulting from a cyber incident; and the exclusion contains an exception so that it does not apply to the extent coverage is provided in the Additional Coverage for Electronic Data, or the Additional Coverage for Interruption of Computer Operations. The exclusion also contains an exception so that it does not apply to the Electronic Commerce (E-Commerce) endorsement if attached to the policy.
Cyber Incident
1. Unauthorized access to or use of any computer system (including electronic data). 2. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into any computer system (including electronic data) and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of any computer system (including electronic data) or otherwise disrupt its normal functioning or operation. 3. Denial of service attack which disrupts, prevents or restricts access to or use of any computer system, or otherwise disrupts its normal functioning or operation.
Analysis:
The exclusion defines cyber incident to include unauthorized access to, or use of, any computer system; a malicious code, virus or any other harmful code that is directed at, enacted upon, or introduced to, any computer system; and a denial of service attack. The definition is comprehensive in an effort to encompass any type of computer manipulation that would prevent or restrict access, or otherwise disrupt the normal functioning or operation of a computer system, including electronic data. So, if an insured's employee accidentally opened a link in a phishing email, and in so doing malware was spread throughout the insured's computer systems, this exclusion would preclude coverage for such loss.
Vandalism
The following is added to Vandalism, if Vandalism coverage is not otherwise excluded under the Standard Property Policy or the Causes Of Loss – Basic, Broad or Special Forms and if applicable to the premises described in the Declarations:
Vandalism does not include a cyber incident as described in Paragraph A.
Analysis:
A Vandalism paragraph is added stating that even should vandalism coverage apply to the policy, such vandalism coverage will not apply to a cyber incident. For example, under the Additional Coverage for Property in Transit, an insured's laptop would be covered for vandalism if in the insured's vehicle. However, if such vandalism included a cyber attack, there would be no coverage for the cyber incident.
Cyber Incident Exclusion With Ensuing Cause(s) Of Loss Exceptions – CP 10 76 12 20 and BP 15 61
This endorsement contains all of the attributes of the Cyber Incident Exclusion endorsement, but contains a number of additional provisions that can be added to the coverage via a Schedule that allows for scheduling per occurrence sublimits of coverage; and a combined 12-month aggregate:
SCHEDULE
Limits Of Insurance
(For Cause(s) Of Loss Other Than Fire Or Explosion)
Cyber Incident Loss Or Damage To Covered Property Coverage
Per Occurrence Limit of Insurance for Cyber Incident Loss Or Damage To Covered Property Coverage: $
Cyber Incident Business Income Coverage
Per Occurrence Limit of Insurance for Cyber Incident Business Income Coverage: $
Cyber Incident Extra Expense Coverage
Per Occurrence Limit of Insurance for Cyber Incident Extra Expense Coverage: $
Cyber Incident Aggregate Limit Of Insurance
Aggregate Limit Of Insurance For Cyber Incident Loss Or Damage To Covered Property Coverage, Cyber Incident Business Income Coverage and Cyber Incident Extra Expense Coverage: $
Analysis:
The Schedule of this endorsement allows for the addition of optional coverage per occurrence sublimits and a 12-month aggregate combined limit for cyber loss incidents. The per occurrence limits of insurance and the aggregate limit of insurance in the Schedule are included within the Limits of Insurance shown in the Declarations.
B. Exceptions And Limitations
1. Fire Or Explosion
If a cyber incident as described in Paragraphs A.1. through A.3. of this exclusion results in fire or explosion, we will pay for the loss or damage caused by that fire or explosion.
2. Other Causes of Loss
If a cyber incident as described in Paragraphs A.1. through A.3. of this exclusion results in: (1) A Covered Cause of Loss, other than fire or explosion; and, if made part of the Policy, other than Flood, Breakdown or Contamination or Power Outage, if this Policy is written on a Named Perils basis.
Paragraphs B.2.a.(2) and (3) do not apply if this Policy is written on a Named Perils basis; (2) A "specified cause of loss", other than fire or explosion; or (3) Theft, and
Analysis:
In addition to the exception covering loss or damage resulting from fire or explosion, the endorsement allows for Additional Other Causes of Loss resulting from a cyber incident exception. There is also an option for the individual per occurrence sublimits to be subject to a 12-month aggregate limit of insurance for all loss or damages caused by all property damage, business income and extra expense occurrences during that period. Both the individual per occurrence sublimit and the aggregate limit would need to be scheduled on the endorsement. According to the ISO rules for this endorsement, the sublimits of insurance may be equal to or less than the limits of the policy.
Further exceptions are added for:
- a cyber incident resulting in a specified cause of loss other than fire or explosion; and theft;
- or if written on a named peril basis, a covered cause of loss other than fire or explosion;
- and if added to the policy, a covered cause of loss other than flood, breakdown or contamination and power outage.
The Causes Of Loss Flood, Limited or Broad Radioactive Contamination, Breakdown or Contamination, Power Outage and Molten Material do not apply to the Other Causes Of Loss provided in the endorsement.
b. A per occurrence Limit Of Insurance is shown in the Schedule of this endorsement for:
(1) Cyber Incident Loss Or Damage To Covered Property Coverage, we will pay for the loss or damage caused by the cause of loss as listed in Paragraphs B.2.a.(1) through B.2.a.(3), whichever applies;
(2) Cyber Incident Business Income Coverage, we will pay for the actual loss of Business Income you sustain due to the necessary "suspension" of your "operations" during the "period of restoration". The "suspension" must be caused by direct physical loss of or damage to Covered Property at the premises described in the Declarations.
The loss or damage must be caused by or result from a cause of loss as listed in Paragraphs B.2.a.(1) through B.2.a.(3), whichever applies; and
(3) Cyber Incident Extra Expense Coverage, we will pay necessary Extra Expense you incur during the "period of restoration" that you would not have incurred if there had been no direct physical loss or damage to Covered Property at the premises described in the Declarations. The loss or damage must be caused by or result from a cause of loss as listed in Paragraphs B.2.a.(1) through B.2.a.(3), whichever applies.
Analysis:
The coverage options do not apply if such coverage has not already been added to the policy. For example, if the policy does not already have coverage for Business Income, then this endorsement cannot be used to provide business income coverage only for a cyber incident.
Paragraph b.(1) adds coverage for a cyber incident if caused by a (1) a covered cause of loss other than fire or explosion and if added to the policy, a flood, breakdown or contamination or power outage, if the policy is written on a named perils basis; or (2) "specified cause of loss", other than fire or explosion; or (3) theft. Therefore, if a covered cause of loss results in a cyber incident, this additional coverage would cover the cyber incident loss or damage to covered up to the selected per occurrence sublimit.
Paragraph (2) adds coverage for a cyber incident resulting from a covered business income loss. If a business income loss from a covered cause of loss results in a cyber incident, then the business income coverage will extend to include loss or damage from the cyber incident. For example, if a tornado renders a building unusable but certain personal property, including the insured's computers, are still in the building and a hacker takes over the system and prevents the insured from resuming operations, then the cyber incident for business income coverage would cover this period of suspension.
Paragraph (3) adds coverage for a cyber incident resulting from a covered extra expense loss. For example, if a flood damages an insured building and a looter steals the insured's computers and hacks into the insured's systems, this coverage would allow the insured to expend whatever amount is necessary to resume operations more quickly, such as a new computer system or experts to break the hacker's code.
D. Limits Of Insurance
-
Subject to Paragraph D.2., the most we will pay for loss or damage under each of the coverages shown in Paragraphs B.2.b.(1) through B.2.b.(3), in any one occurrence, is the per occurrence Limit Of Insurance shown in the Schedule of this endorsement for each coverage.
-
The Cyber Incident Aggregate Limit Of Insurance, if shown in the Schedule of this endorsement, is the most we will pay for the total of all loss or damage for the coverages shown in the Schedule of this endorsement, caused by all occurrences in a 12-month period (starting with the beginning of the present annual policy period), regardless of the number of occurrences during that period of time.
-
The limit(s) of insurance described in Paragraphs D.1. and D.2. above are part of, not in addition to, the applicable Limits Of Insurance shown in the Declarations.
Analysis:
The endorsement provides for selecting a per occurrence limit of insurance for each of the coverages in the Schedule. The limit will apply as an individual cyber incident limit for each coverage. The insured also has the option of choosing a combined Cyber Incident Aggregate Limit of Insurance, which will be a single aggregate limit for all of the optional coverages (property damage, business income and extra expense). The scheduled aggregate limit applies to the total of all loss or damage for all of the scheduled coverages caused by all occurrences within a 12-month period, beginning with the present annual policy period. By providing a 12-month period, this would indicate that the loss or damage could begin within the current policy period, but extend beyond the policy expiration as long as it is within the 12-month period. For example, a business income loss begins 6 months into the policy period but the suspension of business continues until 3 months following policy expiration, the entire loss or damage will be subject to the 12-month aggregate. If the suspension continues on beyond 12 months, the coverage will cease at the end of the 12 months, and the aggregate limit will apply to the 12 months of coverage. Again, the per occurrence limits and the aggregate limit of insurance shown in the Schedule are part of, and not in addition to, the Limit of Insurance shown in the Declarations.
Spoilage Coverage – CP 04 40 12 20 and BP 04 15
B. Exclusions
1. Only the following Exclusions contained in Paragraph B.1. of the Causes of Loss Form applicable to this Coverage Part apply to Spoilage Coverage:
a. Earth Movement; b. Governmental Action; c. Nuclear Hazard; d. War And Military Action; and e. Water.; and the Cyber Incident Exclusion or the Cyber Incident Exclusion With Ensuing Cause(s) Of Loss Exceptions, whichever applies.
Analysis:
There is only one change applying to the spoilage coverage endorsement; that being a provision is added to the exclusions clarifying that the cyber incident exclusion endorsements also apply to spoilage coverage.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.