Summary: When we first wrote about the introduction of the ISO commercial property and businessowners cyber incident exclusion endorsements back in 2020, the filings had not yet been made for the businessowners program. Since that time, the businessowners cyber incident exclusion endorsement BP 15 60 was filed with an edition date of 02 21.

Because cyber continues to be an evolving exposure, impacting data privacy and electronic data, ISO is now introducing another cyber incident exclusion endorsement and updating several existing endorsements with respect to data privacy and electronic data. These new and revised endorsements will be available for policies effective 1/1/2024. Coinciding with these changes, endorsement BP 15 05 – Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included, is being withdrawn.

Due to the number of endorsements being discussed, we are dividing this analysis into two parts.

Part One discusses the cyber incident, data privacy, and electronic data liability exclusion endorsements.

Part Two discusses the endorsements available to provide some limited coverage for cyber incidents and electronic data liability.

Topics Covered:

Exclusion – electronic data – deletion of bodily injury exception BP 18 09 

Background

The cyber exposures of today were not contemplated when ISO developed the coverages reflected in its Commercial Property and Businessowners coverage forms over 30 years ago. In fact, the terms cyber and distributed denial-of-service (DDoS) attacks are relatively new to the industry, and the impact of such attacks can be catastrophic. Also, until fairly recently, an insured had no way to cover cyber attacks. Now, such coverage can be obtained from a cyber insurance policy, such as ISO's Commercial Cyber Insurance Policy CY 00 01 01 18 (CA, FL and VI); or CY 00 02 11 21 (all other states). See the Cyber Forms List here, and the cyber forms analyses can be found here.

ISO has continued to monitor the ever-evolving cyber landscape, including so-called 'silent' cyber exposures and how policies may be affected. As the use of technology expands, the use of connected devices increases, and hackers become more sophisticated, the possibility of related events contributing to property damage and/or bodily injury may be heightened.

A cyber attack targets an enterprise's use of cyberspace (internet, cloudspace), for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of data or stealing data or information.

A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. Such an attack can be highly effective because it uses multiple systems as sources of attack traffic.

Cyber attacks can cause direct loss, such as totally damaging or destroying an entire computer network of servers or computers; or indirect loss, such as damaging the data lines that serve industrial control systems and causing interruptions to those data lines.

Exclusion – Access or Disclosure of Confidential or Personal Material or Information BP 15 04

The following is added to Paragraph 1. Applicable To Business Liability Coverage of B. Exclusions under Section II – Liability:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Material Or Information

"Bodily injury", "property damage" or "personal and advertising injury" arising out of any access to or disclosure of any person's or organization's confidential or personal material or information, including:

  1. Patents, trade secrets, processing methods, customer lists;
  2. Financial information, credit card information;
  3. Health information, biometric information; or
  4. Any other type of nonpublic material or information.

This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal material or information.

Analysis:

This endorsement has been revised from the 05 14 edition. That edition contained a limited bodily injury exception. The revised endorsement BP 15 04 12 23 removes this exception and applies the exclusion to bodily injury, property damage, and personal and advertising injury liability. This change was undertaken in consideration of the current and increased legislation and court activity arising out of the protected rights of privacy, such as the Illinois Biometric Information Privacy Act (BIPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Protection Act (CCPA). The change is intended to reinforce coverage intent with respect to these and other laws concerning protected rights and privacy.

The exclusion removes coverage for damages caused by access to or disclosure of a person's or organization's confidential information. Costs related to these events such as notification costs or monitoring expenses are also excluded.

Exclusion – Access or Disclosure of Confidential or Personal Material or Information BP 15 06

The following is added to Paragraph 1. Applicable To Business Liability Coverage of B. Exclusions under Section II – Liability:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Material Or Information

"Personal and advertising injury" arising out of any access to or disclosure of any person's or organization's confidential or personal material or information, including:

  1. Patents, trade secrets, processing methods, customer lists;
  2. Financial information, credit card information;
  3. Health information, biometric information; or
  4. Any other type of nonpublic material or information.

This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal material or information.

Analysis:

This endorsement contains the same provisions as endorsement BP 15 04 except that it applies the exclusion only to personal and advertising injury liability, thereby not applying the exclusion to bodily injury or property damage arising out of such access to or disclosure of protected information or material.

Cyber Incident Exclusion BP 15 60

Section I – Property is amended as follows:

A. The following exclusion is added to Paragraph B. Exclusions:

We will not pay for loss or damage caused directly or indirectly by the following. Such loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.

Analysis:

The Cyber Incident Exclusion endorsement begins with anti-concurrent causation language. This makes certain that regardless of any other cause of loss that might occur in sequence or conjunction with the cyber incident, the cyber incident will be excluded.

The Cyber Incident Exclusion endorsement adds an exclusion for loss or damage to covered property caused directly or indirectly by a cyber incident.

Cyber Incident

  1. Unauthorized access to or use of any computer system (including "electronic data").
  2. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into any computer system (including "electronic data") and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of any computer system (including "electronic data") or otherwise disrupt its normal functioning or operation.
  3. Denial of service attack which disrupts, prevents or restricts access to or use of any computer system, or otherwise disrupts its normal functioning or operation.

Analysis:

The exclusion defines cyber incident to include unauthorized access to, or use of, any computer system; malicious code, virus or any other harmful code that is directed at, enacted upon, or introduced into any computer system; and a denial of service attack. The definition is comprehensive in an effort to encompass any type of computer manipulation that would prevent or restrict access, or otherwise disrupt the normal functioning or operation of a computer system, including electronic data. So, if an insured's employee accidentally opened a link in a phishing email, and in so doing malware was spread throughout the insured's computer systems, this exclusion would preclude coverage for such loss.

B. Exceptions And Limitations

1. Fire Or Explosion

If a cyber incident as described in Paragraphs A.1. through A.3. of this exclusion results in fire or explosion, we will pay for the loss or damage caused by that fire or explosion.

2. Additional Coverage

The exclusion in Paragraph A. does not apply to the extent that coverage is provided in the:

  a. Additional Coverage – Electronic Data; or
  b. Additional Coverage – Interruption Of Computer Operations.

3. Computer Fraud And Funds Transfer Fraud Endorsement

The exclusion in Paragraph A. does not apply to the Computer Fraud And Funds Transfer Fraud endorsement when attached to your policy.

4. Electronic Commerce Endorsement

The exclusion in Paragraph A. does not apply to the Electronic Commerce (E-Commerce) endorsement when attached to your policy.

5. Information Security Protection Endorsement

The exclusion in Paragraph A. does not apply to the Information Security Protection Endorsement when attached to your policy.

Analysis:

While the exclusion is fairly broad, the endorsement also contains exceptions for loss or damage caused by fire or explosion resulting from a cyber incident; and the exclusion contains an exception so that it does not apply to the extent coverage is provided in the Additional Coverage for Electronic Data, or the Additional Coverage for Interruption of Computer Operations. The exclusion also contains exceptions so that it does not apply to the Electronic Commerce (E-Commerce) endorsement or the Information Security Protection endorsement, if either of these is attached to the policy.

C. Vandalism

The following is added to Vandalism:

Vandalism does not include a cyber incident as described in Paragraph A.

Analysis:

A vandalism paragraph is added stating that even should vandalism coverage apply to the policy, such vandalism coverage will not apply to a cyber incident. For example, under the Additional Coverage for Property in Transit, an insured's laptop would be covered for vandalism if in the insured's vehicle. However, if such vandalism included a cyber attack, there would be no coverage for the cyber incident.

Cyber Incident Liability Exclusion BP 18 03

Section II – Liability is amended as follows:

A. The following exclusion is added to Paragraph 1. Applicable To Business Liability Coverage under B. Exclusions:

This insurance does not apply to:

Cyber Incident

"Bodily injury", "property damage", or "personal and advertising injury" arising out of a "cyber incident".

This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".

Analysis:

Unlike the cyber incident exclusion that applies to property coverage, the liability exclusion contains no exceptions. It is a broad and all-encompassing exclusion, often referred to as an absolute, or total, exclusion. This endorsement is mandatory unless endorsement BP 18 07 or BP 18 08 is on the same policy. These two endorsements are discussed in Part Two.

B. For the purposes of this endorsement, the following is added to Paragraph F. Liability And Medical Expenses Definitions:

"Cyber incident" means any:

  1. Unauthorized access to or use of any computer system.
  2. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into any computer system and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of any computer system or otherwise disrupt its normal functioning or operation.
  3. Denial of service attack which disrupts, prevents or restricts access to or use of any computer system, or otherwise disrupts its normal functioning or operation.

Analysis:

The definition of cyber incident is added to the liability section of the businessowners form. Except that there is no reference to "electronic data", the definition is the same as in the property section, discussed above.

Cyber Incident Liability Exclusion for Electronic Data Liability – Broad Coverage BP 18 06

Analysis:

This cyber incident exclusion endorsement can only be applied to endorsement BP 05 96 Electronic Data Liability – Broad Coverage. It excludes coverage for loss of electronic data arising out of a cyber incident. Provisions of the endorsement are similar to endorsement BP 18 03, except this is applicable to electronic data.

Exclusion – Electronic Data – Deletion of Bodily Injury Exception BP 18 09

Section II – Liability is amended as follows:

The second paragraph ("However, this exclusion does not apply…") of Paragraph q. Electronic Data under 1. Applicable To Business Liability Coverage of B. Exclusions is deleted.

Analysis:

Endorsement BP 18 09 12 23 amends the electronic data liability exclusion in the businessowners form by removing the exception for bodily injury. In so doing, this endorsement excludes liability for electronic data in its entirety.

Includes copyrighted material of Insurance Services Office, Inc., with its permission.