Summary: When we first wrote about the introduction of the ISO commercial property and businessowners cyber incident exclusion endorsements back in 2020, the filings had not yet been made for the businessowners program. Since that time, the businessowner cyber incident exclusion endorsement BP 15 60 was filed with an edition date of 02 21.
Because cyber continues to be an evolving exposure, impacting data privacy and electronic data, ISO is now introducing another cyber incident exclusion endorsement and updating several existing endorsements with respect to data privacy and electronic data. These new and revised endorsements will be available for policies effective 1/1/2024. Coinciding with these changes, endorsement BP 15 05 - Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included, is being withdrawn.
Due to the number of endorsements being discussed, we have divided this analysis into two parts.
Part One discussed the cyber incident, data privacy, and electronic data liability exclusion endorsements.
Part Two discusses the endorsements available to provide some limited coverage for cyber incidents and electronic data liability.
Topics Covered:
Exclusion – electronic data – deletion of bodily injury exception BP 18 09
Electronic data liability – limited coverage subject to cyber incident exclusion BP 05 95
Electronic data liability – broad coverage BP 05 96
Background
The cyber exposures of today were not contemplated when ISO developed the coverages reflected in its Commercial Property and Businessowners coverage forms over 30 years ago. In fact, the terms cyber and distributed denial-of-service (DDoS) attack are relatively new to the industry, and the impact of such attacks can be catastrophic. Also, until fairly recently, an insured had no way to cover cyber attacks. Now, such coverage can be obtained from a cyber insurance policy, such as ISO's Commercial Cyber Insurance Policy CY 00 01 01 18 (CA, FL and VI); or CY 00 02 11 21 (all other states). See the Cyber Forms List here, and the cyber forms analyses can be found here.
ISO has continued to monitor the ever-evolving cyber landscape, including so-called 'silent' cyber exposures and how policies may be affected. As the use of technology expands, the use of connected devices increases, and hackers become more sophisticated, the possibility of related events contributing to property damage and/or bodily injury may be heightened.
A cyber attack targets an enterprise's use of cyberspace (internet, cloudspace), for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of data or stealing data or information.
A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. Such an attack achieves its effectiveness by using multiple compromised systems as sources of attack traffic.
Cyber attacks can cause direct loss, such as totally damaging or destroying an entire computer network of servers or computers; or indirect loss, such as damaging the data lines that serve industrial control systems and causing interruptions to those data lines.
Cyber Incident Liability Coverage Subject to Each Cyber Incident Occurrence and Aggregate Limits BP 18 07
Section II – Liability is amended as follows:
A. Coverage provided by this insurance for damages because of "bodily injury" or "property damage" caused by a "cyber incident" is subject to the Each Cyber Incident Occurrence Limit and Cyber Incident Aggregate Limit as described in Paragraph D. of this endorsement.
Analysis:
This endorsement BP 18 07 12 23 allows for scheduling of a limited amount of liability coverage for each cyber incident occurrence, subject to an applicable aggregate limit for all such cyber incidents. The endorsement covers damages because of bodily injury or property damage caused by a cyber incident, but does not provide coverage for personal and advertising injury liability.
B. For the purposes of the coverage provided by this endorsement:
1. Paragraph q. Electronic Data of 1. Applicable To Business Liability Coverage under B. Exclusions is replaced by the following:
This insurance does not apply to:
q. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data".
However, this exclusion does not apply to liability for damages because of:
(1) "Bodily injury"; or (2) "Property damage" caused by a "cyber incident".
2. The following is added to Paragraph B. Exclusions:
Cyber Incident Costs Or Expenses
Damages claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".
C. The following is added to Paragraph p. Personal And Advertising Injury of 1. Applicable To Business Liability Coverage under B. Exclusions:
This insurance does not apply to:
Cyber Incident
"Personal and advertising injury" arising out of a "cyber incident".
This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".
Analysis:
By amending the electronic data exclusion, the endorsement adds a cyber incident exception that covers damages because of bodily injury or property damage caused by a cyber incident. However, as further described in paragraph C. of the endorsement, the coverage does not extend to personal and advertising injury liability arising out of a cyber incident.
The limited coverage applies to bodily injury or property damage, and as described in paragraph D. of the endorsement, medical payments expenses arising out of cyber incidents are also covered. However, under no circumstances will there be coverage for any of the associated costs or expenses that accompany a cyber incident as described in paragraphs B.2. and C.
D. The following are added to Paragraph D. Liability And Medical Expenses Limits Of Insurance:
- Subject to Paragraph D.4.a. or D.4.b., whichever applies, the Cyber Incident Aggregate Limit shown in the Schedule of this endorsement is the most we will pay for the sum of all damages because of all "bodily injury", "property damage" and medical expenses arising out of all "cyber incidents".
- Subject to the Cyber Incident Aggregate Limit, the Each Cyber Incident Occurrence Limit shown in the Schedule of this endorsement is the most we will pay for the sum of all damages because of all "bodily injury" and "property damage" arising out of any one "occurrence" that is caused by a "cyber incident".
Analysis:
As discussed above, the cyber incident each occurrence limit is the most that will be paid for all bodily injury and property damages arising out of any one occurrence caused by a cyber incident, defined in paragraph F. of the endorsement. The aggregate limit applies to all damages because of bodily injury, property damage, and medical expenses arising out of all cyber incidents.
E. If Exclusion – Access Or Disclosure Of Confidential Or Personal Material Or Information Endorsement BP 15 04 is attached to the Policy, the provisions of that endorsement do not apply to the extent that coverage is provided by this endorsement.
Analysis:
This is self-explanatory. If the endorsement is attached, the provisions of endorsement BP 15 04, if also on the policy, will not serve as a barrier to coverage available under this endorsement BP 18 07.
F. For the purposes of the coverage provided by this endorsement, the following are added to F. Liability And Medical Expenses Definitions:
1. "Cyber incident" means any:
- Unauthorized access to or use of any computer system.
- Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into any computer system and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of any computer system or otherwise disrupt its normal functioning or operation.
- Denial of service attack which disrupts, prevents or restricts access to or use of any computer system, or otherwise disrupts its normal functioning or operation.
2. "Electronic data" means information, facts or computer programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other repositories of computer software which are used with electronically controlled equipment. The term computer programs, referred to in the foregoing description of electronic data, means a set of related electronic instructions which direct the operations and functions of a "computer" or device connected to it, which enable the "computer" or device to receive, process, store, retrieve or send data.
Analysis:
Paragraph F. adds the necessary definitions of cyber incident and electronic data to the endorsement, upon which the endorsed coverage is based. The definition of cyber incident is the same as that contained in the exclusion endorsement BP 18 03, which was discussed in Part One of the endorsement analyses.
Electronic data is defined in the same manner as in the businessowners coverage form, BP 00 03.
Cyber Incident Liability Coverage and Electronic Data Liability Coverage Subject to Loss of Electronic Data, Each Cyber Incident Occurrence and Aggregate Limits BP 18 08
Section II – Liability is amended as follows:
A. Coverage provided by this insurance for damages because of:
- "Bodily injury" or "property damage" caused by a "cyber incident"; and
- Loss of "electronic data" that results from physical injury to tangible property;
is subject to the Limits of Insurance as described in Paragraph D. of this endorsement.
Analysis:
Refer to the above analysis of endorsement BP 18 07. This endorsement BP 18 08 12 23 is similar, but adds coverage for loss of electronic data resulting from physical injury to tangible property. This coverage is subject to the loss of electronic data limit shown in the endorsement schedule.
As described in paragraph D. of this endorsement, the electronic data limit shown in the endorsement schedule is subject to the each occurrence and aggregate limit that applies to the businessowners policy.
Electronic Data Liability
The following two endorsements, BP 05 95 and BP 18 05, are used to provide some limited coverage for electronic data liability. If either of these endorsements is attached to a policy, neither endorsement BP 18 07 nor BP 18 08 can be on the same policy, to avoid ambiguity. It is acceptable to add endorsement BP 05 95 or BP 18 05 to the policy, even if the cyber exclusion endorsement BP 18 03 is on the same policy.
Electronic Data Liability – Limited Coverage Subject to Cyber Incident Exclusion BP 05 95
Section II – Liability is amended as follows:
A. Paragraph q. Electronic Data of 1. Applicable To Business Liability Coverage under B. Exclusions is replaced by the following:
This insurance does not apply to:
q. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data".
However, this exclusion does not apply to liability for damages because of:
(1) "Bodily injury"; or
(2) Loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that results from physical injury to tangible property.
B. For the purposes of the coverage provided by this endorsement, the following is added to Paragraph B.1. Applicable To Business Liability Coverage:
This insurance does not apply to:
Cyber Incident
"Bodily Injury" or "property damage" arising out of a "cyber incident". This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other similar cost or expense incurred by you or others arising out of a "cyber incident".
Analysis:
This endorsement BP 05 95 12 23 is designed to provide limited coverage for loss of electronic data, as defined, if such loss results from physical injury to tangible property. There is also an exception for bodily injury. For example, a lightning strike destroys an insured's medical office computer systems. This leaves the insured unable to access vital medical records and diagnostic software, which in a worst-case scenario might lead to a patient suffering some bodily injury or even death. This endorsement would provide coverage for such an event at the limit shown in the endorsement for loss of electronic data.
In paragraph B. of the endorsement we find that what is not included in the coverage provided is electronic data loss that arises out of a cyber incident, as defined, or any of its associated costs or expenses.
Paragraph C. adds the electronic data liability coverage of the endorsement to the liability and medical expense limits of insurance. For liability and medical expenses, the loss of electronic data limit shown in the schedule is the most that will be paid under business liability for property damage because of all loss of electronic data arising out of one occurrence.
Paragraph D. adds the definitions of cyber incident and electronic data, and paragraph E. amends the definition of property damage specific to the coverage provided by the endorsement. The definitions of electronic data and property damage remain unchanged from prior editions of the endorsement, but the definition of cyber incident is newly added with the 12 23 edition of the endorsement. The intent of the coverage was never to provide coverage for a silent cyber event, so the definition is added as clarification. The cyber incident definition is the same as that contained within the cyber incident exclusion endorsement BP 15 60 02 21.
Electronic Data Liability – Limited Coverage Subject to Cyber Incident Exclusion, Deletion of Bodily Injury Exception BP 18 05
Section II – Liability is amended as follows:
A. Paragraph q. Electronic Data of 1. Applicable To Business Liability Coverage under B. Exclusions is replaced by the following:
This insurance does not apply to:
q. Electronic Data
Damages, arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data".
However, this exclusion does not apply to liability for damages because of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate "electronic data" that results from physical injury to tangible property.
Analysis:
Endorsement BP 18 05 12 23 provides limited coverage for electronic data liability in the same manner as endorsement BP 05 95 discussed above. However, endorsement BP 18 05 removes the exception for bodily injury. Using the same medical office example as presented for that endorsement, there would still be coverage for the loss of the electronic data and software; however, no coverage would be available for the customer's bodily injury.
Electronic Data Liability – Broad Coverage BP 05 96
B. For the purposes of the coverage provided by this endorsement, Paragraph B. Exclusions is amended by the addition of the following:
This insurance does not apply to:
8. Unauthorized Use Of Electronic Data
"Loss of electronic data" arising out of theft or unauthorized viewing, copying, use, corruption, manipulation or deletion of "electronic data" by any Named Insured, past or present "employee", "temporary worker" or "volunteer worker" of the Named Insured…
11. Access Or Disclosure Of Confidential Or Personal Material Or Information
"Loss of electronic data" arising out of any access to or disclosure of any person's or organization's confidential or personal material or information, including:
Patents, trade secrets, processing methods, customer lists;
Financial information, credit card information;
Health information, biometric information; or
Any other type of nonpublic material or information.
This exclusion applies even if damages are claimed for notification costs, credit or identity monitoring expenses, forensic expenses, public relations expenses, data restoration expenses, extortion expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal material or information.
C. For the purposes of the coverage provided by this endorsement, Paragraph B.1.q. Electronic Data of 1. Applicable To Business Liability Coverage under B. Exclusions does not apply.
Analysis:
The earlier 07 13 edition of this endorsement is discussed here; the first section of the endorsement has not been changed. The revised edition BP 05 96 12 23 breaks exclusion 8. access, disclosure or unauthorized use of electronic data into two separate exclusions to better distinguish the type of electronic data loss that is being covered from the type of loss of electronic data that is being excluded. With this change, it is clarified that the excluded electronic data loss is that arising out of unauthorized violations that expose confidential information of a person or organization, or personal material or information of anyone, that is not subject to public access. The exclusion extends to damages claimed for any associated monetary costs or expenses of any type.
Paragraph C. of the endorsement was modified to clarify that the exclusion for electronic data that is contained within the liability portion of the businessowners form does not apply, thereby providing the electronic data liability coverage.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.

