This article is the third of several articles addressing the various cyber insurance coverage issues that might arise in connection with a claim relating to data/security breaches. It explores the types of damages that are not covered under the typical cyber insurance policy when there is a covered data/security breach.
As highlighted in our previous articles, cyber insurance policies address both first-party and third-party claims that arise as a result of covered cyber events such as a data/security breach. First-party coverage addresses losses incurred directly by the insured, such as a business interruption loss, while third-party coverage addresses liability which might arise involving outside parties, such as the cost of defending against a lawsuit filed as a result of a security failure. All insurance policies, including cyber policies, have exclusions that specify the types of losses/damages that are not covered under the policy. These exclusions vary depending on the insurer and the policy. Below is a non-exhaustive list of some of the common types of losses/damages that are not covered under a typical cyber policy:
1. Future Lost Profits – If a cyber policy provides coverage for a business interruption loss, then it typically covers “lost income,” which is commonly defined as the net profit before interest and/or taxes that would have been earned had there been no interruption in service as a result of a covered data/security breach. However, most cyber policies’ coverage for a business interruption loss does not account for any losses to future profits as a result of a data/security breach. Future lost profits to a business can take many forms. Below are a few examples of future damages that are typically not covered by a business interruption loss:
Unfavorable Business Conditions – When providing coverage for a business interruption loss, many cyber policies expressly exclude losses incurred as a result of “unfavorable business conditions” caused by the impact of the covered data/security breach. As such, any increased costs of doing business following a data/security breach will not be covered as part of a business interruption claim.
Market Share – The foundational feature of business interruption coverage is, as its name suggests, to provide coverage for losses/damages incurred due to the fact that a covered cyber event resulted in an interruption in an insured’s ability to conduct business as usual. However, any future lost profits incurred as a result of any loss in market share due to the interruption will typically be excluded from a business interruption loss.
Value of Data – While business interruption coverage covers a company’s lost income during the period of restoration following a data/security breach, many policies exclude coverage for any subsequent loss to the value of the data itself. Thus, any amount pertaining to the value of the data that was lost or stolen, be it the monetary value of profits, royalties, market share, trade secrets and/or other proprietary information, is often not covered as part of a business interruption loss.
2. Waiting Period Losses – Many cyber policies include a “waiting period” provision that, in part, determines whether business interruption coverage for a data/security breach is provided for under the policy. A waiting period is a set timeframe that begins immediately after a cyber event such as a data/security breach occurs. If the cyber policy includes such a waiting period, then coverage for a business interruption loss will only be triggered after the waiting period has elapsed. Thus, if the business interruption does not continue past the policy’s waiting period (typically between 10-12 hours), then any losses incurred as a result of the interruption will not be covered under the policy.
3. Improvements/Upgrades – While many cyber policies provide coverage for costs incurred to regain access to, replace, or restore data that is lost or compromised in a covered data/security breach, policies rarely provide coverage for costs incurred in updating or replacing digital property such as systems/software to a level beyond that which existed prior to the data/security breach.
4. Loss/Theft of Electronic Devices – A common exclusion found in cyber policies is what is sometimes referred to as the “laptop exclusion.” This type of exclusion may exclude coverage for both first-party property and third-party liability claims concerning a data/security breach that was the result of the loss or theft of a company-owned laptop, smartphone, or other portable electronic device in possession of a company employee. Some policies will, however, provide limited coverage for this type of data/security breach if the loss involves a portable device on which the electronic data was encrypted.
5. Physical Property Damage/Replacement – Many cyber policies contain an exclusion concerning real property damage in one form or another. Many policies include a broad exclusion for physical injury to or destruction of any tangible property as a result of a covered data/security breach. Under such an exclusion, the replacement of any computers or associated devices/equipment that are unable to function as intended due to corruption or destruction would not be covered under the policy. Some policies may provide limited coverage for hardware replacement, but will still exclude damage to any other real property; and, oftentimes when coverage is provided for real property damage, it is provided with the express stipulation that the cyber policy will only cover the damage if it is not otherwise covered by another insurance policy, such as a commercial property insurance policy.
6. Bodily Injury – While this type of coverage is standard under a commercial general liability policy, bodily injury caused by a cyber event is often excluded in most cyber policies. While it may seem unlikely that a person would be physically injured by a data/security breach, in a time some have coined “the internet of everything,” when so many consumer products and devices have internet capabilities that allow for an ever-increasing interconnectivity, it is possible that a data/security breach could lead to physical bodily injury that, under most cyber policies, would not be covered. Some policies may provide limited coverage in the event of a claim for mental anguish or emotional distress as a result of a data/security breach; however, as with damage to real property, it is common for a cyber policy to expressly stipulate that coverage for personal injury will only be provided if it is not otherwise covered by another insurance policy, such as a commercial general liability policy.
The above examples are some of the common exclusions that a typical cyber policy will include, and which a company should be aware of when assessing the potential cyber risks. As highlighted in our second article, companies should work with their broker or agent to determine the coverage best suited to their needs, and ensure that the cyber policy and other commercial policies in place work together to cover the potential damages that can result from a cyber event.