Commercial general liability (CGL) coverage is the backbone of most business insurance programs. CGL “Coverage A” insures against third-party claims for damages because of bodily injury (including death) and property damage (typically defined as tangible property). CGL policies are thus supposed to provide a broad grant of coverage for a wide variety of typical tort and product liability claims.
Cyber claims and liabilities are commonly understood to involve the exposure or compromise of personally identifiable information, such as Social Security and credit card numbers and banking information. Consequently, cyber threats are perceived as creating primarily economic or reputational injuries that insurers consider outside the scope of CGL “Coverage A.”
There is a growing concern, however, that cyber risks will increasingly cause bodily injury or property damage, which will in turn inevitably result in claims and lawsuits. Why? Everything is connected. Factories operate using sophisticated computer automation and programmable logic controls (PLCs). Most commercial security and HVAC systems are networked. Home thermostats and security systems can be controlled by computer or smartphone. Some implanted medical devices can be accessed remotely. Modern automobiles are aptly described as moving computers. Any such device or control is vulnerable to compromise, creating a risk of claims.
It takes very little imagination to picture scenarios in which hackers could exploit such vulnerabilities to cause bodily injury or property damage. A compromised security system could result in robberies and even assaults. Attacks on medical devices carry obvious risks of physical injury. Attacks on generators and machinery could cause malfunctions, resulting in injuries and property damage.
It also takes no imagination to envision the virtual certainty of resulting litigation. Claimants would assert claims for strict liability, negligence and other torts against manufacturers and others, arguing that compromised products and systems were defective or asserting negligence in failing to take preventative measures.
Whether CGL policies will respond to such claims is not a simple question. In addition to other possible issues, insurers have been adding endorsements to CGL policies excluding coverage for cyber-related liabilities. In 2013, the Insurance Services Office (ISO), an organization that develops form policy language, issued two endorsements for CGL policies designed to limit, if not eliminate, coverage for cyber-related claims. ISO Endorsement CG 21 07 05 14 adds an exclusion to CGL Coverage A.
The most pertinent part of the exclusion states that the insurance does not apply to damages arising out of: “The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” Electronic data includes “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and application software … which are used with electronically controlled equipment” (emphasis added). ISO Endorsement CG 21 06 05 14 contains identical language with a limited bodily injury exception. Because the definition of electronic data in the endorsement includes “programs” and software used with electronically controlled equipment, carriers may well argue that endorsed CGL policies do not cover claims for bodily injury or property damage resulting from hacks to computers, PLCs or electronic controls. Carriers may even argue that bodily injury and property damage claims tied to commonly-experienced software bugs are excluded.
It is difficult to judge the significance of the issue. ISO merely makes the forms available, and carriers may or may not use them. However, one insurance executive recently stated that “It appears that these revisions have been well received by a number of our participating insurers.” There are no reported cases interpreting the exclusionary language in the endorsements, so there is no judicial guidance on how the exclusions will be interpreted. Exclusions are generally interpreted narrowly, and the courts may limit their impact, although no one should assume they will.
There is an important related point. Many companies do not know what their policies contain until there is a claim and they receive a reservation of rights or denial letter. Accordingly, companies may be unaware that their CGL coverage contains the restrictive language.
Even if a company has taken the prudent step of purchasing cyber insurance, that policy may not plug the gap. Cyber policy forms vary significantly in the coverage provided. However, many cyber policy forms exclude claims for bodily injury or property damage. Accordingly, even companies purchasing cyber insurance may be at risk.
Insurers are gradually beginning to respond to the issue. One carrier is marketing “difference in conditions” (DIC) coverage said to cover bodily injury and property damage resulting from cyberthreats, which applies when other policies do not cover the risk. Another carrier serving the utility and energy industries is marketing similar coverage. A Lloyd’s syndicate has announced a consortium to provide first-party property coverage for cyber risks.
These offerings, however, do not appear to provide a solution for many insureds. First, they appear targeted to large companies in the industrial and utility space. Second, given that DIC coverage essentially plugs potential gaps between different policies, the DIC carrier will probably have to write all underlying coverage, limiting flexibility. Third, although first-party property coverage can be very helpful, it does nothing to bridge the gap on liability claims. Fourth, it is unclear whether these coverages are actually being placed in the market. Thus, at least for most policyholders, the concern remains.
In the meantime, policyholders should take immediate steps to try to avoid the gap, including the following:
- Reviewing, preferably with experienced professionals, current CGL, cyber and other policies to determine whether they contain problematic exclusions for cyber risks, or have been endorsed to add problematic exclusions.
- If there is a gap, policyholders should immediately explore alternatives. Brokers should first attempt to obtain coverage without problematic exclusions, or at least with more limited exclusions.
- Brokers should also explore cyber coverage, including DIC coverage, that may provide greater protection against the gap.
John L. Watkins is a partner at the law firm of Thompson Hine in Atlanta, GA