What Policyholders Don’t Know Can Hurt Them

The things businesses do not know about their potential liability for what employees do in cyberspace have the potential to become a serious problem.

Recent surveys indicate that many businesses do not realize that simply connecting to the World Wide Web or another network exposes them to potential losses, and that many of those that do recognize the existence of a loss exposure do not have the proper insurance in place to cover it. Even businesses that have reviewed their insurance programs and found coverage are not entirely safe, because coverage they have now may disappear in the near future. Insurance Services Office (ISO) has revised its commercial general liability forms to limit coverage for business activities over the Internet and other computer networks, and insurers who use proprietary forms are doing the same.

Two surveys published within the past year indicate that businesses of all sizes are ill prepared for litigation that may arise from connecting their computers to a network. After surveying small and medium size businesses, the Hartford Financial Services Group reported that 80 percent did not know whether or not they had coverage for third party claims arising out of their use of the Internet. Last month the St. Paul Companies published the results of a survey of chief financial officers, risk managers and brokers. The research concluded that most respondents lacked an adequate understanding of technology risks. They also have difficulty identifying exposures and lack the tools to monitor and manage them.

Evolving liability insurance forms compound that lack of knowledge. The October 2001 editions of Insurance Services Office’s commercial general liability coverage forms, for example, impose some serious limitations on coverage for doing business online. Insurers that use their own forms instead of ISO forms have been following the same course, but they started sooner and have been going farther. Proprietary forms often contain limitations on coverage that go beyond the scope of the new exclusions in ISO’s forms, and many of them appeared in the marketplace while the ISO revisions were little more than a gleam in a committee’s eye.

Important Changes, Obscure Motivation
Not everybody agrees on what the coverage changes mean. It might be nothing more than a natural adaptation of coverage to changing conditions, an effort to eliminate specialized exposures that most businesses do not face without any intent at substantively reducing protection for most businesses. It may, on the other hand, represent a systemic change in the way insurers underwrite and insure information technology exposures, including exposures that almost every business faces every day. Figuring out why the market has changed is the key not so much to predicting whether the lost coverages will return as to forecasting the price policyholders will have to pay. Almost as fast as an exclusion appears, a new coverage materializes to buy it back. The major difference is that the cost is no longer part of a premium the insured would have to pay in any event.

Philip Pierson, founder of Swett & Crawford’s e-Sher Underwriting Managers, views the changes as an adjustment of policy forms to the new realities of business. Insurers, he asserts, are not taking away coverage they provided when they first drafted the forms so much as they are redefining coverage to exclude liability for exposures that did not exist when the forms first appeared, exposures that underwriters never intended to insure. “Coverage that really wasn’t contemplated from a coverage standpoint and from an underwriting and pricing standpoint is now being specifically excluded,” he explained.

Others see the changes in coverage as something more than forms that have started to catch up with the times. The insurance industry, they believe, is starting to treat parts of the liability potential generated by information technology as a catastrophe exposure. Underwriters have coined the terms “cyberhurricane” and “digital earthquake” to describe the potential loss from virus transmission, and they have started to underwrite the liability exposure the same way they do windstorm, earthquake and flood. The result has been depressed limits and exclusionary language that writes coverage out of liability insurance forms.

“The reality is today if you are a policyholder, you have significant large areas of uninsured potential for loss, and some of these have been accelerated by the changes in the reinsurance and insurance market post September 11,” explained Jeffery S. Grange, vice president and global manager, financial fidelity products at Chubb & Son’s Department of Financial Institutions. “Most notably the world’s leading reinsurers long before September 11 were very concerned about the potential for accumulation and aggregation of exposure for systemic events arising out of virus, where virus or other contagion could affect multiple policyholders simultaneously.”

The result may be a minor annoyance to an information technology company, but it can become a major problem for businesses in any other industry. IT professionals will almost certainly recognize the exposure and obtain the appropriate coverage. Their customers, by contrast, may overlook the loss potential and never realize that there is a gap in coverage. “If you’re a company that is doing Web site development your coverage is partially or totally excluded. That isn’t so problematic because there are specialty coverages for a company like that,” commented John Sacia, CEO of Sacia Risk Solutions LLC. “Where it becomes a big problem is just the standard main street business that doesn’t even consider itself an eCommerce company but has a very active Web site. The problem there is that there are elements of normal day to day activities that are excluded under the CGL policy.”

Although the effect of many of the changes ISO has made to its CGL forms is not clear, at least one new provision seems to bear the contention that businesses outside information technology will see a reduction in coverage. The revised definition of property damage includes an explicit statement that electronic data is not tangible property. Within the new definition, transmission of a virus will not trigger coverage because it will not cause physical injury to tangible property. The exposure is very much a part of the everyday activities of businesses outside the information technology field because viruses travel almost exclusively by e-mail. The net result is to leave many businesses without coverage for an exposure they face but cannot accurately quantify.

A legal environment that is even more fluid than the coverage situation only compounds the analysis. No one can point to any judgment imposing liability for lax network security, for example, but the problem has not been around long enough for claims to have gone to trial. All we can say for certain is that there is a ready pool of plaintiff’s attorneys who took the trouble to learn computer law and have not had adequate opportunity to put that knowledge to work. Christopher Trainer, western region practice leader, eBusiness solutions at Marsh, Inc., wonders if cyberliability will turn out to be just what they have been waiting for. “That creates tremendous torts for our friends in the law industry who have mythically geared up for Y2K and thought that was going to be their employment for life,” he said, “but that did not happen. They are very savvy in the issues of computer law, the ways computers work.”

Three Main Sources Exist for Losses
Professionals who make their living writing insurance for information technology exposures identify three main sources of loss. Web content liability is the exposure a business faces simply from having a web site. Losses come mostly from libel, slander, defamation, copyright infringement, trademark infringement and invasion of privacy. Internet professional errors and omissions liability is just what the name implies, the E&O exposure of information technology companies for the professional services they provide. Network security liability encompasses losses from failing to adopt best practices to protect your computer and others on the network from unauthorized access or attack. The most common claims are for transmitting viruses, denial of service attacks and theft of confidential customer information.

In many ways the exposures are not new, but it is much easier for a loss to occur. The Internet has, for example, made copyright infringement more visible and the potential loss much larger. “The exposures are not altogether different, but a lot of times they’re increased and it’s easier for somebody to infringe somebody else’s material,” Carol Beatty, technology underwriting director at the St. Paul, said.

For a thorough rundown of the exposure to liability from doing business in cyberspace, information technology underwriters and wholesalers suggest looking at the policies that are available in the marketplace. Coverages, they say, have evolved rapidly to insure the potential losses that prospective policyholders face. There are policies designed to meet the needs of small businesses whose exposures come principally from using e-mail to transact business. Other forms provide a full range of coverages for information technology professionals such as Internet service providers (ISPs), web hosting company, web site developers and consultants, and application service providers (ASPs). In between you will find a continuum of coverage to match the continuum of loss exposures.

The dynamic nature of the marketplace, however, means that have to repeatedly apply whatever technique you use to analyze exposures. Once is not enough because new loss exposures keep emerging. “We originally called this the World Wide Web,” Larry Harb, president of IT Risk Managers, Inc., commented “but if you think about it in some cases we’ve sort of coined it the wild, wild web because from a legal standpoint I still think it’s wide open, especially from the liability side.”

Full-Time Effort Employed
Turning to professionals who deal full-time with information technology insurance is one way agents and brokers can get the information they need without investing excessive time and effort. These professionals are readily available because underwriters have learned that covering IT exposures is not something you can do on the side. “We determined and realized well over two years ago that in order to fulfill the needs of customers in the area of cyberliability you can’t do it on a part-time basis,” Ty R. Sagalow, executive vice president and chief operating officer of AIG eBusiness Risk Solutions, explained. “You need to put the investment, and it’s a considerable investment, into creating a dedicated unit with a single dedicated purpose of researching and understanding the vast exposures associated with cyberspace and the Internet, and developing solution sets combining risk management advice, insurance and technology.