The new exclusion for cyber risks is being added to the Commercial General Liability policy.  Now what?

Insurance industry reports now are confirming that general liability insurers increasingly are adding data breach exclusions to their policies in an attempt to restrict coverage for privacy risks.

Insurers are incorporating an exclusion developed by the Insurance Services Office Inc., or ISO, an industry trade group that develops standard insurance contract language. The exclusion applies to a variety of damages, including notification costs, credit monitoring expenses and public relations costs associated with data breaches.

The relatively new cyber policies are complex and have not yet been tested in courts.

The rapid introduction of these exclusions, either through renewals or new purchases, may force corporate policyholders to review more closely whether they should purchase separate, specialized data breach/privacy insurance policies, which entered the market fairly recently. Those policies, however, are complex in their construction and wording and have not been tested in the courts. As a result, and because data breaches have resulted in large losses when they occur, policyholders likely will face serious disputes about the coverage provided by those policies when claims are made.

So what should corporate policyholders be doing?

  1. Review new policies and renewals very carefully to determine the extent to which data breach/privacy claims are either covered or excluded. While the ISO exclusion is likely to be the provision relied upon by most insurers, variations of that exclusion may be incorporated that alter the scope of coverage provided. For example, the exclusions may vary from industry to industry.
  2. If separate data breach/privacy insurance is being considered, carefully review policy forms and compare the coverage provided by different insurers in the market. These policies differ in their language and coverage, and policyholders should conduct detailed reviews to determine exactly what coverage is being purchased.
  3. To the extent that a policyholder has an outstanding data breach/privacy claim, the policyholder may be able to argue that the new exclusions are evidence that coverage existed in policies without the exclusions.