Viewing a single comment thread. View all comments

themadweaz t1_j263f9u wrote

I disagree. I think a cyber exclusion is not necessary in property policies. You made the point itself: direct physical loss. Cyber insurance fits the niche here, and perhaps an optional coverage or endorsement for gl policies makes sense.

But you should not expect that cyber damage would be implicitly covered in a gl or property policy (imho). Unless there is legislation demanding it, in which case an exclusion would need to be added in order to implicitly sell a gl policy with no cyber component.

Exclusions are generally the result of some legislation that makes previous policies more ambiguous. See: recent cannabis exclusions. Since the government has been toying with the laws around the legality of cannabis, it's no longer assumed that it is illegal to produce and thus policies which previously did not cover it now "may" unless an exclusion is present.

Cyber has never been covered, as it isn't direct property loss. Unless the government defines software as a physical property, I see no reason for an exclusion.


fifa71086 t1_j28vpz6 wrote

This is accurate. My company maintain property insurance for the physical devices, but also a tech e&o policy for this exact scenario.


Auedar t1_j29xrnb wrote

I think there is a grey area as well. What if my server gets a virus that shuts off temp regulation, overheats my server, and then it bricks the server by starting a fire/frying the hardware? There is physical damage from the fire, but the origin is from a cyber vector.

I have direct physical loss. Does it still get covered?


Cyberinsurance t1_j2ac6ja wrote

You put the exclusion (or even better expressly carve out “cyber damage” from the definitions to avoid defense costs) since your buyers are less likely to have a risk manager who better understands the coverage. I agree with you that the exclusion isn’t necessary, but without it you will continue to have needless coverage litigation


themadweaz t1_j2ahjmd wrote

I'd fire any risk manager working for a tech company that is unaware cyber insurance exists.

The main issue I see here: cyber is already an established line. You would then need to add all optional coverages, exclusions, endorsements etc that the cyber line is currently offering to the gl policy as well. It would be hard (not impossible) and would make ISO gl worse than it already is. And BOP. And probably Marine... And any commercial auto (cars have computers, right?). It's just not worth it to extend those lines of business when you are offering an additional lob.

Having it as a separate line doesn't prevent an insurer from bundling the two lines, but it adds exceptional extra complexity to already complex lines.

Found this quote that kinda explains my perspective:

"If a company decides to rely on its GL policy to cover cyber losses the only certainty is that it will end up in a fight with its GL insurer"

Btw, I'm not an underwriter. I just used to program rating engines with ISO ERC data. I feel like I have a pretty decent grasp on how ISO decides to implement exclusions, so my comment was only to clarify from that perspective.