themadweaz t1_j2ahjmd wrote

I'd fire any risk manager working for a tech company that is unaware cyber insurance exists.

The main issue I see here: cyber is already an established line. You would then need to add all optional coverages, exclusions, endorsements etc that the cyber line is currently offering to the gl policy as well. It would be hard (not impossible) and would make ISO gl worse than it already is. And BOP. And probably Marine... And any commercial auto (cars have computers, right?). It's just not worth it to extend those lines of business when you are offering an additional lob.

Having it as a separate line doesn't prevent an insurer from bundling the two lines, but it adds exceptional extra complexity to already complex lines.

Found this quote that kinda explains my perspective:

"If a company decides to rely on its GL policy to cover cyber losses the only certainty is that it will end up in a fight with its GL insurer"

Btw, I'm not an underwriter. I just used to program rating engines with ISO ERC data. I feel like I have a pretty decent grasp on how ISO decides to implement exclusions, so my comment was only to clarify from that perspective.


themadweaz t1_j263f9u wrote

I disagree. I think a cyber exclusion is not necessary in property policies. You made the point itself: direct physical loss. Cyber insurance fits the niche here, and perhaps an optional coverage or endorsement for gl policies makes sense.

But you should not expect that cyber damage would be implicitly covered in a gl or property policy (imho). Unless there is legislation demanding it, in which case an exclusion would need to be added in order to implicitly sell a gl policy with no cyber component.

Exclusions are generally the result of some legislation that makes previous policies more ambiguous. See: recent cannabis exclusions. Since the government has been toying with the laws around the legality of cannabis, it's no longer assumed that it is illegal to produce and thus policies which previously did not cover it now "may" unless an exclusion is present.

Cyber has never been covered, as it isn't direct property loss. Unless the government defines software as a physical property, I see no reason for an exclusion.