Cyber-related risk is a hot button issue in the insurance community and the business community at large. Having a cyber component to your company’s insurance program is now the status quo, with many insurers offering stand alone cyber policies, or at the very least, endorsements and other add-ons that help in transferring this risk. These coverages protect against first party losses (e.g. system damage, business interruption, etc.) and third party losses (e.g. privacy liability if sensitive information is breached) that arise from cyber-related perils that are typically excluded under traditional property and general liability policies.
However, simply having cyber coverage in place does not mean that all areas of exposure to cyber-related losses have been covered off. While the threat of system cyber attacks are nothing new to businesses that have an online or technological component, companies may often overlook other areas that security personnel may not realize are connected to the internet or internal computing systems, such as heating and cooling systems, generators, certain pressure vessels, and other systems that have underlying controls. It is these types of systems that frequently lack basic security protocols such as user passwords, and have the potential to cause bodily injury (BI) to individuals or property damage (PD) if they are breached or tampered with in a malicious way. Furthermore, a company may be in for a rude awakening if they experience such as loss, only to find out that, depending on their policy’s wording, their cyber policy does not cover these types of losses, which are already excluded under standard property and general liability policies. For example, many property policies contain exclusions for any loss caused by “the use of a computer system as a means of inflicting harm.”1 Conversely, cyber policies feature broad exclusions for BI and PD. So what can be done to eliminate this gap in coverage?
“Difference in Conditions” (DIC) coverage presents one solution. Although not a typical feature of cyber policies, DIC coverage can be applied to a cyber-related BI or PD loss that (aside from its cyber-related cause) would normally be covered by a traditional property or liability policy, if not for its cyber-related exclusions – in effect, covering any “difference in conditions” between the underlying property/liability policies and the cyber policy. Unfortunately, this is not a typical offering of most cyber policies, so it is always important to review your policy wordings for any exclusions or limitations that may leave your company exposed to an uninsured cyber-related BI or PD claim.
Still trying to make sense of everything? Our experts are here to help! To learn more about cyber insurance and risk management, and to find out what exposures your company may have, speak to one of our advisors today.