Defining Properly Loss: Under traditional property and general liability policies, data isn't considered property, and losses would not be covered unless there was physical damage to systems. Here what you need to know

Risk & Insurance, Dec, 2001 by Robert W. Hammesfahr, Richard L. Blatt

Much has been said and written recently about bottom line cyber-risks. These are risks that emerging growth companies, and even mature companies, are facing. Your company does not have to be a startup with a dot-com name to be at risk due to e-commerce perils. All your company has to be is a firm that does some part--even a small part--of its business or communication via the Internet, a group that now includes most businesses in North America and Europe, and many businesses in Asia and South and Central America today. Whether your company is a start-up, an emerging or older company, it goes without saying that insurance protections will be increasingly important to the health of your enterprise. And they have to be the right kind of insurance protections.

Sure, you've always bought the business policies you need--property, fire, casualty, etc. That must be enough. Insurance is not cheap, and business in the downturn is tough right now. Plus, these losses are pretty much all covered anyway, right?

Wrong. Cyber liabilities and damages are probably not covered under these policies. You and your business are at risk if proper insurance is not purchased. Today, companies are exposed to a myriad of loss and liability exposures that simply were not a part of doing business years ago when modern insurance products were developing.

In some ways, the risks of today were not even thought of, and they present insurance issues that have arisen outside the box of traditional insurance thinking. For example, the traditional first-party property, fire and casualty coverage that you bought is designed to protect you from loss or damage to your own property, and it is adequate when your plant or your office, or even your hardware, is damaged or destroyed in a fire or a flood. But what if your business is based on the electronic data that is within the hardware? If that is lost, what then? Is the loss covered? The short answer is no.

But isn't data property, you ask? After all, you own the data. Why isn't that covered under your property policy? The reality is that knowledge is different from physical property that traditional first-party policies cover. Even if there were electronic data processing endorsements added to coverage, without a covered peril, coverage would not be afforded. (Magnetic Data Inc. v. St. Paul Fire and Marine Insurance Co., 1989) What this means is that a modem company's most valuable assets, its lifeblood, namely its electronic data and software property, may not be insured from loss unless there is a covered peril, i.e. physical damage.

The same idea holds true for traditional liability policies that are designed to protect you against third-party claims for bodily injury, property damage and other risks. Commercial general liability (CGL) policies are not intended to deal with liabilities arising from electronic activities. Why? The answer is, simply, that these policies were written for the needs of a different business era.

Traditional CGL policies are usually written in two sections: (1) third-party damages arising from an occurrence or claim for bodily injury, or from physical injury to property, including damage or loss of use of tangible property, and (2) damages arising from specific perils causing personal injury or advertising liability. Many perils that exist in the computer age simply are not covered under these policies.

Also, these traditional policies usually provide protection in terms of indemnification for your legal damages. While this protection may be sufficient for traditional types of harm, it is grossly inadequate to protect you against injunctions or restraining orders and the harmful effects they may have upon your company's ability to do business.

Since these policies simply aren't designed to protect you against a whole new group of risks that arise from doing business on the Net and information technology, you will need more coverage. Maybe some real-life examples will be helpful:

* Business Income Loss Coverage: This is coverage that you may need even if you're a bricks-and-mortar company. But imagine that you are a start-up company and that the ink is not even dry on your incorporation papers. You likely will not have any income to speak of, but you will have a need for cash flow to achieve the research and development goals even if the company does not have profits. Traditional business interruption policies are designed to replace lost profits, whereas the business model of an emerging company is geared to its cash burn rate.

As a fledgling company, you will need a policy that is aimed at protecting your ability to pay crucial development costs, such as key employee compensation, product development and the like, when your business model is delayed due to interruption of computer systems whether from traditional perils, such as fire, wind, or other physical perils or cyber interruptions because of hack attacks, viruses or other unauthorized computer, software or Internet access, use or interruption.