In the wake of a growing number of corporate hacking incidents, the demand for cyber-liability insurance coverage is growing at an astounding rate. This as companies seek alternative measures to mitigate their overall enterprise risk management strategies. The insurance industry is struggling with how best to write those policies, and no where is this more prevalent than at Zurich American Insurance Company (ZAIC). In a motion filed before the Supreme Court of New York (this is a lower court), ZAIC asked to be absolved of indemnifying and defending any claims that arise related to the Sony PlayStation Network hacking incident this past April. ZAIC claims that the general liability policy only covers “bodily injury” or “property damage” caused by incidents other than cyber-related ones.
Most insurance experts agree that providers specifically exclude cyber-related incidents from coverage under a general liability policy, but that the insured’s (i.e. the people who buy the insurance) assume cyber-incidents are covered. Usually, when the insured discovers that a separate rider to the policy will need to be purchased, the incentive to buy coverage becomes cost prohibitive. For large multi-national organizations dealing with terabytes upon terabytes of data, a cyber-policy might actually serve a favorable purpose to mitigate exposure, but for the average small business owner, cyber-coverage, at this point in time, may not be such a good risk alternative. Once insurance companies can figure out how best to sell this coverage to the masses of small business owners, the growth in that niche sector will explode.
Should the scope of the definition of “property damage” be expanded to include a hacking incident?