Sean Quinn, Ph.D, J.D., Etc.
1300 West Lynn St. #208
difference between these requirements in cyber policies and real world
policies. All claims-made liability policies—including excess policies—begin
with similar concepts. Some liability claims-made policies as originally
written require that (i) the alleged injury asserted by the alleged victim
against the insured and (ii) the claim for compensation against the insured
must all occur during the policy period. In addition, the insured’s claim
notification to the insurer must also occur during the policy period. The requirement that the insured’s claim or
notification to the insurer be in writing is often waived.
Most claims-made policies have a policy
period lasting a year. Some of the
policies require that the injury causing event occurred during the policy period,
along with the alleged injury, the claims against the insured, and notification
to the insurer. This is a very difficult set of criteria to meet. Seldom do that many things occur during a
short period of time.
A second way a system specified in the
contract might work is that the claim is something made by the person or entity
asserting injury against the insured and the insured’s making that assertion
known to the insurer within the policy period.
In this system, there is no requirement that the injury occur during
the policy period. The injury would be required to occur during a specified
retroactive period. In other ways the
date of the beginning of the policy period would remain the same. Retroactive
periods are an add-on to a given policy that would be sold to the insurer to
modify the base policy by lengthening it.
A third way for a policy to work is that
the injury and the notice must both occur during the policy period. If this were the way the system worked, no
claim would have to be filed during the policy period. The insured would simply
be notifying the insurer of claims, which it believes may arise.
A fourth way for the contract-created
system to work is that there is an extension period during which the claim
and/or the reporting can happen after the policy period ends. This extension
comes after the termination date of the basic policy.
A fifth way it might work is that there
is an extension period “backward in time” so that at least one of the three
events required—the injury, the claim, and the notice–can occur during that
extension period. Usually that is the
is that there are extensions moving in both directions on the same policy.
common in both real-world policies and in the cyber-world. The expense is,
obviously, to some extent at least, determined by the length of times specified
in the extensions. Different extensions can involve different costs, and that
can happen on the same policy.
temporal size of the extensions is prima facie fixed by standard, antecedently
existing forms. These do not exist in the cyber world, but each insurer will
have its own forms. Of course, the extensions in real world appear in
endorsements, and they can be further extended.
Extensions deviating from the
generally received extension temporal specs found in the standard forms is on
the rare side.
policies even without any industry-wide standardized forms. You would expect
there to be more deviation here regarding extensions in policies, but that is
not happening. The most reasonable guess is that there are not actuarial
statistics to make assorted extensions more reasonably acceptable. The same
standardized arrangements regarding extensions will, in the future, will likely
evolve in the context of cyber-insurance as it already appears in the real
world. For one thing, most of the
insurers producing cyber insurance policies also already produce real world
policies, e.g., Chubb, St. Paul, some AIG companies, Travelers, Liberty Mutual,
claims-made policy, just like any other policy. They can also renew the policy
and refuse to renew either or both of the extension periods. Sometimes contracts of insurance, whether
real or cyber world, can impose contractual obligations on the insurer to renew
coverage. Obviously, all sorts of
insurance policies, including cyber policies, have monetary policy limits; some
reduce policy limits by defense costs; some have deductions; others have self-insured
retentions, and there are yet other commonalities. (I have never seen an
insurance policy of any kind without either deductions or self insured
retentions. I cannot recall running
across a policy with both, but in theory that is possible.)
Structures: Cyber and Otherwise
hundreds of years, contracts of insurance have had the same structures. They
have not always been divided up in the same way, but they have been for maybe
100-150 years or more. Most of what is written here is as applicable to excess
policies, of whatever level, as it is to primary policies. The structure of
policies is quite simple:
One or more sections explicitly stating what coverages are included in the
policy, e.g., what perils are insured, who is insured, the upper limits on the
policy, as already said, the deductible, i.e., how much will be taken off what
the insurer will pay) or the self-insured retention (i.e., how much the insured
must pay before the insurer has any obligations),[i]
the price of the policy, the size of the policy, sometimes the name of the intermediary,
and various miscellaneous information, e.g., email addresses, normal usable
phone numbers, emergency numbers, and so forth, for the insured providing
notice to the insurer. In English
language lingo, they are called “dec sheets” or “dec pages.”
point mentioned here; it concerns what professionals are insured under a
policy. Sometimes on dec sheets there
are lists of what or who is insured. In cyber world policies, various kinds of
classes of professionals insured are set forth. This can be very important for
There are one or more specifications as to what is insured, e.g., an insuring
agreement, with a fully complete panoply of coverages, or a number of
different insuring agreements, each with one or very few insured perils
listed. The purpose of some of these insuring agreements is, as it were, to
provide the insurance customer with a shopping basket. These divisions make no
difference to the substance of the policy.
party policies, are “all risk” policies, and others name the perils insured
under the policy; sometimes there is one such peril, sometimes more. In the universally established lingo of
insurance, the latter type is called a “named peril policy.” This
linguistic fact comes as a surprise to no one, nor does it matter. All
cyber-policies are named peril policies; none of them purport to be an all
risk policy, whether first-party or third party.
Another way in which cyber-policies are like real-world policies is that they
can be “package” policies. In other words, they can list several insured
perils, and the insured may be purchasing all of them, some of them, or some
combination of them. There might be some
for liability coverage, and some for first-party coverage, or they might divide
between first and third party in given policies but then have different first
party perils in one of them and different third-party perils in the other. Cyber
policies are now, at least quite often, package policies to some degree.
insuring agreements of cyber policies concerns how the insurer will compensate
the insured. (i) Some parts of some cyber policies are “pay on behalf of”
policies, e.g., when it comes to the costs of defense, but not other parts of
the policy. This obligation can stretch out over a whole policy and sometimes
it is restricted. (ii) Some sections of the same policy are reimbursement
sections and some may be reimbursement policies all the way through. There is no reason to doubt that some
cyber-liability-policies are and will be formulated in terms of reimbursement
even as to the duty to defend. Sometimes this is a good thing. If the insured
has plenty of money, can afford paying for a defense, and wants to keep all of
the policy limits for damages if they have to be paid at some time in the
unpredictable future, then a reimbursement arrangement for the duty to defend
may be rational. One can easily imagine such things applying to cyber-world
liability policies. (iii) “We-will-pay” terms for setting forth the
insurer’s duties are different yet; they may simply say the insurer “will pay”
for XYZ, but it is not said when.
All insuring agreements in cyber insurance policies use definitions. The amount
and complexity of policy definitions is a distinguishable feature of cyber
policies. Partly this is true because they are named policies, but there are
other reasons, as well. As we shall see in the next bullet point all
definitions used in insuring agreements are stacked. To expand the point, in the last 100-150
years, all the policies I can remember, have used definitions. As the decades have gone by, more and more
definitions get used. Thus, as of now, absolutely all insurance policies are
filled with and heavily depend upon definitions. Different signals in the
insuring agreement call attention to them: bold letters, underlining, quote
marks, italic, and perhaps others. Cyber
policies work the same way without exception.
In cyber contracts of insurance, there are many more definitions than
are usually found in real world policies—sometimes there are as many as 50 or
more. These definitions are often quite complex, difficult to understand, and structured
as stacks. Stacking means that one starts with the signaled definition; it is
connected to one or more other definitions which define that definition; and
those definitions are linked to even more definitions. This stacking can be
very extensive. Of course, there can be
(and are) stacks in real-world policies, but there are not so many definitions
in given stacks. Fortunately, not all
definitions are stacked or stacked to serious depths, but the definitions are
Exclusions. All insurance
policies contain exclusions. In many 19th century policies, they were there but
not named such. Sometimes they were
built into the description of the peril and that is still done; sometimes they
were built into the definitions and that is still done. Like definitions, the
use of exclusions is more lengthy and more numerous in cyber-policies than in
real-world policies. By my observation, there may be as many as 50±, and the
definitions used in them are often stacked.
As one might expect, some of the definitions found in cyber-policies are
also found in real-world policies; this is true of both claims-made policies
and others. Here are several examples:
Deliberate conduct where the injury is
Serious criminal conduct
Wartime injuries, and more.
There is always a section for conditions.
Significantly, in the long existing common law of contract conditions
are distinct from other provisions in insurance policies. They are not really
statements of promised rights and duties.
They are simply descriptions of acts the insured must perform in order
to qualify for coverage. It is not a breach of contract for an insured not to
perform one of the requirements; the insurer has no right to performance; and the
insured has no duty to perform.
Nevertheless, setting aside subtleties, conditions are often treated as
covenants. This is not necessarily a bad
thing, since breaches of immaterial covenants by the insured do not end the
insurer’s duty to perform. This change
has proved especially helpful in dealing with the most notable policy
condition, the as-soon-as-practicable notice-to-the-insurer requirement.
any case, here are some conditions to be found in cyber policies. They may
differ a bit from policy to policy, but not much, and many of them resemble the
conditions to be found in real-world policies:
requirements explanations as to how to provide notice,
as to how losses of business income/profits (business interruption) are to be
conduct of legal actions against the insured,
resolutions clause (usually arbitration),
appraisal (triggered more often by insureds that insurers),
to be disclosed to the insurer by the insured during policy period,
matters, permissible waivers (usually none),
(how-to + consequences),
the application is to be included in the policy and
warranted to be truthful and so forth.
these conditions in a cyber policy is significantly different from that found
in a conditions section in real-world policies. None is conceptually different.
Instructions on how to give notice in a
complex high-tech case may be different from a simple requirement to give
simple notice, but the basic ideas are the same. Though conceptually similar,
specifications regarding the measurement of business interruption are different.
That is quite often left unstated in detail; the foundation of that type of
claim is different from most first-party contracts of insurance in the real
world, where the foundation for all such claims is physical injury to tangible
property, unlike what is required in the cyber world.
behavior. They do not usually say anything about the substance of the policy.
They are probably not intended to do that.
Sometimes substantive matters can be “hidden” there, and often
procedural matters have implications for substantive matters.
Sometimes there are extra sections. In one cyber-liability-policy I studied
recently, there was an extra section devoted to the insurer’s duty to defend,
emphasizing limits and exclusions, or what were in effect exclusions. These
sections are nearly always found in liability policies, although they are
sometimes formulated in terms of reimbursement rather than the insurer paying
for the defense “on behalf of” the insured. That section of the policy was not
to be found in the insuring agreement where it usually is, nor was there
anything about that duty in the section containing definitions. I was and am
puzzled by this organization.
separate section is how loss adjustment is to be conducted. These sections identify what insureds are to
do about cooperating with adjusters and those on whom they depend, e.g.,
forensic types, accountants.
to remediate, as much as reasonably possible, mentioned in the conditions
section, it is to be found here. These clauses are usually quite brief, even in
cyber policies. This is true even though
remediation may well be much more esoteric in dealing with cyber losses than with
most real-world cases, even those involving complex physical destruction.
considerable number of disputes about remediation matters; insureds are well
advised to provide remediation plans to their insurers and try to get approval. Often they will be neither approved nor
rejected, and it will be said that it is for the insurer to determine what to
do and how to do it. The insured’s,
having submitted a remediation plan to the insurer, can have later significant
often to be found in a separate section, if not the conditions section, is how
to count the number of causes of loss, and how to think about situations
when there are groups of different causes.
The reason this is important is that most cyber policies require that
the relationship between cause and effect be “direct.” Some try to count this as the cause being the
sole cause of the effect. This is
nonsense, of course; the word “direct” has no such meaning. Significantly, the word “direct” and
“directness,” “result directly from,” and so forth are often not defined in
Robin Pearson, INSURING THE
INDUSTRIAL REVOLUTION: FIRE INSURANCE IN GREAT BRITAIN, 1700-1850 (2004). (Note
in wrong place.)0
Originally posted on 06/24/2014 @ 5:29 pm