Some Substantive Contents of Cyber
Policies
Michael Sean Quinn, Ph.D., J.D., Etc.
2630 Exposition Blvd. #115
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503
Some General Propositions
There are very few industry-wide standardized cyber policies of any species, though there are single-company uniformities in some policies. This lack of generally used standardized policies persists even though insurers read specimens of each other's policies and sit on joint insurer committees that discuss standardization, among many other topics.
Insurance companies have always been conservative about moving into new topical areas. It took hundreds of years to move from coverage protecting merchants from bandits while crossing the desert to primitive maritime insurance. (The maritime portion of this type of insurance was called “bottomry.”) Widely used maritime insurance, as we know it, took more than a thousand years to develop; commercial fire insurance came a mere 250-300 years later. In there somewhere was burial insurance for soldiers, which more or less died out, and guild insurance on various perils, some of which lived into the 20th century if labor unions are the progeny of guilds, along with other components of this grand commercial evolution.
General organizational features of cyber policies have already been set forth. In the cyber world, some insuring agreements, some definitions, and some exclusions are unique. Nevertheless, cyber liability policies have thematic similarities. First, a generalized list of the substantive components of first-party policies will be discussed presently. After that, such a list will be presented for liability policies. Some policies are liability policies only; others are first-party policies only. Some policies may contain all the covered categories on the lists, a few have less than that, and some may have only one.
Most cyber policies are package policies. This means that there is more than one form of coverage, and the insured can pick parts of them. This is not just a distinction between first-party coverage and third-party coverage. There may be, say, 10 different liability coverages, and a customer (an insured-to-be) can often pick any one or more of them. (Sometimes the customer cannot pick just one without also picking at least one other. Imagine this: if a “near to being an insured” picks Insuring Agreement #2, it must pick Insuring Agreement #6 as well.)
Of course, (a) pure excess policies, though not umbrella policies, and (b) reinsurance policies, whether at the first level of reinsurance, the “merely re,” or the next level up, the “retro re,” must work the same way, though for different reasons. For excess policies, the insured under the primary policy is the insured under the excess and the umbrella. Thus, one would expect that excess policies would match up with primary policies, and that umbrella policies would also, to the extent they are not really primary policies. And one would expect that a reinsurance policy would match up with the policy being reinsured, at least for the most part. Neither of these expectations need be perfectly descriptive; the unexpected “non-match-up” can happen and be planned, agreed to, and rational.
Some Structural Categories for First-Party Policies
These sorts of policies are designed to help the insured deal financially with covered events that unfortunately happen to it and cause losses. The nature of the potentially unfortunate event is, throughout insurance, called “the risk,” and, throughout insurance, it is also called “the peril.”
I find this common usage confusing. Guess what. The cause of my confusion is the imperfect—indeed, inconsistent—pattern of usage. Someone might think the way it should be done is this: a peril is a category of event, e.g., storms, for which there is coverage, while the risk is a concrete event of the sort which is a peril, i.e., the storm that occurred, where that event fits within the insuring agreement but may still fall within an exclusion. The trouble is that this suggestion does not correspond to common, though confused, usage, and it does not set aside a term for the relationship between the potentially injury-causing event, the risk, and the probability that the insured will sustain damages, i.e., its risk. And, of course, yet another distinction would have to be drawn. On the one hand, the insured has risks arising simply from what it does and where it is done. If an insured operates a fishing boat in the Gulf, it (i) faces the risk of storm; (ii) if there is a storm and the insured is in it, the insured faces the risk of destruction; (iii) and if the storm destroys the boat, the insured faces the risk of going out of business. There are three related but different risks here: (i) event risk, (ii) cause-of-damage risk, (iii) risk of loss. (Oh well. Conceptual life goes on. Besides, there may be ways to integrate the vocabularies to avoid the semantic tangles. Thus, instead of there being perils, there might be categories of risks.)
In any case, here are the categories of causes (perils, in the usual vocabulary) from which the covered unfortunate events can arise:
* nature (actually a meta-category, or a peril-set, but never mind),
* foul-ups of the policyholder (including both negligence and some deliberate acts of the insured),
* those of another insured on the policy,
* those of the policyholder's employees,
* those of one or more known or unknown outsiders,
* foul-ups of outsiders combined with the policyholder's own,
* the deliberate acts of strangers, and perhaps of others as well.
Of course, more, or many more, of these perils can participate in the same process and/or at the same time in creating the same risks or causing the same losses. In other words, causes of loss in the cyber world are just as combinatorial, and therefore just as many, as in the real world.
Both insurers and insureds want to know the probability of any risk, though for somewhat different reasons. And then they want to know the probability that a risk, having occurred, will cause loss.
Here are some typical insuring agreements in first-party cyber policies (or parts of policies):
* The network security of the insured is breached.
* The privacy components of the insured are breached.
* A regulatory proceeding is inflicted upon the insured.
* The insured is subject to an adverse media event, e.g., an insured is defamed.
* The insured's digital assets are destroyed, damaged, or rendered unusable.
* The business income of the insured is reduced.
* The insured is subject to an extortion or “X-napping.”
* The insured's system is subject to negligent care of some sort:
  - design,
  - construction,
  - maintenance,
  - securitization,
  - and so forth.
The reader will note that many of the covered categories, though not all, turn up in both first-party cyber policies and third-party policies.
Of course, there is a whole variety of definitions. Some commonly used terms are defined: “Damages,” for example, and “Claims,” for another. Many of these terms and phrases are found in real-world policies, though the definitions are most often different. Almost every term which is technical-sounding and/or connected to something central in the cyber world is defined. The definitions are “stacked,” meaning that for many definitions that explicitly appear on the semantic surface of a policy, in the insuring agreement, for example, there is at least one further defined term used within the definition. And then for many of the second-level definitions there is a third, and so on. Here are common examples of such terms: “Digital Assets” is like this, as is “Electronic Publishing,” along with “Network Security,” and many others.
Some Corresponding Categories for Liability Policies
Here are some coverage categories for cyber liability policies. The insured's liability rests upon performing “wrongful acts or omissions” (WAO, this abbreviation covering both the singular and the plural, as called for). This whole category rests upon the definition of “wrongful act,” and all of them are first-stage triggers:
* WAO injuring the network of another by dispatching “malicious code” and similar “poisons,”
* WAO causing invasion(s) of privacy,
* WAO causing release of private information by another by taking, turning over, distributing, or setting up others to do so,
* WAO involving Internet media use,
* WAO of cyber professionals and/or vendors of cyber-services,
* performance of any form of hacking, all of which are WAOs, and/or
* assisting another (or others) who actually do the hacking.
In any given policy, the definitions section and the exclusions section are the same for both first-party coverage and third-party coverage. This is not unusual in package policies.
A Few Elaborations
There is more public concern and outrage regarding privacy invasions and thefts than regarding any of the other categories. There is also more interest in these areas where liability insurance might be involved. Many of the urgings one finds in the advertising literature emphasize this topic. It seems to me that sometimes the ads collapse together first-party concerns about privacy violations with third-party concerns. The idea that individuals might wish to buy special first-party insurance covering invasions of their own privacy coming from the cyber world is unheard of, as yet, so far as I know.
Nevertheless, cyber-invasions of people and companies, actual inhabitants of the real, real world, are often categorized as “identity thefts,” and for good reason. Maybe a special first-party type of coverage would be a good idea. Think of the marvelous subrogation cases it would generate.
Claims-Made Policies
Cyber policies are all “claims-made” policies, so far as I know. In general, this alone distinguishes cyber policies from most other liability policies, which tend to be occurrence-based. In the latter, there can be a covered injury that occurs during a policy period but which is not reported to the insurer, or asserted against the insured by the alleged victim, until after the policy period expires, sometimes a long time after; there may be coverage in such instances, depending mostly on the nature of the injury and other facts about what happened. (Think asbestos.) This is not the way claims-made policies work. For them, the claim must be made against the insured during the policy period.
In spite of the above distinction, there are many phases of claims under claims-made policies in both the so-called real world and the so-called cyber world. All of them contain the following concepts:
* the event (allegedly) causing injury (the risk?),
* the category of which that event is a type (the peril?),
* the injury or damage, sometimes called the “loss,”
* the claim of alleged injury, often with a demand for compensation, made to the insured or its conduit, and against the insured (a communiqué of some sort, almost always written, but not always),
* the notice by the insured to the insurer, often also called a “claim,” i.e., a claim or demand for coverage (many insurers try to insist, prima facie anyway, that the notice or claim come from the insured and, usually, that it be in writing, though not always),
* adjustment, also often called the settlement process, and
* resolution or denial.

[The reader should please keep in mind that Quinn Blogs are intended to be thought-stimulating (or thought-provoking) tools only. They are not intended to be perfected essays. They are in-progress disquisitions only. They are not essays polished to completion. Maybe another time.]