Policyholder Pulse
Over the past decade, technological innovations have quickly transformed how companies operate their IT infrastructure. Traditional on-site servers and hardware have often been replaced or supplemented by off-site solutions such as cloud computing, SaaS (Software-as-a-Service), virtualized servers, or “Bring Your Own Device” (BYOD) programs. These developments allow a business’s IT operations to be spread across a complex IT ecosystem rather than confined to physical devices located on its premises. They have the potential to reduce costs while expanding the computing capabilities at a company’s fingertips.
But they don’t come without risk. The ever-evolving nature of IT systems can create disconnects between the core features on which policyholders rely to operate their businesses—and that they seek to insure against cyber risks—and the defined terms used within their cyber policy’s coverage grant(s). While businesses may expect their cyber insurance policies to cover the full scope of their IT operations, including both on-premises and off-site resources, there is often the potential for gaps between a business’s actual IT operations and the policy language specifying the limits of covered systems. Accordingly, a central issue when procuring or renewing a cyber policy is how the proposed policy specifies the scope of the insured portions of the policyholder’s IT operations.
Cyber policies typically address this issue through a defined term such as “computer system,” “insured’s computer system” or “insured’s system.” Although the specific terminology may vary, most cyber policy definitions of “computer system” contain the same three key elements. When assessing a proposed policy for potential coverage gaps, it is vital that policyholders—preferably in conjunction with coverage counsel—vet each of these issues to ensure the coverage aligns with the policyholders’ business practices:
- Covered IT Assets: Policies may limit coverage to specific types of IT resources, such as hardware, software and data storage. It’s important to verify that all critical resources—especially those that are virtualized or cloud-based—are included.
- Relevant Entities: The policy should clearly specify which additional entities are included as part of the insured’s IT ecosystem, such as third-party vendors, service providers, and affiliates. If a policy limits coverage to direct relationships with IT service providers, incidents involving subcontractors or related affiliates may fall outside the scope of coverage.
- Nexus Language: Policies often define the relationship between insureds and their IT systems with terms like “owned,” “operated,” “leased,” “licensed” or “controlled.” Businesses should ensure that these terms align with their actual IT operations and related agreements, as discrepancies could lead to disputes over coverage in the event of a claim.
Policyholders should also note that, although “computer system” is a key defined term that can either resolve or create coverage gaps, an expansive definition alone does not guarantee that coverage will be available for every incident affecting IT systems within that definition. Rather, insurers may deploy several other provisions to limit coverage scope. Accordingly, cyber policies must be read as a whole, with attention to how one part may affect another.
Make sure your cyber coverage “computes.” Policyholders should work diligently to ensure that the coverage under their cyber insurance reflects the realities of their IT operations and related agreements for crucial IT services. Consider engaging closely with your brokers and coverage counsel to avoid potential coverage gaps in the event a claim arises.
RELATED ARTICLES
The Dangers of Dialogue: Ransomware Attackers Want to See Your Cyber Insurance Policy
Ohio Appellate Court Ruling Is a Reminder that Cyber Coverage Can Be Found in Unexpected Places