ISO’s Cyber Incident Exclusion Endorsements - A Solution for the Silent Cyber in Commercial Property Forms?
When the ISO Commercial Property and the ISO Businessowners forms were initially written, the authors did not contemplate the types of cyber risks that could affect Property coverages today. Commercial Property policies cover “direct physical loss of or damage” to covered property. A key issue is whether a cyber-related event causes direct physical loss or damage to covered property.
Courts have reached different results when applying this Property language to cyber claims. When Cyber coverage is found in traditional forms, it is often called “silent cyber,” because many such forms do not directly address cyber coverage - neither by stating that coverage is provided nor by excluding the coverage.
To clarify its Property coverage forms regarding cyber exposures, ISO has drafted two endorsements:
- Cyber Incident Exclusion
- Cyber Incident Exclusion with Ensuing Cause(s) of Loss Exceptions
It is mandatory that one of these endorsements be attached to the Commercial Property or Businessowners policy, thereby addressing some aspects of potential Cyber coverage. We take a look at each ISO option.
1. Cyber Incident Exclusion
(CP 10 75 12 20 and BP 15 60 02 21)
This endorsement includes the more complete exclusion option. The endorsement adds an exclusion for loss or damage caused by a cyber incident. The loss or damage can be caused directly or indirectly, and the exclusion “applies regardless of any other cause or event that contributes concurrently or on any sequence to the loss”.
As used in the endorsement, a cyber incident includes unauthorized access to or use of any computer system, malicious code or any other harmful code used in any computer system, and a denial of service attack.
The exclusion is subject to several exceptions and limitations. The exceptions and limitations include:
- Loss or damage caused by a resulting fire or explosion
- The extent to which coverage is being provided in the Electronic Data or Interruption of Computer Operations Additional Coverages
- The extent to which coverage is provided by the Electronic Commerce Endorsement
- The extent to which coverage on the BOP endorsement is provided by either the Computer Fraud and Funds or the Information Security Protection Endorsements
The exclusion also states that vandalism, to the extent covered in the policy, is not considered a cyber incident as stated in paragraph A. of the endorsement.
2. Cyber Incident Exclusion with Ensuing Cause(s) of Loss Exceptions
(CP 10 76 12 20 and BP 15 61 02 21)
This endorsement is similar to the Cyber Incident Exclusion except that there is an additional exception for certain Other Causes of Loss resulting from a cyber incident. For the Standard Property policy and Basic and Broad Cause of Loss forms (or written on a Named Peril Basis on the BOP Form), the covered Other Causes of Loss generally include enumerated “covered causes of loss” other than fire and explosion - although flood, radioactive contamination, power outage and molten material are never contemplated.
For the Special Cause of Loss form, the covered Other Causes of Loss include “specified causes of loss” (e.g.: lightning; windstorm or hail; smoke; aircraft or vehicles; riot or civil commotion; leakage from fire extinguishing equipment; sinkhole collapse; volcanic action; falling objects; weight of snow, ice or sheet; and water damage) other than fire and explosion, and theft if not otherwise excluded.
The type of coverage provided for these Other Causes of Loss is determined by which per occurrence limit(s) is/are filled out in the schedule of the endorsement. A per occurrence limit may be scheduled for Damage to Covered Property, Business Income and/or Extra Expense. Additionally, the Company has the option to schedule an aggregate limit of insurance to apply to all the coverages scheduled with respect to all occurrences in a 12-month period. These per occurrence and aggregate limits are part of and not in addition to the limits in the policy’s Declaration Page.
It is important to note that loss or damage caused by fire or explosion resulting from a cyber incident is covered at full limits under the Cyber Incident Exclusion with Ensuing Cause(s) of Loss Exceptions endorsement, just as it is under the Cyber Incident Exclusion endorsement.
As these endorsements are designed to be mandatory, ISO companies should plan on attaching one of them to their Commercial Property and Businessowners policies. The proposed effective dates are December 1, 2020 for the Commercial Property endorsements and February 1, 2021 for the BOP endorsements. Before long, many Commercial Property insurers will be speaking up about the “silent cyber” issue.
- See ISO Circular LI-CF-2020-51.