Although the insurance market has developed a dedicated product line that addresses the initial risks faced by companies, such as data breach and business interruption due to network failure, traditional insurance products in their design have not historically contemplated the exposure to protect against cyber risks. Companies can purchase cyber specific cover in the form of extensions to traditional policies or as standalone cyber policies.
In addition, underwriters of traditional insurance business lines have, in some cases, reacted to the emergence of this new class of risk by introducing several endorsements addressing the disclosure or access of confidential personal information within the commercial general liability policy through exclusion endorsements (CG 21 06 05 14, CG 21 07 05 14 and CG 21 08 05 04). The result is a mix of implicit and explicit cover as well as a number of exclusions to contend with. It makes it an exercise in and of itself to ascertain the true level of cover for any given cyber risk scenarios.
Cyber gaps and exclusions in traditional policies, together with the emergence of standalone cyber insurance solutions for new risks, often create a complex picture, where businesses struggle to fully understand the boundaries of their cover.