The loss of confidential information can be crucial to understanding the interactions between cyber and crime coverage, attendees to the NetDiligence Cyber Risk Summit heard on Friday.
Matthew Davies, assistant vice president of Chubb Insurance Company of Canada, said that one major difference between crime and cyber policies is that the former doesn’t address the loss of confidential information, especially one’s own confidential information or clients’ confidential information in the care or control of the company.
Davies was one speaker at a session titled Coverage I: Current Underwriting Issues: Gaps & Intersections, held at the Ritz-Carlton in downtown Toronto.
“A cyber policy is specially designed to address the theft of that information, provided it’s someone else’s information, it doesn’t cover you for loss of your own client list or that rogue employee taking your recipe for the secret sauce or the widget that you just invented,” he said. “But if you had a third party’s information about the design of the widget and you lost that, a cyber policy would respond.”
The differences and overlaps between crime and cyber coverage may be difficult to understand, even for courts, conference attendees heard. Davies pointed to a case in the United States where a crime policy was forced by a court to have to respond to the theft of confidential information. “The judge decided that the confidentially exclusion in a crime policy was not well-written, so he found coverage under that crime policy, which went against all other precedents,” Davies explained. “So the insurance industry pretty much as a unified force rewrote the confidential information exclusion in the crime policy to clarify we have no intent of covering theft of confidential or intangible information.”
The crime policy is about employee fraud largely, he went on to say, that is for the most part meant to protect the business from an employee who embezzles or takes property or money. “The whole idea of the confidential information exclusion as being in these policies for decades, [is] because insurers didn’t want to have to try to quantify what is the value of the client list that was taken by the rogue employee,” Davies suggested.
In summary, crime polices are “long in the tooth, very traditional, have a lot of jurisprudence behind what the words mean in a crime policy,” he said. “Cyber policies being the new kid on the block, we’re waiting to see what those words mean.”
Another speaker, Francine Armel, senior vice president and chief underwriting officer with Creechurch International Underwriters, agreed that “cyber is a newer product. The pricing for it is not based on historical actuarial data because that doesn’t exist yet.”
Armel noted that there is also a direct component in crime policies. “It’s got to be a direct loss. And there’s potential issues if you are trying to claim a cyber loss under a crime policy,” she said.
The session also heard about the interactions between cyber and commercial general liability; contingent business interruption and regular business interruption claims; and cyber and directors’ and officers’/errors and omissions coverage.
The session was moderated by Susan MacEachern, senior vice president of AXIS Insurance. Other speakers included Miki Ho, senior underwriter in the professional indemnity and cyber risk department of Allianz Global Corporate & Specialty, David MacKenzie, partner with Blaney McMurtry LLP and Brian Rosenbaum, senior vice president at the national director of the legal and research practice at Aon Reed Stenhouse.