Cybersecurity coverage issues began to arise approximately 20 to 25 years ago, when computers started becoming ubiquitous in the workplace.[1] Historically, the coverage issue was metaphysical in nature: What is “data,” exactly? Could data constitute tangible property, for coverage under traditional commercial general liability (CGL) policies? Could data loss constitute a direct physical loss, for coverage under first-party property policies? These issues continue to arise today, as not all insureds purchase cyber liability policies and instead—or in addition—may seek coverage under traditional policies in case of a cyber breach.[2]
Modern cyber liability policies are usually written to avoid this quandary. Different issues arise, though. These issues include the scope of coverage, which may develop more slowly than the risks of the cyber world; whether any failure by the insured to implement cybersecurity measures may be grounds to disclaim coverage; and the impact of the novelty of policy terms and risks.
This article traces the historical coverage analyses, as an aid to today’s insurers, insureds, and coverage counsel. Next, it reviews common provisions of cyber liability coverages available today and the related issues that have arisen. Finally, now that some cyber liability coverage suits have been filed, the authors gaze into their crystal ball to see what coverage and bad-faith arguments and defenses may be raised.