Cyber and Data - The Bodily Injury Problem
By Cathy Trischan
In 2021, a hacker got into the computer system of a water treatment facility near Tampa, FL. The hacker tried to change the levels of sodium hydroxide (lye) added to the water supply to a dangerous level. Thankfully, an employee noticed the hacker’s actions before the water supply was contaminated.
When we think of the myriad problems that can result from cyber events such as hacking, ransomware attacks, or the introduction of malicious code, we tend to think about costs to comply with privacy laws, costs to restore data in systems, and business interruption. Bodily injury is not typically one of the primary concerns, but perhaps it should be.
Historically, the Commercial General Liability Policy (CGL) has been the primary policy turned to for bodily injury coverage. For certain types of businesses such as hospitals and medical offices, a malpractice policy is also needed, but for many businesses, the CGL would suffice.
Increasingly, though, coverage for bodily injury is being removed from the CGL if the loss results from a cyber event or damage to data.
MODIFICATION OF THE ELECTRONIC DATA EXCLUSION
One way that coverage for bodily injury can be removed is through an insurer’s use of Exclusion – Electronic Data – Deletion of Bodily Injury Exception (CG 21 85 12 23). This optional endorsement replaces a previous endorsement that served essentially the same purpose, Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included (CG 21 07 05 14). This endorsement creates a coverage problem even without the presence of a hacker or malicious code.
The Insurance Services Office, Inc. (ISO) CGL Policy (CG 00 01 04 13) includes the following electronic data exclusion applying to Coverage A.
This insurance does not apply to: Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
However, this exclusion does not apply to liability for damages because of bodily injury.
The Exclusion – Electronic Data – Deletion of Bodily Injury Exception endorsement deletes the last line, the bodily injury exception to the exclusion. Imagine that your insured is an electrician working in a medical office. He causes damage to the data in a computer that controls a piece of medical equipment, and a patient is injured. With this endorsement, there is no coverage for the electrician for the bodily injury.
CYBER INCIDENT EXCLUSION
In 2023, ISO introduced a conditional mandatory endorsement, Exclusion – Cyber Incident (CG 40 35 12 23). If you do not yet see this on your policies, chances are good that you soon will. This exclusion will be incorporated into the upcoming CGL revision that will be available for use in 2026. Among other things, the endorsement excludes bodily injury arising from a cyber incident. A cyber incident includes:
▲ Unauthorized access to or use of any computer system
▲ Malicious code
▲ Denial of service attack
Let’s revisit the Tampa water treatment facility. With this endorsement on the policy, had the attack been successful, there would have been no coverage for any bodily injury that resulted.
There are two endorsements that can be used in lieu of the Exclusion – Cyber Incident Endorsement. Both provide some coverage for bodily injury and property damage resulting from a cyber incident. Each endorsement includes an Each Cyber Incident Occurrence Limit and a Cyber Incident Aggregate Limit.
▲ Cyber Incident Liability Coverage Subject To Each Cyber Incident Occurrence And Aggregate Limits (CG 04 25 12 23)
▲ Cyber Incident Liability Coverage And Loss Of Electronic Data Liability Coverage Subject To Loss Of Electronic Data, Each Cyber Incident Occurrence And Aggregate Limits (CG 04 95 12 23)
This second endorsement has the added advantage of providing coverage for loss involving damage to electronic data resulting from physical injury to tangible property, subject to a separate Loss of Electronic Data limit. Imagine the electrician previously mentioned is sued for the loss of data in the computers he damaged. With this endorsement, there is coverage.
CYBER POLICIES
If keeping coverage for bodily injury due to a cyber incident in the CGL is not possible, one can look to the contingent bodily injury/property damage coverage in a cyber policy to fill some of the gap. Unfortunately, not all cyber policies include this coverage, and those that do typically offer coverage that is far less broad than the bodily injury coverage in a CGL. In addition, a sublimit typically applies.
As you can see, being on the lookout for ways that bodily injury coverage can be removed from the CGL is more important than ever.
Til next time!
Cathy Trischan, CPCU, CRM, CIC, ARM, AU, AAI, CRIS, MLIS, TRIP is IA&B’s commercial lines education consultant. She works with our CIC and CISR programs, as well as our live CE webinars. Catch her at one of our upcoming courses: IABforME.com/education