Insurers Rethinking IT Coverage For 2002Insurers Rethinking IT Coverage For 2002

The New Year is bringing a host of changes for cyber-crime insurance policies. In 2002, many insurers will exclude online assets from standard commercial insurance policies, shifting the coverage to more costly supplemental policies. What's more, some policies will offer no coverage whatsoever if IT damage is terrorist-related. "I used to think cyber-crime would become a standard feature of commercial property policies," says Robert Hartwig, chief economist at the New York-based Insurance Information Institute. "Instead, the opposite has happened."

The intent of policies covering IT has been to protect against physical loss or damage--a computer zapped by lighting would be covered like any other piece of office equipment. But in recent years, companies have made claims on policies as a result of denial-of-service attacks. That was a problem for insurers, because traditional policies were designed and written when such attacks weren't an issue, says Tom Shields, senior VP of marketing for the financial enterprises division of Zurich North America. "There's the realization," says Shields, "that there's a tremendous amount of exposure which was never intended in the pricing of those policies."

Now insurers have drawn a line in the sand. "They want to make it clear that losses stemming from DOS, viruses, and intellectual property violations are not covered by standard policies," says Hartwig. Insurers started offering separate policies that covered malicious attacks back in 1999. Some supplemental policies have broader coverage compared to last year, such as Zurich's E-Risk Edge policy introduced earlier this month. An extension of the Zurich E-Risk E-commerce insurance program first offered in 1999, E-Risk Edge takes a more comprehensive view of E-business challenges. One new feature is dependent business income coverage, which helps cover business income lost as a result of vendor problems. "Over the course of the last few years, it's become very apparent that people really depend on other vendors to provide Internet-related services," says Shields.

Another new wrinkle for 2002 is lack of coverage for terrorist attacks on computer systems. "You still have coverage if a teenager in the Phillipines sends a virus and brings your systems down," says Hartwig. But companies won't necessarily be covered if a cyber-crime was designed to further a political or religious cause. Says Hartwig, "Most people think about terrorist acts as the destruction of property, but the definition insurers will use won't necessarily mean that."