Why did it take seventeen years to write a cyber exclusion?

The history of the Absolute Cyber Exclusion seems to be another good place to go with this series of posts. Thanks to my friends at the Insurance Library, the research is at my fingertips. Strap in, it’s going to be a bumpy ride. Or just a boring story about insurance policy language. Who knows? 

Before we can track down the history of the Absolute Cyber Exclusion, I first wanted to determine when the first cyber policy was introduced. It turns out there is a weirdly specific answer to this question. 

The first cyber insurance policy was introduced on April 15, 1997, according to an article in the Insurance Journal. Here’s how Steve Haase, CEO of INSUREtrust, describes the creation:

“We went to the International Risk Insurance Management Society’s convention and launched it on April 15th of ’97. We had a big celebration in Honolulu with our famous Breach on the Beach party. We’re not sure what that is yet, but we had a Breach on the Beach party.”

That must have been some party. 

Since the advent of the cyber insurance policy, insurers and insureds alike have realized that non-cyber insurance policies may also cover a cyber event if “cyber” is not specifically excluded (also known as Silent Cyber or Non-Affirmative Cyber). Not surprisingly, many versions of Absolute Cyber Exclusions have been promulgated to try and correct the Silent Cyber issue. 

ISO is one entity that has attempted to tackle silent cyber exclusions. ISO introduced its first silent cyber exclusions in 2014. While the content of those exclusions is beyond the scope of this article, two interesting points come to mind.

First, I always wondered why it took so long for ISO to respond with cyber exclusions. It turns out I was not the only one. In the linked article, the Insurance Journal asked the following: 

“Some have argued that the insurance industry, including ISO and carriers, may have been slow to respond on [the cyber exclusion issue].” 

There was a seventeen (17!) year gap between the introduction of the first cyber policy and the first ISO cyber exclusion. 

[As a postscript, our analysis of the London Insurance Market suggests they introduced an absolute cyber exclusion after ISO.]

Second, and most relevant to this analysis, is the question of whether the ISO cyber endorsements can be considered an absolute cyber exclusion. The National Underwriter Company published legal commentary raising this very question: 

Do you know why there was a seventeen-year separation between the first cyber policy and the first ISO cyber exclusion?

Do you have a view on the effectiveness of the 2014 ISO cyber exclusion?

Let me know (email me at chris@riskgenius.com). I’d love to interview for an upcoming podcast episode.

Next time, we will focus on what non-ISO jurisdictions and corporations are doing to exclude cyber.
