AAIS COVERAGE PERSPECTIVE


EDP COVERAGE AND THE INTERNET

By Robert J. Prahl, CPCU


The American Association of Insurance Services (AAIS) has revised the Electronic Data Processing (EDP) section of its Inland Marine Guide in an effort to reflect on and clarify key coverage issues involving electronic property. The new section now includes definitions for "computer virus" and "computer hacking" and explains the coverage provided to address those exposures.

The intent of the EDP coverage forms is to provide "open perils" coverage for data processing hardware and software. This is achieved by offering a choice of three principal forms for writing EDP coverage:

* A revised form that provides scheduled but broad coverage for hardware and software that is intended for insureds with total values over $250,000. This is considered the mid-level form in terms of coverage provided.

* A revised form that provides scheduled coverage for hardware, software, and loss of income that is intended for insureds with total values up to $250,000. This is considered the basic form.

* A new form that provides coverage with blanket limits at scheduled locations that is intended for insureds with total values over $250,000. This is considered the most comprehensive form.

The EDP coverage forms may be written as part of a commercial package program or as monoline forms.

All three forms require the use of a schedule of coverages that is designed to schedule all covered locations, indicate the applicable limits for each location, indicate the sub-limits that are built into the forms, and show the applicable deductibles. Sub-limits can be changed simply by indicating a different limit on the schedule of coverages. A company-designed declarations page(s) can be used in lieu of the schedule of coverages.

Also available is a form that can be used to provide loss of income coverage for the scheduled and blanket forms, designed for insureds with values over $250,000. (An income coverage provision is automatically included in the basic form.)

Property covered also includes protection and control systems (air conditioning, fire protection equipment, etc.), telecommunications equipment (telephone systems, facsimile equipment, etc.), and reproduction equipment (equipment for copying or scanning). In the basic form, coverage for this property is available only by endorsement.

Coverage for hardware includes loss to hardware owned by others that is in the insured's care, custody, or control while at a described premises.

What is hardware?

The three forms define "hardware" as a network of electronic machine components (microprocessors) that accept instructions and information and process the information according to instructions. Examples of hardware are:

* mainframe and mid-range computers and servers

* personal computers and workstations

* laptops, palmtops, notebook PCs, other portable computer devices and accessories, including multimedia projectors

* peripheral data processing equipment such as printers, keyboards, monitors, and modems

A supplemental coverage, off-site computers, provides coverage for computers used by employees in their homes, while computers are in transit, and while they are temporarily at a location not described in the schedule of coverages. In addition, the blanket form (comprehensive) provides coverage for a Web site server located at the premises of a Web host. The form contains a built-in sub-limit for this coverage, and the Web host's location need not be scheduled. With respect to the mid-level and basic forms, coverage for the server can be provided, but the Web host's location must be scheduled. Coverage can also be provided by attaching an off-site server endorsement, which does not require that the Web host's location be scheduled. Therefore, the insured can change Web hosts without having to amend the policy.

If an insured installs and operates its Web site server at its own location, the server can be covered on the same basis as the insured's other hardware (e.g., mainframes, network server). In this situation, the location limit for hardware should include the values for the Web site server; then off-site server coverage would not be necessary.

What is software?

"Software" is defined as media, data records, programs and applications, and proprietary programs.

Media include disks or cartridges containing instructions and information. Data records refers to the insured's files, documents, or other information stored on media. Programs and applications refers to "off the shelf" software products such as operating programs (e.g., Windows 2000) and applications (e.g., Word, Excel). Proprietary programs are programs specifically created for the insured.

The reason software coverage is separated into four parts with limits indicated for each type is so that agents and insureds will provide complete values and limits for all types of software. IT professionals usually consider software to be "off the shelf" products that are installed in hardware or that come pre-installed. When determining the value of software for insurance purposes, agents or insureds often use the value of "off the shelf" software. Although this reflects the value of media, operating programs, and applications, often overlooked is the value of data records and modified operating programs and applications that were created for the insured.

Another reason for defining data records and proprietary programs with a specific limit is that it clarifies the intent to cover the cost of research and reproduction of records and proprietary programs.

Supplemental coverages and extensions

The three forms also contain broad coverage extensions and supplemental coverages. Coverage extensions include:

* electrical and power supply disturbance

* debris removal

* emergency removal

* emergency removal expense

* fraud and deceit (also known as trick and device or voluntary parting)

* mechanical breakdown

Sub-limits vary by form.

Supplemental coverages include:

* acquired locations

* incompatible hardware/media

* newly purchased hardware

* off-site computers

* off-site server

* foreign transit/location

* pollutant cleanup

* property in transit

* proprietary programs and data records

* protection/control systems

* recharge of fire extinguishing equipment (not covered in basic form)

* reproduction equipment

* rewards

* software storage

* telecommunications systems

* virus and hacking coverage

In both the mid-level and basic forms, some of these coverages are available only by endorsement, and sub-limits vary by form.

The Electronic Data Processing Forms Comparison Table on page 44 provides an overview of the coverages and exclusions contained in each form.

Computer virus and hacking coverage

The approach to coverage for loss by computer virus or computer hacking is to exclude such losses and then provide coverage via a supplemental coverage with a specific sub-limit. In this way coverage is provided, but the exposure can be controlled by the use of a specific limit.

Coverage is provided for direct physical loss to the insured's hardware, software, or Web site caused by a computer virus or by computer hacking. Limits vary by the particular form.

What is a virus? The forms define a computer virus as a self-replicating software code that is introduced or brought into the insured's hardware, software, Web site, or computer network. A virus can result in deletion, destruction, or modification of software; the malfunction or corruption of hardware; or the denial of access to the insured's network or Web site. A virus attack is considered to be an act of vandalism and is often an indiscriminate attack without a specific target.

What is hacking? Hacking is defined as an unauthorized intrusion into the insured's hardware, software, Web site, or computer network. In addition to causing similar loss or damage to the insured's property as described above under a computer virus, hacking can also result in the scanning or copying of information contained in the insured's software. Computer hacking is a targeted attack against a specific entity and can be considered an act of vandalism, theft, fraud, or spying.

It must be emphasized that coverage for viruses and hacking does not apply to certain types of non-physical, economic losses such as loss of exclusive use of any data or proprietary programs that have been copied or scanned, loss of economic or market value of data or proprietary programs, or theft from data records without specific physical loss. In addition, denial of access to the insured's hardware, computer network, or Web site is not covered, unless the insured carries income coverage.

Income coverage

An income coverage endorsement is available as an option with the mid-level and comprehensive EDP forms. (Recall that a more limited income coverage provision is automatically included in the basic form.)

Coverage is provided during the "restoration period" when the insured's business is wholly or partially interrupted by loss or damage to covered property at a scheduled location caused by a covered peril. Coverage also responds when loss or damage to a scheduled premises prevents the insured from using covered property or air-conditioning or electrical systems that are necessary for the operation of covered property. Covered property includes hardware, software, protection and control systems, telecommunications, and reproduction equipment.

Two coverage options are available: earnings and extra expense or extra expense only. Earnings refers to the actual loss of net income that would have been earned and continuing operating expenses normally incurred, including payroll expense.

Extra expense refers to extra expenses that are necessary during the restoration period and that the insured would not have incurred had there been no loss. Also covered are extra expenses to prevent or reduce the interruption of data processing operations by conducting operations at the described premises or at a replacement or temporary location. If the insured is able to reduce the loss by repairing or replacing property or researching or restoring information on damaged documents or records (including those on electronic or magnetic media), the extra expenses incurred to accomplish the reduction will be covered.

The table at right compares the income coverages and exclusions contained in this endorsement vs. those provided automatically in the basic form.

Endorsements

In addition to the three principal forms and the income coverage part, the new EDP section of the Inland Marine Guide contains 11 endorsements:

* Earthquake and Flood Exclusion (the principal forms do not exclude loss by earthquake and flood)

* Upgrade Value

* Electrical and Power Supply Disturbance Limitation

* Incompatible Hardware and Media Off-Site Server

* Foreign Transit and Location Coverage

* Reproduction Equipment

* Interruption of Web Site

* Functionally Comparable Hardware - Valuation

* Coinsurance Provisions

* Telecommunications Equipment

* Power Protection Equipment

As indicated in the comparison table, these endorsements are not necessary with the comprehensive form, and many of them are not necessary with the mid-level form because the coverages provided by the endorsements are built into those forms.

Rating

The rating materials in the Guide provide suggested rating methodologies in a loss costs format for the traditionally non-filed classes.

The new EDP rating section has been updated to reflect new exposures designated in the coverage forms. The rating methodology for income coverage has been updated to use a coinsurance percentage and incorporates a modification that reflects exposures specific to income coverage, such as Web site interruption.

For more information about the AAIS Inland Marine Guide, contact: Robert Schnoll, AAIS marketing manager, at bobs@aaisonline.com or (800) 564-AAIS (2247), ext. 222.

The author

Robert J. Prahl, CPCU, is director of education for the American Association of Insurance Services.

AMERICAN ASSOCIATION OF INSURANCE SERVICES INLAND MARINE GUIDE ELECTRONIC DATA PROCESSING--FORMS COMPARISON

Coverage Comparison


| COVERAGE FORM | Mid-Level | Basic | Comprehensive |
|---|---|---|---|
| | IM 7200 05 01 | IM 7201 05 01 | IM 7202 05 01 |
| | Scheduled Limits | Scheduled Limits | Blanket Limits |
| Schedule Of Coverages | IM 7205 05 01 | IM 7206 05 01 | IM 7207 05 01 |
| Property Covered | | | |
| Equipment: | | | |
| Hardware | Covered | Covered | Covered |
| Protection and Control Systems | Supplemental Coverage | IM 7232 | Covered |
| Telecommunications Systems | Supplemental Coverage | IM 7228 | Covered |
| Reproduction Equipment | Supplemental Coverage | IM 7227 | Covered |
| Software: | | | |
| Media | Covered | Covered | Covered |
| Programs and Applications | Covered | Covered | Covered |
| Data Records | Covered | Supplemental Coverage | Covered |
| Proprietary Programs | Covered | Supplemental Coverage | Covered |
| Coverage Extensions | | | |
| Electrical and Power Supply Disturbance | Programs within 500 ft. | Covered | Covered |
| Additional Debris Removal Expense | $10,000 | $5,000 | $25,000 |
| Emergency Removal | 365 days | 365 days | 365 days |
| Emergency Removal Expenses | $2,500 | $1,000 | $5,000 |
| Fraud and Deceit | $2,500 | $1,000 | $5,000 |
| Mechanical Breakdown Coverage | Covered | Covered | Covered |