Insurance policies, by the very nature, tend to limit coverage. A Commercial and General Liability (CGL) policy is designed to cover certain risks, but does not cover others. It typically will protect your business from a customer being injured on your premises, but it does not cover physical damage to your property from a storm.
Coverage that is not covered by the CGL will then cause the insured to obtain additional coverage for those specific risks, such as property damage to the business, which may require additional coverage, if you are located in a flood prone area and require flood insurance over and above your general property damage policy.
A business may purchase a cyber risk policy to protect against the risk of their systems being hacked and personal data being compromised. But when a data breach occurs, like the many that have happened this year to large retail organizations, coverage may be demanded from more sources than merely the cyber risk policy.
At a recent conference on insurance law and cyber risk, it was pointed out that CGL claims could be caused by breach of privacy allegations, and Director and Officer policies could be triggered by shareholder complaints based on loss resulting from the breach and those loses causing the stock price to decline.
Errors and Omissions policies could also be implicated if there professional negligence that may have contributed to the breach or failed to adequately protect from the consequences that flow from that breach.
Because these risks are new, many entities may have both inadequate security controls and inadequate indemnification, both of which can lead to many policy coverage disputes should a claim occur.
Claims Journal, “Coverage Implications Related to a Data Breach,” Denise Johnson, November 24, 2014