Cyber insurance for business interruption losses is of great importance to business This year business interruption ranked as the leading threat to companies globally, with cyber incidents acting as the primary trigger for associated losses. Domestically, cyber incidents, — cybercrime, data breaches and distributed delay of service attacks — surveyed as the single most critical risk to businesses. Commerce’s increased reliance on technology-driven solutions only compounds the detrimental impact of these disruptions.
Miller Friel recently had the honor of presenting on cyber insurance for business interruption losses in a recent Stafford CLE Presentation entitled Business Interruption Coverage for Cyber-Related Losses. This CLE webinar addressed the unique risks that cyber-related losses pose to business operations and how to mitigate those risks with business interruption (BI) coverage. Mark Miller of Miller Friel presented the corporate policyholder perspective, and two insurance company lawyers, Mary Borja of Wiley Rein and Eric Eric Stern of Kaufman Dolowich, provided insurance carrier perspectives.
An analysis of several recent high-profile cyber incidents demonstrates that business interruption and financial losses associated with cyber-attacks can be immense. Case in point, after a 2013 to 2014 cyber attack at Yahoo, Yahoo was forced to renegotiate its deal with Verizon at a loss of $350 million. Cyber insurance for business interruption losses and associated financial losses is certainly a timely issue.
What Are Insurers Doing to Provide Cyber Insurance for Business Interruption Losses?
The answer to this question is easy: very little. Mary Borja, giving the insurers’ perspective explained that cyber insurance has developed as a series of specific coverages, for very specific cyber issues. She describes cyber-coverage like this picture.
Her analogy is that cyber insurance, as currently structured is like a series of doors. Each door represents a different cyber insurance coverage grant. To find out what you have, you must open a door to see.
This door picture is a good analogy. But, with cyber insurance, no one knows exactly what an insurer will do with respect to coverage until a claim is made, or the door is opened. Make a claim, open a door, and see what the insurers will cover. This is not the best approach, but it is the current state of cyber-insurance.
What Can Businesses Do Now?
Even with the current state of cyber insurance, there are certain things that businesses can do no to maximize the value of their cyber insurance coverage.
1. Look Beyond Cyber Specific Coverage
Insurance company lawyers are not happy when a new court decision comes out finding coverage for a cyber attack under a non-cyber policy. Eric Stern addressed some of the insurance decisions addressing cyber-related losses, focusing predominantly on “all risk” property policies, which provide coverage for a wide variety of business interruption losses.
Representing insurers, Eric argued for a narrow reading of coverage, stating that the policies require “direct physical loss or damage to property” for coverage to be triggered. According to insurers, there must be direct physical loss to property for coverage to apply. The only problem with this argument is that this is not what the policies provide. All risk property policies expressly cover both direct physical loss of property, and damage to property. Accordingly, if a cyber-incident renders property, or a computer system, unusable for the purposes intended, business interruption coverage should be provided. There is simply no requirement of physical injury to the computer system in order for coverage to be triggered.
In the cyber context, Eric noted a number of decisions finding coverage for cyber-related losses under all risk property policies. See Am. Guarantee v. Ingram, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. 2000) (holding that physical damage is not limited to physical destruction or harm but includes “lack fo access, loss of use, and loss of functionality”); Lambrecht v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (alternatively finding that hard drives were physically damaged because they could no longer hold or store information); NMS Services, Inc. v. The Hartford, 62 Fed. Appx. 511 (4th Cir. 2003) (holding that there was coverage under a business property policy for an insured’s loss of business and costs to restore records lost when a former employee hacked into the insured’s network); Southeast Mental Health Center Inc. v. Pacific Ins. Co. Ltd., 439 F. Supp. 2d 831 (W.D. Tenn. 2006) (insured proved necessary direct physical loss where the insured’s pharmacy computer data was corrupted due to a power outage).
The takeaway for policyholders is that “all risk” property policies can and oftentimes do provide coverage for cyber-related business interruption losses.
2. Pay Attention to Cyber Coverage Grants and Exclusions
The participants agreed that there is no standard cyber-policy form, so a review of applicable policy language is critical.
Mark Miller noted six specific limitations to coverage that are particularly important with respect to financially related losses, including: (1) scope of coverage grants, (2) time limitations to coverage, (3) the fraud exclusion, (4) the profit or advantage exclusions, (5) prior notice exclusions, and (6) conditions to coverage.
To find out more about the steps that policyholders need to take with respect to cyber-related claims and policies, please feel free to contact us.