The starting point for any organization seeking to understand cyber insurance claims and coverage is to understand potential cyber-related losses. It is only through this analysis that corporate policyholders can understand what cyber insurance should cover. For illustration purposes, we examined four prominent cyber-related incidents and the fallout associated with each incident.
1. Cyber-Related Losses
In 2013 and 2014, roughly 1 billion Yahoo user accounts were breached. This resulted in a series of governmental investigations and numerous lawsuits alleging, among other things, gross negligence and breach of various data protection laws. Yahoo was also forced to renegotiate its sale to Verizon at a $350 million loss.
In 2013, 40 million debit and credit card numbers were stolen at various Target stores across the country. This resulted in a plethora of consumer lawsuits, bank lawsuits, state AG claims, and a series of credit card company claims seeking reimbursement for losses they suffered as a result of Target’s breach. Target faced roughly $240 million in reported losses for fraudulent charges, with overall expenses exceeding $290 million. Target also suffered massive financial losses in the 4th quarter of 2013.
In 2015, Anthem suffered a customer database breach impacting 69 to 80 million customers. This resulted in more than 50 class action lawsuits, a series of state AG claims and a number of prominent governmental investigations. Reported losses were in the billions of dollars. A significant portion of Anthem’s loss was the cost of notifications to customers as required by law.
In 2011, cyber criminals targeted Sony’s PlayStation network, resulting in the loss of personal and credit card information. 102 million people were impacted, and the gaming system was temporarily interrupted. This resulted in the filing of roughly 65 class action lawsuits, with reported losses of $171 million.
2. What Cyber Insurance Should Cover
This sampling of incidents illustrates, in a very basic way, some of the main areas that cyber insurance should cover. These include:
- Coverage for the costs of defending and settling governmental investigations, including the recovery of regulatory fines and penalties imposed;
- Class action and consumer lawsuit defense and settlement coverage;
- Coverage for credit card reimbursements;
- Coverage for notification expenditures;
- Coverage for remediation costs and forensic investigations;
- Coverage for losses caused by the interruption of business, lost business, and related financial losses.
3. How Insurance Carriers Have Responded to Cyber Claims
The insurance industry's response to each of these kinds of losses is, for the most part, to vigorously fight against coverage. The number of cases working their way through the courts on cyber insurance denials is astounding, as are the reasons for denials.
For example, with governmental investigations, insurers routinely contend that no coverage is afforded unless the policyholder has been sued. Then, even if the policyholder is sued by the government, insurers argue that damages associated with governmental settlements are not covered because of alleged policyholder wrongdoing. Similarly, for credit card reimbursement exposures, insurers argue that contractual liability exclusions preclude coverage, even though case law holds to the contrary. And, for business-related losses, insurers routinely contend that no coverage is provided because insurers did not anticipate covering these kinds of losses. In many instances, insurers are taking these positions irrespective of case law finding coverage, and irrespective of policy language affording coverage.
There is a solution, but it requires a thorough understanding of case law, policy language, and the law pertaining to how insurance provisions are construed.
A good insurance broker is critical to securing the best possible cyber insurance coverage. Insurance brokers have an understanding of what insurers are selling. This is valuable, because there are no standards for cyber coverage. Different insurers approach the same problem from different angles. Insurance brokers, however, typically do not opine on what the policies cover, as this is a legal function, and brokers do not practice law.
For this reason, sophisticated corporations often seek an independent legal review of their cyber-insurance programs.
Seeing opportunity, law firms have also jumped into this hot new area, with newly minted cyber-experts available to review corporate insurance policies. These lawyers can talk circles around most anyone when it comes to cyber-buzz words, but, when it comes to insurance coverage, they have little judgment or experience, and their counsel, quite frankly, is not that helpful. Others have a great deal of experience, but their experience comes from representing insurance companies.
There are many insurance company lawyers who represent insurers, but also sell their “cyber-review” services to policyholders. Their marketing materials claim that no one knows better than they do what the policies cover, as they drafted them in the first instance. Ethically, these firms see no legal conflicts in doing this, as long as things don’t get too contentious. Even if they are correct on the conflicts issue, insurance company lawyers have the wrong mindset for this kind of work. Insurance company lawyers are trained from day one not to see coverage. They place emphasis on irrelevant things, like what insurers like to do, rather than policy language, which is the determining factor for coverage.
For additional information on cyber insurance coverage, please see Cyber Insurance Claim Denials; Computer Fraud: Two Similar Scams, Two Very Different Insurance Outcomes; Cyber and Intellectual Property Claims; The Wild Wild West of Cyber Insurance; and Strategies for Addressing Cloud Computing Insurance Risks.