Cyber Insurance: What Case Law Teaches Us About Coverage

Policyholders have secured cyber insurance to guard against cyber attacks. How well have Insurers done? Lets look at the case law to find out.


Cybercrime has come a long way from the days of Nigerian Princes seeking aid from unsuspecting AOL subscribers to liberate their family fortunes from the grips of oppressive regimes. Cybercriminals today are far more sophisticated, and so too are their victims. Now, it is C-Suite executives and publicly traded corporations being swindled by ever-evolving “spoofing” scams, while some of the world’s largest healthcare providers, airlines and hotel companies fall victim to massive data breaches as a result of “phishing” schemes and other malware. Indeed, recently a handful of multi-national conglomerates had their operations virtually shut down by malware purportedly released by the Russian military.1 The costs to companies associated with these modern-day cyberthreats can be staggering. Cybercrime is among the most significant risks facing businesses today. Fortunately, in the event of an attack, companies may not have to go it alone. In many instances, insurance may be available to cover some or all of the loss.

This article highlights a few of the more recent massive cyber incidents inflicted on well-known U.S. companies, and discusses the various types of insurance products marketed and sold to protect businesses against such risks, as well as notable court decisions addressing the scope of cyber coverage under such policies. Finally, some practical pointers are offered for effectively insuring against the risks of modern cyberthreats.

The Growing Threat of Cybercrime

Earlier this year, Equifax, the multinational consumer credit reporting agency, finalized the largest data breach class-action settlement in history. The case arose from an incident in 2017 in which hackers accessed personal data, including names, dates of birth, social security numbers and driver’s license numbers from approximately 150 million consumers. Ensuing claims were brought by the Federal Trade Commission, the Consumer Financial Protection Bureau and various state attorneys general. More than 300 class-action lawsuits were also filed by consumers and financial institutions, which were consolidated in Federal District Court in Atlanta, Georgia.2

The Equifax litigation was ultimately resolved …

To read more, click here

This article has been published in PLI Current: The Journal of PLI Press,