Avoiding The Most Common Cyber Insurance Claim Denials
When it comes to cyber security and insurance, companies have been vocally concerned about losing twice: first as the victim of a breach, then as the victim of a cyber insurance claim denial. They suffer a security event that results in significant damages, and only then discover that their policy will not respond. From hidden language to sub-limits, we explore some of the more significant cases and areas in which carriers are declining coverage (or can be expected to decline coverage), and how to avoid them.
FAILURE TO MAINTAIN: Often referred to as the negligence or "failure to follow" exclusion, some carriers' policy forms contain a specific exclusion that precludes coverage for claims arising from the insured's failure to maintain minimum or adequate security standards. These clauses have attracted as much contention as confusion, which is a large part of why many carriers have since removed such language. While the wording may not trigger any concern for the average broker or buyer (it reads like a warranty statement), it functions as a dangerous blanket exclusion: any control described in the application that later lapses, even briefly, can be cited as grounds for denial. Here is a small sampling of the language used in such exclusions:
"Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal to or greater than those disclosed in the proposal"
“Failure to continuously implement the procedures and risk controls identified in the insured’s application”
The Cottage Health case demonstrates the damage such an exclusion can cause. A class action was filed against Cottage Health after the hospital inadvertently exposed confidential patient information online. Although human error was the contributing factor, the hospital's carrier sought to avoid coverage under a failure-to-follow-minimum-practices exclusion, alleging that the hospital lacked basic controls such as encryption, had not maintained the practices represented in its application, and was in violation of HIPAA.
In response, companies and their directors should carefully review the cyber policy's terms and exclusions to ensure the form does not contain clauses or wording that condition coverage on the insured maintaining a particular level of security controls. Additionally, companies should work closely with their CISO, IT and information security departments to confirm the accuracy of every statement in the application, and to keep evidence that the controls described there (patching cadence, encryption, access control, backups) remain in place throughout the policy period, since the exclusion language above ties coverage to their continued implementation rather than to their state on the day the application was signed.
PCI FINES & ASSESSMENTS: PCI-related fines and assessments are another area in which cyber insurers deny coverage with some regularity. While the P.F. Chang's case may be one of the more widely publicized examples, it is far from the only dispute over coverage for such fines. To briefly summarize the case again: following a breach that exposed customers' payment card data, the insurer paid roughly $2 million in damages but declined to pay roughly another $2 million in PCI assessments on policy-language grounds. Insurers can restrict or limit coverage for such assessments through various clauses. The two most problematic are i) specific exclusions for PCI or self-regulatory fines, and ii) the contractual liability exclusion (which the insurer relied on in the P.F. Chang's case, since the assessments arose under the merchant's agreement with its acquiring bank rather than from a third-party claim). Of equal importance is how the payment card data was accessed: some policies contain exclusions for viruses or self-propagating code, which could also serve to preclude PCI coverage if that was the intrusion vector.
In addition to reviewing cyber policies for clauses relating to regulatory and PCI fines, policyholders should pay careful attention to the language of the policy form as a whole; assessing coverage can be considerably more difficult than simply locating an exclusion. Jones Day has published an informative article on the topic. As also noted, insureds should carefully review their merchant and processing contracts for the assessment obligations they create and understand how those obligations line up with their insurance policy's language.
CYBER EXTORTION & RANSOMWARE: Ransomware has been a hot topic following the recent chain of incidents. As WannaCry demonstrated, extortion demands have remained low despite an expected increase. This is deceptive, however: with most of the damage arriving in the form of lost income and asset restoration, it is all too easy to underestimate the severity of a ransomware attack. The recently publicized Alfonso Moses case highlights the disparity between the value of the extortion demand and that of the lost income sustained. After the law firm suffered a ransomware attack demanding a $25,000 ransom, the cyber carrier ultimately agreed to reimburse $20,000 for the loss (the sub-limit defined in the policy), while the firm contended that it had suffered $700,000 in damages attributable to lost income. While it is not clear whether the policy's terms provided any coverage for lost income resulting from cyber extortion, the policy's limits appear to have been insufficient regardless, which is an important reminder to review the scope of coverage against a realistic outage, not just the ransom note.
With cyber policies often setting individual limits per insuring clause and further sub-limiting specific elements, policy limits can be difficult to navigate. For this reason, insurance purchasers should carefully assess the extortion insuring clause and review all limits, sub-limits, deductibles and time deductibles (waiting periods before business interruption coverage begins) for adequacy, using benchmarks where available. It should also be noted that such attacks can inflict considerable reputational damage and lost clients, which are difficult to quantify and equally difficult to insure against.
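To make the interaction of per-clause limits, sub-limits, monetary deductibles and waiting periods concrete, here is a small coverage-gap model, added here as an illustration and not taken from any policy form or from the case discussed above. The loss profile is constructed to echo that case (a $25,000 demand against a $20,000 extortion sub-limit, and roughly $700,000 of lost income); the clause names, the restoration figure, the hourly income rate, the outage length and both policy structures are assumptions.

```python
"""Model what a cyber policy actually pays on a ransomware loss once
per-clause limits, sub-limits, deductibles and waiting periods are applied.

Constructed illustration: all clause names, limits and scenario figures are
assumptions, chosen to resemble the loss profile described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InsuringClause:
    """One insuring agreement with its own limit and retentions."""
    limit: float                # sub-limit for this clause (USD)
    deductible: float = 0.0     # monetary retention per claim (USD)
    waiting_hours: int = 0      # time deductible; only applied to lost income


@dataclass(frozen=True)
class RansomwareScenario:
    """A loss expressed in the categories policies typically split."""
    ransom_demand: float
    lost_income_per_hour: float
    outage_hours: int
    restoration_cost: float


def clause_payout(clause: InsuringClause, gross_loss: float) -> float:
    """Recoverable amount under one clause: loss net of retention, capped at the limit."""
    net = max(gross_loss - clause.deductible, 0.0)
    return min(net, clause.limit)


def evaluate(policy: dict, scenario: RansomwareScenario) -> dict:
    """Per loss category: gross loss, what the policy pays, and the uninsured shortfall."""
    gross = {
        "cyber_extortion": scenario.ransom_demand,
        "business_interruption": scenario.lost_income_per_hour * scenario.outage_hours,
        "data_restoration": scenario.restoration_cost,
    }
    result = {}
    for category, loss in gross.items():
        clause = policy.get(category)
        if clause is None:
            payout = 0.0  # no insuring agreement responds: the whole loss is retained
        elif category == "business_interruption":
            # The waiting period strips the first N outage hours before the
            # monetary deductible and the sub-limit are applied.
            indemnified_hours = max(scenario.outage_hours - clause.waiting_hours, 0)
            payout = clause_payout(clause, indemnified_hours * scenario.lost_income_per_hour)
        else:
            payout = clause_payout(clause, loss)
        result[category] = {"gross": loss, "payout": payout, "shortfall": loss - payout}
    return result


def total_shortfall(evaluation: dict) -> float:
    """Sum of the uninsured portion across all categories."""
    return sum(v["shortfall"] for v in evaluation.values())


# Constructed scenario: USD 25,000 demand, a 200-hour outage at USD 3,500/hour
# of lost income (USD 700,000 total), plus an assumed USD 50,000 restoration cost.
SCENARIO = RansomwareScenario(
    ransom_demand=25_000, lost_income_per_hour=3_500, outage_hours=200, restoration_cost=50_000,
)

# Assumed policy with an extortion sub-limit but no business interruption clause.
THIN_POLICY = {
    "cyber_extortion": InsuringClause(limit=20_000),
    "data_restoration": InsuringClause(limit=100_000, deductible=5_000),
}

# Same policy with an assumed business interruption clause: 12-hour waiting
# period, USD 10,000 deductible, USD 500,000 sub-limit.
BROADER_POLICY = {
    **THIN_POLICY,
    "business_interruption": InsuringClause(limit=500_000, deductible=10_000, waiting_hours=12),
}

if __name__ == "__main__":
    for label, policy in (("thin", THIN_POLICY), ("broader", BROADER_POLICY)):
        ev = evaluate(policy, SCENARIO)
        for cat, v in ev.items():
            print(f"{label:8} {cat:24} gross={v['gross']:>10,.0f} "
                  f"payout={v['payout']:>10,.0f} shortfall={v['shortfall']:>10,.0f}")
        print(f"{label:8} total uninsured: {total_shortfall(ev):,.0f}\n")
```

Run as a script, the thin policy leaves the full $700,000 of lost income uninsured even though the extortion clause responds (capped at its sub-limit); the broader policy still leaves a six-figure gap because the waiting period, deductible and sub-limit each shave the recovery. Replacing the assumed figures with your own policy schedule and a realistic outage duration is the "benchmark" exercise the paragraph above recommends.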
PRE-BREACH LAWSUITS: The Kimpton Hotels case has already shown that a breach-related lawsuit can be brought before any actual damages from data misuse have occurred, but the Johnson Bell case goes one step further, becoming the first such lawsuit filed without any breach at all. While the concept of preemptive regulatory inspections and investigations is fairly well understood, a lawsuit in the absence of a breach is harder to grasp. To summarize: after one of the firm's clients discovered security holes, a class action was filed against the law firm for malpractice and negligence (among other allegations) arising from security flaws and a failure to properly secure clients' data, which "subjected the plaintiffs to an increased risk of injuries". Among the vulnerabilities alleged were that the firm was running out-of-date software with known, exploitable weaknesses, and that its VPN and email system were vulnerable to attack. It is important to note, however, that there was no actual intrusion, data exposure or data misuse, and therefore effectively no damages.
This case poses a real coverage dilemma, particularly for cyber policies, because almost all insurers draft their insuring agreements around an intrusion or security event as the trigger for coverage. It also highlights the importance of regular patching and security assessments, which may help avoid such claims altogether: every allegation in the complaint concerned a condition (outdated software, an exposed VPN and email system) that routine vulnerability management would have surfaced. While cyber policies are generally not structured for claims absent a breach, avenues that may be explored include cyber DIC (difference in conditions) policies and potentially E&O or D&O policies (barring any exclusions); however, this will depend largely on the specifics of the claim, the policy language, the industry and more.
SOCIAL ENGINEERING SCHEMES: Social engineering schemes have grown steadily in popularity and can be carried out a number of ways: through phished email credentials, by phone or on forged letterhead, or by criminals directly altering vendor bank account details. While policy language is still adapting to better cover computer fraud and social engineering losses, many forms contain a number of exit points that carriers can use to deny coverage. Without summarizing the specifics of each case, here is a small sampling of the exit points carriers have relied on and the cases in which each was cited:
- The fraudulent transfer was ultimately caused by the overriding of the company's own security controls (State Bank)
- Funds were transferred voluntarily, or by natural persons with authority to use the company's computer system (Acqua Star & Medidata)
- The fraudulent transfer request was made by phone rather than resulting "directly from the use of a computer" (Apache Corp)
- The losses sustained were not "direct" losses of the insured but losses of clients' funds. As also pointed out by Blaney's Fidelity Blog, the policy contained an additional requirement that the fraudulent transfer result from the "unauthorized introduction of instructions that propagated themselves" (Taylor & Lieberman)
The first step to securing coverage for such claims is ensuring that the cyber or crime policy carries an appropriate social engineering endorsement, rather than relying on a computer fraud or forgery insuring clause whose "direct loss" and "use of a computer" wording gives carriers the exit points listed above. It is also advisable to assess the social engineering clause itself carefully, as endorsements vary significantly in their triggers, sub-limits and any call-back or verification conditions they impose on the insured.