2018 Allianz Risk Barometer Highlights Business Interruption and Cyber as Two Most Important Risks of New Year

Allianz’s yearly survey of nearly 2,000 risk experts from 80 countries highlights business interruption and cyber incidents as the top two major threats for companies through 2018 and beyond. Forty-two percent of responses identified business interruption (BI) as the most important global risk because it can substantially impact revenues. So it is no surprise that BI has been highlighted as the most important risk for six years in a row. New for 2018, however, is that cyber incidents are the most feared BI trigger in the new year.

In addition to cyber incidents’ potential to trigger BI, risk experts identified cyber incidents generally as the second most important risk of 2018 (42 percent of responses). In particular, risk experts highlighted attacks on common internet infrastructure (with the potential to harm multiple companies at one time) as an increasing risk. These large‑scale attacks, such as the October 2016 Mirai Botnet attack on Dyn that brought down Twitter, SoundCloud, Spotify, Reddit and a host of other sites for hours, can substantially disrupt online operations and be used to extort multiple companies.

The Allianz report highlights what most policyholders already know: Cyber risk, whether in the form of business interruption, data‑breach liability, extortion, or otherwise, continues to expand at an almost breathtaking pace.

Every organization should survey the threat landscape to measure cyber exposure in six key risk areas:

  1. Business email compromise (BEC) scams
  2. Ransomware
  3. Distributed denial of service (DDoS)
  4. Data breach
  5. Theft of intellectual property
  6. Destruction or damage to computer systems

Surveying the cyber risk landscape is only the first step. For most organizations, the next step — cyber risk mitigation — includes purchasing cyber insurance. Due to the evolving nature of cyber insurance, and insurers’ differing tolerances for undertaking cyber risk, organizations must carefully assess proposed cyber insurance policies. Coverage grants vary and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.

  • Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
  • Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
  • Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
  • Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
  • Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
  • PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of credit information (and, as noted above, generally requires proof of compliance with PCI standards).

For more information on mitigating your organization’s cyber risks through cyber insurance, our previous article, published by MISTI Infosec Insider, provides a more detailed overview of the factors to consider when managing a cyber‑insurance program.

Bradley Attorneys Highlight Cyber Insurance Risks to Consider When Acquiring a Company

In a recent article published by Mergers & Acquisitions, Bradley’s Policyholder Practice Group Leader Katherine Henry and policyholder coverage attorney Brendan Hogan explain some of the risks companies need to weigh when evaluating potential merger and acquisition targets.

This article covers how companies can mitigate M&A risk by:

  • Reviewing key cyber risk management procedures the target company should have in place
  • Assessing the target company’s insurance assets and potential liability
  • Understanding specific cyber insurance coverage grants (data breach, fraud and theft, business interruption, and remediation) and the risks they help mitigate

Read the full article by visiting the Mergers & Acquisitions website.

Fore! Fourth Circuit Affirms No Coverage for Hole-in-One Payments

As proof that almost anything can be insured, hole-in-one insurance is available on the market. Coverage is granted for payments or awards (cars, cruises, golf trips, cash, etc.) given and can be obtained for the right premium whether you’re protecting against the risk of an “ace” by a professional or a hacker at a charity scramble event. Of course, there are also limitations defined by the terms, conditions, and exclusions in the policy.

During the 2015 Greenbrier Classic in West Virginia, an annual PGA Tour event, Justin Thomas and George McNeill aced the 18th hole. The hole was playing 137 yards that day. The fans went particularly wild, largely because they took home approximately $200,000 from a tournament contest offering a cash prize to any spectator that witnessed a hole-in-one in person.

Those spectators might not have celebrated had they known their prize money would ultimately end up uninsured. At the end of 2017, the Fourth Circuit held there was no coverage for the payments made by Old White Charities because the policy required a longer hole — at least 170 yards (see All Risks v. Old White Charities).

The Fourth Circuit enforced that policy limitation under West Virginia law. Like other jurisdictions across the country, West Virginia enforces the plain language of the policy. The court also rejected arguments based on a shorter limitation (150 yards, so it wouldn’t have mattered anyway) in the policy application and Old White’s argument that it had a reasonable expectation of coverage despite the 170-yard minimum in the policy. Old White’s claims of negligence and fraud during the underwriting process also failed. In sum, the court saw no evidence that provided an exception to the plain language rule.

Two obvious takeaways here:

  1. Many golfers never get the chance to see a hole-in-one in person, but there is nothing unusual about a court upholding a clear policy exclusion or limitation. Even policyholders that do not know the difference between a birdie and a bogey should heed this case as a reminder: The language in the policy matters, even when the result may be harsh. Absent a way around it (an ambiguity caused by other language, waiver, misrepresentation in the application process), an exclusion can produce a tough result inconsistent with the policyholder’s expectations.
  2. This case is also a reminder about the need to manage risk even after insurance is in place. The best risk management programs account for the limitations in the company’s insurance portfolio. For example, some comprehensive property insurance programs contain limitations (e.g., no flood coverage for properties on a coast) on the location of scheduled properties purchased after the policy is bound. Failure to consider that limitation when a new property is acquired can lead to a significant uninsured loss.

I hated to see this result for Old White Charities and a golf tournament that I love to watch, particularly when the same tournament had to be cancelled due to the tragic flooding in that part of West Virginia in 2016. Here’s hoping the 2017 tournament was the start of a new stretch of good fortune for the Greenbrier Classic.

Insurance Purchasers Beware: Florida Court Finds No Duty to Defend Data Breach Claim Under CGL Personal & Advertising Injury Coverage

On November 17, 2017, a U.S. district court in Florida narrowly construed personal and advertising injury coverage for data-breach claims under a commercial general liability policy. In Innovak International, Inc., v. The Hanover Insurance Company, the court held that The Hanover Insurance Company (the insurer) has no duty to defend Innovak International, Inc. (the insured), against a putative class action arising from a data breach that compromised users’ personal private information (“PPI”).

The court narrowly construed the policy’s definition of “personal and advertising injury” that included “[o]ral or written publication in any manner of material that violates a person’s right of privacy.” Despite the absence of a requirement that the insured publish that material, the court held that the policy only extended coverage to publication by the insured.

The court held that “[t]he act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.” The court rejected Innovak’s arguments that the phrase “in any manner” includes both “direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” Following a New York state court decision (Zurich American Insurance v. Sony Corporation of America), the Florida court construed the phrase “in any manner” to refer to the medium rather than the sender of the information.

The court also rejected Innovak’s argument that the putative class action complaint alleged that Innovak indirectly published the PPI. The court held that the complaint clearly alleged that Innovak failed to protect the users’ PPI by failing to implement sufficient data security measures – which is not an allegation of publication at all. The court distinguished a California case, Hartford Casualty Insurance Co. v. Corcino & Associates, et al., because that complaint alleged that the insured posted private information on a public website, and the court did not address the same legal issues.

Finally, the court made short shrift of Innovak’s argument that Hanover waived its defense by omitting it from its denial letter, because the particular defense was included within the letter.

This case serves as a reminder that organizations should not assume that their commercial general liability policies will cover losses from data breaches – even if the organization purchases a data breach enhancement, as Innovak did. The policy’s Data Breach Form provided only data breach services and paid only data breach expenses and expressly excluded “fees, costs, settlements, judgments or liability of any kind” arising out of a data breach. The lack of coverage under the Data Breach Form left Innovak with only the personal and advertising injury coverage, which, in this instance, did not extend to the putative class action against Innovak.

As often mentioned on this blog, prudent insureds should purchase dedicated cyber insurance coverage if at all possible. Smaller organizations may rely on coverage enhancements to their existing insurance programs but should recognize the risk of this strategy. Under either a traditional or specialized cyber insurance program, all insureds should scrutinize policy language to understand the scope of coverage and – more importantly – the limitations of that coverage for data breach and other cyber-related exposures.

Upcoming Event - Policyholder Insurance Webinar Series: Is That Drone Insured?

Bradley’s Policyholder Insurance Group is pleased to present “Is That Drone Insured?” as part of our ongoing Policyholder Insurance Webinar Series.

This webinar will provide an overview of available drone insurance terms and conditions, recommended contract terms, and an insurance market assessment, including market capacity and pricing, presented by Bradley attorneys Katherine J. Henry and Brendan W. Hogan with guest speaker Chris Proudlove of Global Aerospace.

When: Tuesday, December 12, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Businesses are hiring third-party drone operators to provide various services, including aerial photography and mapping, with many more uses developing daily. Some businesses are bypassing third-party operators and purchasing drones for their own use. Given the rapid pace of development of this technology, risks posed by drone operations may not be adequately insured by the third-party drone operator or may be uninsured by your company’s existing insurance portfolio, and governing contracts may not include adequate insurance requirements to protect your company.

We look forward to seeing you there!

$16 Billion Debt Cancellation Gives Breathing Space for National Flood Insurance Program

The Senate’s vote Tuesday to forgive $16 billion in debt owed by the National Flood Insurance Program gives a much-needed boost for NFIP as it faces large payouts from recent hurricanes. Packaged with other disaster aid appropriations, the bill now goes to President Trump, who is expected to sign.

NFIP has struggled to stay solvent in the face of multibillion-dollar flood insurance losses in recent years, including $16.3 billion from Hurricane Katrina and $8.6 billion from Superstorm Sandy. Prior to Hurricane Harvey, the program was already nearly $25 billion in debt to the U.S. Treasury, with a $30 billion borrowing limit. Passage of H.R. 2266 allows the program to continue paying claims in the near term, but does not implement any long-term reforms to NFIP. Nor does it extend the life of the program, which is set to expire before the end of the year absent congressional re-authorization. But Tuesday’s 82-17 vote in the Senate suggests that there is strong bipartisan support to maintain the coverage provided by the program, with or without a long-term fix.

Trigger for Hurricane and Named Storm Deductibles

Recent damage from Hurricanes Harvey, Irma, and Maria has focused attention on special “named storm” and “hurricane” deductible endorsements found in most property insurance policies issued for coastal areas. Such endorsements typically convert the insured’s deductible from a fixed amount to a percentage of the property value, such as 1, 2, 5, or 10 percent, for damage caused by certain categories of storms. These percentages are usually taken from the insured value of the property, not merely the amount of damage, so when triggered the endorsement can result in a substantial increase in the out-of-pocket cost for the policyholder.

Several names are used for these endorsements. “Hurricane” deductibles generally apply when a storm has been designated a hurricane by the National Weather Service. “Named Storm” deductibles are broader and include declared tropical storms. “Windstorm” deductibles are the broadest of all and may apply to damage caused by almost any high wind weather event.

Circumstances triggering the deductible can vary significantly depending on the policy and state in which the insured property is located, so the individual policy language and state regulation must be reviewed to determine when the deductible applies. ISO Commercial Property Endorsement CP 03 25 (“Named Storm Percentage Deductible”), for example, provides that a “Named Storm” begins at the time the National Weather Service issues a watch or warning for the area in which the insured premises is located, and ends 72 hours after the termination of the last watch or warning issued for that area.

In some states, regulations have altered the circumstances for triggering the deductible by mandating the scope and duration of a “hurricane.” For example, Florida defines a “hurricane” for residential property insurance purposes as beginning at the time the National Weather Service issues a hurricane watch or warning for any part of Florida and ending 72 hours after the termination of the last hurricane watch or hurricane warning anywhere in the state. Because of the broad scope of this definition, policyholders in some areas may pay a “hurricane deductible” even though the insured property was never subjected to hurricane-force winds.

Where the insurer contends that a percentage deductible applies on account of a hurricane or tropical storm, policyholders should carefully review the policy language and insurance regulations in their state, as well as the actual conditions that caused property damage, to determine if there is an argument against the increased deductible.

The Professional Services Exclusion: You May Not Have the Coverage You Think

Could you be providing “professional services” that might lead to liability excluded by your commercial general liability policy? The answer may be different than you think.

A recent unpublished Eleventh Circuit opinion provides a reminder that it is important to review your CGL policy and understand whether you are covered. The facts upon which the court relied in Witkin Design Group, Inc. v. Travelers Property Casualty Co. of America appear simple enough. An intersection traffic accident resulted in the death of a young boy. The resulting lawsuit included a negligence claim against the landscape architect who designed and constructed the intersection. The landscape company called on its CGL insurer to defend and indemnify it from the claim. You can imagine the company doing so with the thought that a liability claim had been brought and its general liability policy would provide coverage for that claim.

Like most CGL policies, however, this CGL policy contained a professional services exclusion that excluded coverage for claims “arising out of the rendering of or failure to render any ‘professional service’.” Professional services were defined by the policy as “any service requiring specialized skill or training.” The CGL policy said that professional services included:

a. Preparation, approval, provision of or failure to prepare, approve, or provide any map, shop drawing, opinion, report, survey, field order, change order, design, drawing, specification, recommendation, warning, permit application, payment request, manual or inspection;

b. Supervision, inspection, quality control, architectural, engineering or surveying activity or service, job site safety, construction contracting, construction administration, construction management, computer consulting or design, software development or programming service, or a selection of a contractor or subcontractor; or

c. Monitoring, testing, or sampling service necessary to perform any of the services included in a. or b. above.

But, these are merely non-exhaustive examples. The Eleventh Circuit was clear: “the professional service exclusion applies to any service requiring specialized skill or training.” Because the claim for which the landscape company sought coverage arose out of its design and construction of the intersection, which required specialized skill or training, the court found the professional liability exclusion applied, resulting in no coverage under the CGL policy.

The Eleventh Circuit’s opinion is not ground-breaking. Whether an insured’s conduct constitutes excluded “professional services” is a frequently litigated coverage question, which turns on policy language, the insured’s specific conduct, and applicable state law’s definition of professional services. Other recent examples of cases in which courts have found no coverage because of professional services exclusions include a claim against a home inspector alleging failure to discover insect and water damage; a claim against a real estate broker who failed to disclose an adverse property condition; a claim against a property manager for failing to properly supervise construction; and a claim against an insurance company for misrepresenting insurance policies.

Simply because a professional services claim is excluded by the CGL policy, however, does not always mean that the insured is left holding the bag without insurance coverage. Many companies purchase professional liability policies, which are errors and omissions policies intended to provide coverage for claims arising from the specific professional services in which the insured is engaged. It is critical to understand, however, that these policies may define “professional services” differently than the insured’s CGL policy, and care should be taken to ensure that your professional liability policy covers what your CGL policy may exclude.

So, while the Eleventh Circuit’s recent decision is not ground-breaking, it does provide a useful reminder to think about whether you have the liability coverage that you think you have. We suggest that you consider the following questions, and discuss them with your broker or attorney if necessary:

  • Does my CGL policy have a “professional services” exclusion?
  • Am I engaged in conduct that could expose me to liability claims and that could be construed as a “professional service” as defined and excluded by the policy?
  • Do I need to purchase a professional liability policy to protect from those claims, and does that professional liability policy cover what the CGL policy excludes?

It is better to know the answers to these questions now, rather than find out after a claim has been filed that you don’t have the coverage you thought. After all, It Pays to be Covered.™

Bradley’s Policyholder Insurance Group is pleased to present “What Blockchain Means for Your Insurance” as part of our ongoing Policyholder Insurance Webinar Series.

This webinar will discuss the applications of blockchain technology in the insurance industry, recent developments in blockchain technology, and the potential impact on policyholders, presented by Bradley attorneys Katherine J. Henry and Brendan W. Hogan.

When: Thursday, November 2, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Distributed ledger technology, often called “blockchain,” is rapidly emerging as a potential solution for businesses in many sectors, often with promises of increased security, reduced risk, and greater efficiency. With any new technology, however, come new risks. Risk management professionals should understand, assess, and plan for the risks that their organization will face resulting from the implementation of blockchain—not only today but in the future. In this webinar, Bradley’s Policyholder Insurance Coverage Team, led by Katherine Henry, will discuss the applications of blockchain technology in the insurance industry, recent developments in blockchain technology, and the potential impact on policyholders. Join us for this compelling introduction into the future of insurance coverage.

We look forward to seeing you there!

SC Supreme Court Says Insurers Can’t Cloud Allocation of Covered and Non-Covered Damages

The South Carolina Supreme Court’s decision in Harleysville Insurance Co. v. Heritage Communities, Inc., modified July 27, 2017, continues a trend of decisions aimed at preventing an insurer from acting in its own interest to the detriment of its insured when the insurer controls the defense of underlying claims against the insured. Although the far-ranging opinion in Harleysville tackles a number of important coverage issues, perhaps the most salient is a renewed emphasis on the insurer’s duty to inform its insured of the need to allocate damages in underlying litigation to differentiate between covered and non-covered losses in a jury award.

In Harleysville, the jury awarded $10.75 million in actual damages against a developer in two suits arising from defective condominium construction. These damages were based on the cost to repair defects, and included costs to replace faulty workmanship, as well as costs to repair damage to the condominium from water intrusion. The verdict did not distinguish between these costs. Because replacement of faulty workmanship was not covered under the developer’s liability insurance policies, in the ensuing coverage litigation, the insurer contended that it was not obliged to provide coverage for this portion of repairs. The court, however, found that the insurer lost the right to contest this issue when it failed to notify the policyholder of the need to allocate the verdict in the underlying suits.

The problem of parsing covered and non-covered losses in a verdict is not new. Since at least Duke v. Hoch, 468 F.2d 973 (5th Cir. 1972), courts have complained that it is virtually impossible to “determine the particular amount that happened to be in the jury’s mind” in subsequent coverage litigation. Where there was no effort in the underlying suit to determine the jury’s intent in making the award, assignment of the burden of proof between the insurer and policyholder is therefore potentially dispositive of the allocation. While it is typically the insured’s burden to show that damages fall within the coverage grant, a number of courts have recognized the inherent conflict of interest where the insurer controls the defense of the litigation but fails to obtain an allocated verdict. If the burden remained with the policyholder under these circumstances, the insurer could obtain a windfall from its own failure to clarify the composition of the award.

Some courts have responded to this problem by shifting the burden to allocate covered and non-covered losses from the insured to the insurer when the insurer fails to either obtain an allocation of the verdict in the underlying litigation or notify its insured of the need to do so. In Magnum Foods, Inc. v. Continental Casualty Co., 36 F.3d 1491 (10th Cir. 1994), the Tenth Circuit held that where the insurer controlled defense of the litigation but failed to request special interrogatories or a special verdict to allocate damages, it bore the burden of demonstrating that the basis of the award fell outside coverage. In Duke v. Hoch and Harleysville, the courts did not mandate that the insurer must itself seek an allocation, but found that the insurer must provide notice to the insured of the need for allocation in its reservation of rights. Harleysville found that the insurer’s blanket reservation of rights letter did not meet this standard, as it did not “inform the insureds that a conflict of interest may have existed or that they should protect their interests by requesting an appropriate verdict.” The insurer therefore lost the right to contest this issue and was required to cover damages for faulty workmanship that would otherwise have fallen outside of the policy.

Left unresolved by the opinion is precisely how, and by whom, the allocation of the verdict will be accomplished. In Duke v. Hoch, obtaining an allocated verdict would have been fairly simple, since the non-covered damages related to a particular claim against the insured; thus, the jury could have been asked to specify the portion of damages awarded on the basis of that claim. But in Harleysville, parsing out the covered and non-covered damages would have required specific findings as to which costs were required to replace the insured’s faulty work product, and which costs pertained to repairs for water intrusion. For the jury to make an informed decision on these issues, defense counsel would need to tailor the testimony of its witnesses, and possibly even modify its closing argument.

In a given case, the facts relevant to such allocation might well be contested between the insurer and the policyholder, and it is doubtful whether defense counsel retained by the insurer will be able to navigate this potential conflict of interest. Because Harleysville focused on the insurer’s duty to notify the policyholder of the need for an allocated verdict in its reservation of rights, insurers may argue that it is the policyholder’s responsibility to engage independent defense counsel if it wants to obtain such an allocation. But if the insured must pay for its own attorneys to handle the litigation, it has been deprived of a key benefit of coverage, namely the insurer’s duty to provide a defense. The policyholder could obtain independent counsel of its own choosing, and ask the insurer to reimburse reasonable fees. A policyholder, however, can expect the insurer to resist any arrangement under which it would pay for litigation expenses exceeding those of its regular insurance defense counsel, or for expenses incurred to present evidence adverse to the insurer’s own coverage position. As insurers modify their reservation of rights letters to meet the prescriptions in Harleysville and similar cases, policyholders must be vigilant for an insurer’s communication that allocation is needed, and insist that insurers discharge their defense obligations under the policy.