Listen to this post

Any company, particularly if conducting business is a highly regulated industry, risks being served with a subpoena or a civil investigative demand (collectively, “CID”) from a governmental agency or entity. As set forth below, the company may have insurance coverage available to cover the costs associated with responding to the CID. More importantly, however, failure to provide prompt notice to insurance carriers could preclude coverage for any subsequent litigation or enforcement proceeding related to the CID. Prompt notice of the CID to the company’s directors and officers’ (D&O) insurer is critical.

D&O Policies and CID

D&O policies provide financial protection through liability coverage, including both defense and indemnity, to the directors and officers of a company for claims asserted against those directors and officers arising from the management of the company. Unlike other forms of insurance, such as property or general liability policies, in which insurers utilize standardized forms, D&O coverage can vary significantly from one insurer to another. 

The typical D&O policy provides insurance coverage under three different insuring agreements, commonly known as Side A, Side B, and Side C coverage. Side A provides “direct” or personal liability coverage for individual directors and officers where the company cannot legally provide a defense or indemnify loss (where such indemnity is prohibited by state law) or where the company is financially unable to do so. Side B indirectly covers the individual directors and officers of the company by reimbursing the company for defense or indemnity payments that the company has made or is required to make on behalf of its directors and officers. Side C, which is also known as “entity coverage,” provides coverage for claims against the company itself. 

The insuring agreement of most D&O policies will provide coverage for “loss” that is incurred as a result of a “claim” made for a “wrongful act.” While the specific language of D&O policies varies from one insurer to another, the term “claim” typically refers to an assertion of a legal right, a demand for payment by a third party against the insured, or even a demand for non-monetary relief. The term “claim” could also be defined to include administrative and regulatory proceedings, criminal investigations, or civil investigative demands by regulators. In short, depending on the language of the CID itself, as well as the definition of “claim” in a D&O policy, a CID could constitute a claim.

Delayed Notification Risks Denial of Coverage

If a CID could constitute a claim as defined in the D&O policy, prompt notice is critical because failure to provide notice timely could defeat coverage. D&O policies are typically written on a claims-made basis. Claims-made policies, sometimes called claims made and reported policies, provide coverage for claims that occur (and are reported) to the insurer while the policy is in force.  Failure to report a claim to the carrier during the policy period, or any applicable extended reporting period, could be an absolute bar to coverage.

Another reason for prompt notice to a D&O carrier of any CID, even if the insured does not think the CID qualifies as a claim or the anticipated costs to the insured in responding to the CID does not require insurance proceeds, is a concept within D&O policies of “related claims.” Most D&O policies also contain “related claims” or “interrelated wrongful acts” provisions. These provisions are broadly worded and will provide that all related wrongful acts will be considered a single claim.  For example, the policy definition of “related claims” or “related wrongful acts” could be “claims that have as a common nexus any fact, circumstance, situation, event, transaction or series of related facts, circumstances, situations, events or transactions.” Where two or more claims satisfy this “related claims” definition, then they are usually deemed to be a single claim first made at the time of the earlier claim.

For example, assume a company has a D&O policy for successive one-year policy periods beginning June 1, 2020.  The company receives a CID on December 1, 2020, responds to the CID and does not provide notice to its D&O insurer. The D&O policy renews on June 1, 2021, for one year and then again on June 1, 2022, for another year. In September 2022, the insured company is named as a defendant in an enforcement action and is then named as a defendant in civil lawsuit in March 2023 – both actions involving the same conduct that was at issue in the CID. The company tenders both the enforcement action and the civil lawsuit to its insurer, which denies the claims.

The insurer asserts that under the definition of “claim” in the hypothetical D&O policy, the CID constituted a claim, which should have been reported but was not reported to the carrier during the June 1, 2020, to June 1, 2021, policy. Because the claim was not made and reported during that policy period, there was no coverage for the CID. Furthermore, under the “related claims” provision of this hypothetical D&O policy, the CID, enforcement action, and civil lawsuit were “related claims” that were deemed to be a single claim first made at the time of the CID. Since there was no coverage for the CID – because it was never reported – the insurer asserts the “related claims” provision precludes coverage for both the enforcement action and the civil lawsuit.

When any company receives a CID or government-issued subpoena, the company should consult with insurance coverage counsel and an experienced broker to evaluate potential coverage under any D&O policy and provide prompt notice of the CID to the D&O insurer.

Listen to this post

Some policyholders mistakenly assume that all cyber insurance policies provide coverage for much the same type of losses. But unlike many other types of commercial insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options, from which the organization must purchase specific insuring agreements that match its risk profile. Cyber losses can result from cyber extortion (including the use of ransomware), theft, denial of service attacks, network disruption, and a host of other causes, and can lead to different types of losses, including ransom payments, business interruption, third-party liability due to unauthorized disclosure of confidential information, and regulatory defense and penalties – to name just a few. A given insurance policy may cover any combination of these losses, and some coverages may be optional. It is incumbent on the policyholder to know the risks it needs insured and work with its broker and coverage counsel to find the right policy. 

A decision last month by a federal court in Oregon highlights the risk of litigation when coverage is not clear. In Yoshida Foods International, LLC v. Federal Insurance Company, the policyholder suffered a ransomware attack demanding payment of $107,074.20 in cryptocurrency to recover encrypted data. Because Yoshida lacked access to cryptocurrency, one of its executives paid the ransom from his personal cryptocurrency account and was later reimbursed by the company. The policy did not explicitly provide coverage for extortion, ransomware, or encryption, but did cover a “direct loss” caused by “Computer Fraud,” which included unlawful taking of money resulting from unauthorized entry into a computer system. Federal refused to cover the ransomware payment, arguing among other things that the payment was not a “direct loss” insured by the computer fraud coverage grant because the company’s reimbursement to its executive was an indirect or consequential loss, and because the transfer of funds represented the company’s conscious decision instead of direct theft by the criminals. Over Federal’s objections, the district court found the policy language was broad enough to encompass the ransomware attack, obligating the insurer to indemnify Yoshida for its loss. The policyholder prevailed – but only after litigating the scope of the insurance policy that it purchased.

The Yoshida Foods decision is not binding on other courts, and another jurisdiction could reach a different interpretation of similar policy language. But the coverage dispute might have been avoided if the policy included a specific coverage grant for extortion and ransomware. Amid the assortment of options in the cyber insurance market, policyholders are well advised to shop for policies that clearly identify the risks the organization intends to cover, while also paying attention to limits, definitions, conditions, and exclusions. 

A cross-office Bradley team recently scored a bad faith victory for Sinclair Oil on March 18, 2022. The case involved a hotly contested business interruption loss and the delayed and frustrating recovery process that followed. Sinclair believed that its post-fire business losses were clearly covered by their Marsh-manuscripted all risks policy and that it was entitled to compensation for delayed payment on that claim. And by the end of a week-long trial, the jury agreed. The results of this case provide positive signs for insurance policyholders in bad faith claims.

Background

In 2013, an exploded control valve and subsequent fire severely damaged a hydrodesulfurization unit in Sinclair’s refinery near Rawlins, Wyoming. The resulting case was filed in 2015 against a hold-out insurer in Switzerland, Infrassure Ltd, which was one of more than a dozen carriers on Sinclair’s London market-based property program. For many years, Infrassure successfully delayed paying its 7.5% part of Sinclair’s refinery fire insurance claim, holding it up through assertions of a government-regulated runoff, motions practice, appraisal, and appeals.

The Issues & Challenges of the Case

In 2017, the trial court dismissed the original bad faith claim on a choice of law issue, concluding that because Sinclair was headquartered in Utah, its insurance policy that covered its Wyoming refinery was not “delivered or issued for delivery” in Wyoming and could not receive Wyoming’s sharp edged extra-contractual policyholder protections. Sinclair successfully challenged that ruling in the Tenth Circuit and the Wyoming Supreme Court, securing an appellate victory and winning back its bad faith claim. The Wyoming Supreme Court unanimously ruled for Sinclair in May 2021, and the Tenth Circuit granted this rare remand jury trial solely on whether Infrassure acted in bad faith.

The Result & Takeaways

During the jury instruction conference, Infrassure conceded that the mountain of evidence showed that there actually was a delay, leaving only the question of whether the delay was “unreasonable or without cause”. After strong closing arguments, the jury rendered a plaintiff’s verdict for Sinclair Oil—finding that “[the carrier] unreasonably and without cause delayed payment of Sinclair’s covered insurance claim.”

The outcome of this case provides a couple of key takeaways for business owners:

  1. Even if your bad faith claim hits a roadblock, you may have other options to recover your losses. Many states have statutes that guarantee insureds payment or denial within a certain time period. If you feel like your insurer has been giving you the runaround, you may have legal options beyond a traditional bad faith claim.
  2. Post-appraisal payment recovery is a developing area of insurance law. Policyholders may be able to recover for payments that are ultimately late or that do not roughly correspond to the amount ultimately owed. See Sinclair Wyo. Ref. Co. v. Infrassure, Ltd, 970 F.3d 1317 (10th Cir. 2020); Randel v. Travelers Lloyds of Tex. Ins. Co., 9 F.4th 264 (5th Cir. 2021). Your bad faith business interruption case would benefit from having experienced trial and appellate counsel to guide you through these novel issues.

If your business has a concern about carrier claims handling practices during an extraordinary time element loss, we can work with your broker and resources to get to the right result – final fair payment.

Bradley’s team included Geoffrey Greeves, Kate Margolis, Marc Ayers, Justin Miller, and Anne Miles Golson.