Some policyholders mistakenly assume that all cyber insurance policies provide coverage for much the same type of losses. But unlike many other types of commercial insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options, from which the organization must purchase specific insuring agreements that match its risk profile. Cyber losses can result from cyber extortion (including the use of ransomware), theft, denial of service attacks, network disruption, and a host of other causes, and can lead to different types of losses, including ransom payments, business interruption, third-party liability due to unauthorized disclosure of confidential information, and regulatory defense and penalties – to name just a few. A given insurance policy may cover any combination of these losses, and some coverages may be optional. It is incumbent on the policyholder to know the risks it needs insured and work with its broker and coverage counsel to find the right policy. 

A decision last month by a federal court in Oregon highlights the risk of litigation when coverage is not clear. In Yoshida Foods International, LLC v. Federal Insurance Company, the policyholder suffered a ransomware attack demanding payment of $107,074.20 in cryptocurrency to recover encrypted data. Because Yoshida lacked access to cryptocurrency, one of its executives paid the ransom from his personal cryptocurrency account and was later reimbursed by the company. The policy did not explicitly provide coverage for extortion, ransomware, or encryption, but did cover a “direct loss” caused by “Computer Fraud,” which included unlawful taking of money resulting from unauthorized entry into a computer system. Federal refused to cover the ransomware payment, arguing among other things that the payment was not a “direct loss” insured by the computer fraud coverage grant because the company’s reimbursement to its executive was an indirect or consequential loss, and because the transfer of funds represented the company’s conscious decision instead of direct theft by the criminals. Over Federal’s objections, the district court found the policy language was broad enough to encompass the ransomware attack, obligating the insurer to indemnify Yoshida for its loss. The policyholder prevailed – but only after litigating the scope of the insurance policy that it purchased.

The Yoshida Foods decision is not binding on other courts, and another jurisdiction could reach a different interpretation of similar policy language. But the coverage dispute might have been avoided if the policy included a specific coverage grant for extortion and ransomware. Amid the assortment of options in the cyber insurance market, policyholders are well advised to shop for policies that clearly identify the risks the organization intends to cover, while also paying attention to limits, definitions, conditions, and exclusions. 

A cross-office Bradley team recently scored a bad faith victory for Sinclair Oil on March 18, 2022. The case involved a hotly contested business interruption loss and the delayed and frustrating recovery process that followed. Sinclair believed that its post-fire business losses were clearly covered by their Marsh-manuscripted all risks policy and that it was entitled to compensation for delayed payment on that claim. And by the end of a week-long trial, the jury agreed. The results of this case provide positive signs for insurance policyholders in bad faith claims.

Background

In 2013, an exploded control valve and subsequent fire severely damaged a hydrodesulfurization unit in Sinclair’s refinery near Rawlins, Wyoming. The resulting case was filed in 2015 against a hold-out insurer in Switzerland, Infrassure Ltd, which was one of more than a dozen carriers on Sinclair’s London market-based property program. For many years, Infrassure successfully delayed paying its 7.5% part of Sinclair’s refinery fire insurance claim, holding it up through assertions of a government-regulated runoff, motions practice, appraisal, and appeals.

The Issues & Challenges of the Case

In 2017, the trial court dismissed the original bad faith claim on a choice of law issue, concluding that because Sinclair was headquartered in Utah, its insurance policy that covered its Wyoming refinery was not “delivered or issued for delivery” in Wyoming and could not receive Wyoming’s sharp edged extra-contractual policyholder protections. Sinclair successfully challenged that ruling in the Tenth Circuit and the Wyoming Supreme Court, securing an appellate victory and winning back its bad faith claim. The Wyoming Supreme Court unanimously ruled for Sinclair in May 2021, and the Tenth Circuit granted this rare remand jury trial solely on whether Infrassure acted in bad faith.

The Result & Takeaways

During the jury instruction conference, Infrassure conceded that the mountain of evidence showed that there actually was a delay, leaving only the question of whether the delay was “unreasonable or without cause”. After strong closing arguments, the jury rendered a plaintiff’s verdict for Sinclair Oil—finding that “[the carrier] unreasonably and without cause delayed payment of Sinclair’s covered insurance claim.”

The outcome of this case provides a couple of key takeaways for business owners:

  1. Even if your bad faith claim hits a roadblock, you may have other options to recover your losses. Many states have statutes that guarantee insureds payment or denial within a certain time period. If you feel like your insurer has been giving you the runaround, you may have legal options beyond a traditional bad faith claim.
  2. Post-appraisal payment recovery is a developing area of insurance law. Policyholders may be able to recover for payments that are ultimately late or that do not roughly correspond to the amount ultimately owed. See Sinclair Wyo. Ref. Co. v. Infrassure, Ltd, 970 F.3d 1317 (10th Cir. 2020); Randel v. Travelers Lloyds of Tex. Ins. Co., 9 F.4th 264 (5th Cir. 2021). Your bad faith business interruption case would benefit from having experienced trial and appellate counsel to guide you through these novel issues.

If your business has a concern about carrier claims handling practices during an extraordinary time element loss, we can work with your broker and resources to get to the right result – final fair payment.

Bradley’s team included Geoffrey Greeves, Kate Margolis, Marc Ayers, Justin Miller, and Anne Miles Golson.

On December 31, 2021, New York imposed draconian new insurance disclosure requirements on defendants in New York state courts when Gov. Kathy Hochul signed the Comprehensive Insurance Disclosure Act (Senate Bill 7052) into law. The new law, amending Section (f) of New York Civil Practice Law and Rules (C.P.L.R.) § 3101 and adding New York C.P.L.R. § 3122-B, imposes insurance disclosure requirements so severe that, just two weeks after its enactment, the New York Senate introduced an amendment, Senate Bill 7882, that reduces – but does not eliminate – the burden resulting from these new disclosure requirements. Gov. Hochul has signaled her support for Senate Bill 7882.

If approved and signed into law, Senate Bill 7882 moderates § 3101’s new onerous disclosure obligations on defendants, third-party defendants, and cross-claim and counter-claim defendants, but the obligations remain burdensome and problematic, as discussed further below.

Before the legislature amended C.P.L.R. § 3101(f) through Senate Bill 7052, § 3101(f) permitted parties to seek insurance information through discovery:

“A party may obtain discovery of the existence and contents of any insurance agreement under which any person carrying on an insurance business may be liable to satisfy part or all of a judgment which may be entered in the action or to indemnify or reimburse for payments made to satisfy the judgment. Information concerning the insurance agreement is not by reason of disclosure admissible in evidence at trial. For purpose of this subdivision, an application for insurance shall not be treated as part of an insurance agreement.”

Senate Bill 7052 amended C.P.L.R § 3101(f) to require defendants to disclose insurance information. Defendants must:

  • Provide proof of insurance to the plaintiff and any other party in a New York state case within 60 days after service of an answer;
  • Disclose the insurance information for policies and programs sold or delivered within the state of New York in place at the time of the loss (putting aside any ensuing confusion between claims-made and occurrence policies) for a dizzying array of insurance structures (as stated in section f(1)(i)): “all primary, excess and umbrella policies, contracts or agreements issued by private or publicly traded stock companies, mutual insurance companies, captive insurance entities, risk retention groups, reciprocal insurance exchanges, syndicates, including, but not limited to, Lloyd’s Underwriters as defined in section six thousand one hundred sixteen of the insurance law, surplus line insurers and self-insurance programs;”
  • Disclose the contact information, including the telephone number and email address, of the assigned claims adjustor and third-party administrators (TPA), including the person at the insurer to whom the TPA reports (a remarkable interjection of a plaintiff into an insured’s relationship with its insurers);
  • Disclose any lawsuits that may erode or reduce the policy, and any lawsuit and attorneys’ fee amounts that have eroded or reduced the policy; and
  • Ensure the accuracy of their disclosures due to an “ongoing obligation to make reasonable efforts to ensure that the information remains accurate and complete” and to update information within 30 days of receipt – the obligation continues until 60 days after entry of final judgment after all appeals.

Senate Bill 7052 also amended C.P.L.R § 3101(f) by deeming an insurance application to be part of the insurance policy (before amendment, § 3101(f) considered an insurance application not part of the insurance policy).

Finally, Senate Bill 7052’s amendments to C.P.L.R § 3101(f) were immediate and retroactive – applying to all pending suits, with compliance required within 60 days.

Pending Senate Bill 7882 moderates some of Senate Bill 7052’s drastic changes to C.P.L.R § 3101(f) by:

  • Allowing defendants 90 days rather than 60 days from filing an answer to provide the insurance information and permitting production of the declaration page only if the plaintiff consents (neither bill required defendants to disclose proof of insurance after filing a motion to dismiss in lieu of an answer);
  • Adding the phrase “insofar as such documents relate to the claim being litigated” to the disclosure required for policies and programs sold or delivered within New York;
  • Requiring disclosure of only the name and email address of the assigned claims adjustor;
  • Eliminating the required disclosure of any lawsuits and attorneys’ fee amounts that may or have eroded or reduced the policy;
  • Requiring defendants to disclose any updated insurance information, including when “filing of the note of issue” (a notice to the court that the case is trial ready), at the commencement of court-ordered settlement negotiations, at voluntary mediation, at trial, and for 60 days after entry of final judgment or settlement after all appeals;
  • Exempting personal injury protection cases from these disclosure requirements;
  • Returning to the former § 3101(f) language recognizing that an application is not part of an insurance agreement; and
  • Making these new requirements prospective (not retrospective) from the effective date of Senate Bill 7052 (thus superseding the prior amendment and eliminating the severe administrative burden of imposing the requirements on all pending cases and eliminating the more severe requirements enacted by Senate Bill 7052, which is now the law of New York).

Strategies for Compliance

Risk managers, in-house legal staff, and outside counsel should implement a coordinated strategy to ensure compliance with these disclosure requirements. To comply with C.P.L.R. § 3101(f), organizations should take the following steps:

  1. Coordinate with your broker to ensure that you have the responsive documents on hand.
  2. Centralize this disclosure process across all New York state cases through in-house counsel or a single outside counsel to ensure consistent responses.
  3. Require a confidentiality agreement or protective order before disclosing any insurance information.
  4. When disclosing, redact confidential information, but expect plaintiffs to challenge any redactions given the law’s scope.
  5. Identify only potentially responsive policies and programs using the following guidelines:
    • Sold or delivered in New York. Unfortunately, only litigation or further legislative action will clarify whether § 3101 (f)(1)(i)’s limitations to policies and programs “sold or delivered within the state of New York” limit the scope of the broader language of § 3101 (f)(1), which requires disclosure of “proof of the existence and contents of any insurance agreement under which any person or entity may be liable to satisfy part or all of a judgment . . . or to indemnify or reimburse for payments made to satisfy entry of the final judgment.” Even if the disclosure obligations are limited to policies sold or delivered within the state of New York, organizations headquartered in the state and those using brokers located in the state must disclose their insurance information. Because many insureds utilize brokers headquartered in New York, the reference to “sold or delivered in New York” could be particularly problematic. Anticipate litigation over this issue.
    • Insofar as such documents relate to the claim being litigated. Determine whether the insurance information is relevant to the legal dispute; provide only insurance information that would provide coverage for the claim. If Senate Bill 7882 does not become law, this limitation will not be available. Even if it does, anticipate litigation over this issue.
    • Under which any person or entity may be liable. The amount of the potential liability determines the scope of mandatory disclosure. Once again, anticipate litigation over this issue because:
      • Primary policies with high deductibles may not respond.
      • Excess policies in insurance programs with high self-insured retentions may not respond.
      • Umbrella or excess policies may not respond depending upon the amount of the potential liability.
  • All primary, excess, and umbrella policies, etc. Responsive insurance information includes captive insurance, risk retention groups, insurance exchanges, syndicates, and self-insurance programs.
  1. Begin by disclosing declaration pages only. (Declaration pages are not certificates of insurance.)
  2. For automobiles subject to New York insurance laws, consider complying with New York’s financial responsibility laws by means other than through insurance policies.
  3. Monitor legislative developments and urge legislators and Gov. Hochul to further limit these overreaching insurance disclosure requirements.
  4. Consult with coverage counsel to ensure proper compliance with this law.