webinarBradley’s Policyholder Insurance Group is pleased to present “Is the Cyber Liability Exclusion the New Pollution Exclusion? Analyzing Commercial and Product Liability Coverage Issues in Today’s Connected World” as part of our ongoing Policyholder Insurance Webinar Series.

This webinar will feature detailed information about the potential risks and coverage gaps facing policyholders presented by Bradley attorney Katherine J. Henry.

When: Thursday, September 28, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Decades ago, insurance companies added a total pollution exclusion to commercial general liability policies in response to rulings allowing coverage for the costs of pollution cleanup. In the years after insurance companies first included this exclusion, insurers used the broad wording of the pollution exclusion to deny coverage for an increasingly larger amount of alleged contaminants. Today, commercial policyholders may face the same risks with the cyber liability exclusion. Intended to exclude coverage for data-breach-related claims under CGL policies, the broad wording of the cyber liability exclusion creates the potential for similar expansion  and resulting coverage gaps in today’s interconnected world. Join us for a detailed discussion of the potential risks and coverage gaps facing policyholders, as well as strategies for preserving coverage
and eliminating potential gaps.

We look forward to seeing you there!

Upcoming webinars in the Policyholder Insurance Webinar Series:

  • Thursday, October 19: What Blockchain Means for Your Insurance
  • Thursday, November 9: Is That Drone Insured?

webinarBradley’s Policyholder Insurance Group is pleased to present “Navigating Your Cyber Liability Policy” as part of our ongoing Insurance Policyholder Webinar Series.

This webinar will feature detailed information about cyber insurance presented by Bradley attorneys Katherine J. Henry and Emily M. Ruzic.

When: Thursday, April 13, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Does it pay to be covered for cyber liability? For many companies, the answer is an unqualified “yes.” During this webinar, you will learn about the types of cyber insurance coverage available in the insurance market today, including coverage for business interruption and cyber extortion, as well as pre- and post-loss services included in cyber policies. This webinar will provide the tools necessary to evaluate whether your company would benefit from cyber insurance, an increasingly important part of corporate insurance programs.

We look forward to seeing you there!

Upcoming webinars in the Insurance Policyholder Webinar Series:

  • Thursday, June 22: Finance Insurance
  • Thursday, September 28: Securing and Insuring the Internet of Things
  • Thursday, October 19: What Blockchain Means for Your Insurance
  • Thursday, November 9: Is That Drone Insured?

A Close Look at Policy Wording Is Essential to Ensure Coverage for Cyber RisksAs the demand for insurance coverage for cyber-related losses continues to grow, more insurance companies are offering cyber insurance policies and endorsements, but the market is far from mature and the available policies far from complete. Insurers have not adopted a unified approach to cyber policies, nor do they offer identical coverages. Due to the variance between available cyber insurance policies and endorsements, policyholders should carefully weigh their cyber risks against proposed cyber coverage to understand the scope of coverage actually available to address company exposures. Insureds should closely examine policy wording, rather than relying on policy labels or marketing materials.

One of the first published cases interpreting a cyber policy illustrates this point. When hackers accessed 60,000 credit card numbers in P.F. Chang’s customer database, the restaurant chain’s cyber policy covered the costs of the forensic investigation into the cause of the data breach to prevent a recurrence, as well as the costs of defense against customer lawsuits arising from the breach, to the tune of some $1.7 million (P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co.). Most cyber policies include coverage for first-party losses as well as liability to third parties. Unfortunately, P.F. Chang’s cyber policy did not cover the nearly $2 million in expenses imposed by credit card issuers such as MasterCard to pay for such items as notifications to cardholders and reissuance of credit cards compromised by the breach. Many cyber policies offer coverage for these types of fines and penalties, albeit for an additional premium.

Those expenses, including fines and penalties, were passed through to P.F. Chang’s via its Master Services Agreement with the restaurant’s third-party credit card processor, Bank of America Merchant Services (BAMS). The agreements between servicers such as BAMS and credit card associations require the servicers to abide by Payment Card Industry Data Security Standards (PCI-DSS) and pay for losses arising from a data breach. These rules and obligations were incorporated into the contract between P.F. Chang’s and BAMS, requiring P.F. Chang’s to reimburse BAMS for any PCI-DSS assessments.

P.F. Chang’s and other restaurants and retailers rely on these servicers to process credit-card transactions on a daily basis. Yet in no less than three places, P.F. Chang’s cyber policy excluded liability assumed under a contract such as the one with BAMS. The “reasonable expectations” doctrine in Arizona that favors policyholders could not save P.F. Chang’s from the court’s interpretation of the plain wording of the policy.

A contractual liability exclusion is a standard exclusion in most commercial general liability policies. However, the exclusion typically incorporates exceptions for “insured contracts.” CGL policies incorporate this exclusion because these policies are primarily intended to cover a third party’s tort claims against a policyholder, not a policyholder’s financial losses arising from a contract. CGL policies also typically exclude coverage for fines and penalties such as those imposed by credit card associations. The P.F. Chang’s decision highlights the need for contractual liability, fines and penalties coverage for policyholders who accept credit card payments.

On January 27, 2017, the Ninth Circuit granted a joint stipulation to dismiss P.F. Chang’s appeal of the district court’s decision after the parties reached a settlement. We do not know the details of this settlement, although this settlement preserved this insurer-friendly decision to the detriment of policyholders.

This watershed case is a cautionary tale. The wild world of cyber-related risks is difficult to pin down – ranging from the obvious but mundane, such as theft of a company laptop, to the worst case scenario of a system-wide hack that could cause a major disruption and loss of business and extensive liability. As P.F. Chang’s shows, it pays to assess your company’s risks and closely examine your policy to ensure you have the coverage you need.