Cyber Insurance: Court’s Recent Decisions May Change What Your Policy CoversCyber incidents can take many forms—phishing, insider theft, SQL injection, malware, denial of service, session hijacking, credential farming, or just old fashion “hacking.” Although many of these attack vectors employ technical knowledge, some utilize deception to manipulate individuals into performing certain actions or divulging confidential information.

Commonly referred to as “social engineering,” a perpetrator can exploit human behavior to pull off a scam. Oftentimes this comes as an email, which appears to be from a trusted colleague, vendor, or business partner, asking for a wire transfer to a particular account to settle a bill or provide payment for services.

To date, many of these social engineering schemes have been denied under cyber or computer fraud insurance policies, with many insurance carriers insisting that the policies only cover hacking-type intrusions.

In recent months, this stance has been denied—twice. Once by the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co. and once by the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America.

In both cases, the court found in favor of the policyholder in a dispute over coverage for social engineering schemes. In Medidata, the insured brought suit claiming that its losses from an email spoofing attack were covered by a computer fraud provision in its insurance policy. The provision at issue covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The court reasoned that although no hacking occurred, the perpetrators crafted a computer-based spoofing code that enabled the fraudsters to send messages that appeared to come from one of Medidata’s employees. Similarly, in American Tooling, a fraudster send a series of emails, purportedly from a vendor, requesting that American Tooling wire transfer payments to new accounts. American Tooling wired over $800,000 before realizing that the emails were fraudulent. The court in American Tooling found that the loss was covered under the policy and that none of the asserted policy exclusions applied, finding that the emails were computer fraud that directly caused the loss.

Companies should understand the complexity and varied types of cyber incidents that they face, build in mechanisms to avoid engineering scams by validating proposed requests, and review their cyber and crime insurance policies to ensure that they take full advantage of available insurance coverage.  These cases also serve as a reminder to have a clear incident response policy in place and to quickly engage counsel who understands the complexities of the incident, as well as the insurance coverage, in order to minimize loss.

Upcoming Event – Insurance for Cyber Risk – and the Disputes About Its Scope: The Good, the Bad, and the UglyBradley attorney Emily Ruzic will present “Insurance for Cyber Risk – and the Disputes About Its Scope: The Good, the Bad, and the Ugly” as part of DRI’s Cybersecurity and Data Privacy conference.

The event will discuss an overview of cyber threats that now include hacking, ransomware attacks, social engineering, and other schemes. The panel is presented by guest speakers Michael Carr of Brit Global Specialty USA and Anna M. Stafford of Travelers, and moderated by Bradley attorney Emily M. Ruzic.

When:  Thursday, September 6, 2018, 1:30PM – 2:15PM CDT

Where:  Lowes Chicago Hotel

What:  As insurance for cyber risks becomes increasingly common, so too do disagreements about the scope and application of the coverages available. This panel will examine underwriting and claims challenges, insurance coverage disputes, and regulatory pressures on financial and other institutions regarding cyber insurance.

For more information about the event, please review the conference agenda and register on the conference website.

We look forward to seeing you there!

Increased FTC Enforcement Highlights Need for Cyber Regulatory CoverageRegulatory components to cyber insurance policies are becoming increasingly valuable as data-breach enforcement continues to surge. The Federal Trade Commission (FTC or Commission), the nation’s primary privacy and data security enforcer, has announced another record year of enforcement actions regarding consumer privacy. In 2017, the FTC brought nearly two hundred privacy and data security cases. Generally, getting hacked alone will not invite a lawsuit from the FTC, but failing to take corrective actions (resulting in a subsequent breach) could attract attention from regulators. To ensure enforcement, the Commission requires companies to take affirmative steps to remediate unlawful behavior. In addition, the FTC may impose civil, monetary penalties.

Recent FTC Enforcement Activities

Many well-known companies were targets of FTC investigations or enforcement actions in 2017, including Equifax, Lenovo, and VIZIO. Just last month, the FTC announced a settlement with electronic toymaker VTech, stemming from a data breach in 2015. VTech agreed to pay $650,000 to settle allegations that it violated the Children’s Online Privacy Protection Act, which generally requires websites and apps to obtain parental consent before collecting personal information from children under 13 years of age. The FTC alleged that VTech had collected personal information from children without providing the requisite notice or obtaining the parent’s consent. The Commission also claimed that VTech had failed to take reasonable steps to secure the data it had collected.

Coverage for Fines and Penalties

As the FTC continues to increase enforcement actions, regulatory components to cyber-insurance policies are becoming increasingly valuable. Cyber regulatory defense and penalties coverage is one of the rare types of insurance that may affirmatively cover fines and penalties.  For example, the AIG CyberEdge Security and Privacy Liability Insurance defines covered “Loss,” in part, as “civil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty is uninsurable under the law of the jurisdiction imposing such fine or penalty.” Other cyber policies provide coverage for “Penalties,” meaning “any civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission . . . or any other federal, state, local or foreign governmental entity.” Like the AIG definition, these policies also caution that applicable state law may not allow for coverage, stating “the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.” As with the insurability of punitive damages, there is no uniform view regarding whether fines and penalties can be insured, despite policy language expressly providing for such coverage. Insurers are likely to challenge coverage for fines and penalties that stem from intentional or willful conduct, claiming that loss is uninsurable based on public policy arguments.

Coverage for Defense and Investigative Costs

Cyber policies can also provide coverage for defense and investigative costs in connection with governmental investigations. Typically, the insurer will agree to pay attorneys’ fees, as well as other legal costs, excluding the insured’s internal costs, such as salary or overhead. Commonly, the insurer agrees to pay “Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding.” Notably, FTC actions and investigations are included in traditional definitions of “Regulatory Proceeding.” Defense and investigation costs can add up quickly, making this portion of cyber coverage quite valuable.

Conclusion

Insurance for regulatory actions stemming from data breaches is readily available in the marketplace. While it remains unclear whether fines and penalties are insurable, as a matter of public policy, insurers are consistently providing coverage for defense and investigative costs in connection with cyber events. As the FTC continues to investigate data security and privacy issues, companies should continue to evaluate cyber-regulatory coverage as it can be a valuable part of business insurance portfolios.