Cyber Insurance: Courts’ Recent Decisions May Change What Your Policy Covers

Cyber incidents can take many forms: phishing, insider theft, SQL injection, malware, denial of service, session hijacking, credential harvesting, or just old-fashioned “hacking.” Although many of these attack vectors require technical knowledge, some rely on deception to manipulate individuals into performing certain actions or divulging confidential information.

In what is commonly referred to as “social engineering,” a perpetrator exploits human behavior to pull off a scam. Often this arrives as an email that appears to come from a trusted colleague, vendor, or business partner and asks for a wire transfer to a particular account to settle a bill or pay for services.

To date, claims for losses from these social engineering schemes have often been denied under cyber or computer fraud insurance policies, with many carriers insisting that the policies cover only hacking-type intrusions.

In recent months, that stance has been rejected twice: once by the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co. and once by the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America.

In both cases, the court found for the policyholder in a dispute over coverage for a social engineering scheme. In Medidata, the insured sued, claiming that its losses from an email spoofing attack were covered by the computer fraud provision in its policy. The provision at issue covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The court reasoned that, although no hacking occurred, the perpetrators crafted a computer-based spoofing code that enabled them to send messages that appeared to come from one of Medidata’s employees. Similarly, in American Tooling, a fraudster sent a series of emails, purportedly from a vendor, requesting that American Tooling wire payments to new accounts. American Tooling wired over $800,000 before realizing that the emails were fraudulent. The Sixth Circuit found that the loss was covered under the policy and that none of the asserted exclusions applied, holding that the emails were computer fraud that directly caused the loss.

Companies should understand the complexity and variety of cyber incidents they face, build in mechanisms to defeat social engineering scams by validating payment and account-change requests out of band (for example, by calling a number already on file rather than one supplied in the email), and review their cyber and crime insurance policies to ensure that they take full advantage of available coverage. These cases also serve as a reminder to have a clear incident response plan in place and to quickly engage counsel who understands the complexities of the incident, as well as the insurance coverage, in order to minimize loss.
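The spoofing patterns at the heart of Medidata and American Tooling (a message dressed up as a colleague, a vendor domain that is one character off, a Reply-To that quietly redirects the answer, and a request to change where money goes) can be screened for mechanically before a payment request reaches the person who can approve it. The script below is an added example written for this post; it is not code from the original article, from Bradley, or from any party to the cases. The domains example.com and vendor-example.com, the executive name, the phrase list, and the three sample messages are constructed assumptions for illustration only. Such a filter narrows what a human must verify; it does not replace the out-of-band callback.

```python
"""Heuristic checks for the e-mail spoofing patterns behind BEC wire fraud.
Added example, not code from the post; domains, names and phrases are assumed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com", "vendor-example.com"}  # assumed: us and a paid vendor
IMPERSONATION_TARGETS = {"jane doe"}                      # assumed: executives worth spoofing
PAYMENT_RE = re.compile(                                  # assumed payment-diversion wording
    r"\b(wire transfer|wire the|new (?:bank )?account|"
    r"updated (?:bank|banking|payment) (?:details|information))\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming; used for look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (one edit away, or a 0/1-for-o/l swap), or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    swap = str.maketrans("01", "ol")
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain.translate(swap) == trusted.translate(swap) or _edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def bec_indicators(raw_message: str) -> List[str]:
    """Parse one RFC 5322 message and list the spoofing indicators it trips."""
    msg = message_from_string(raw_message)
    hits: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    # 1. A known executive's display name on an address outside our domains.
    if from_name.strip().lower() in IMPERSONATION_TARGETS and from_dom not in TRUSTED_DOMAINS:
        hits.append(f"display-name spoof: '{from_name}' sent from {from_dom}")
    # 2. Reply-To routes the victim's answer somewhere other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        hits.append(f"reply-to mismatch: {from_dom} -> {_domain(reply_addr)}")
    # 3. Sender domain imitates a domain we trust.
    target = lookalike_of(from_dom)
    if target:
        hits.append(f"look-alike domain: {from_dom} imitates {target}")
    # 4. The message asks to change where money is sent.
    if PAYMENT_RE.search(_body_text(msg)):
        hits.append("payment-diversion language in body")
    return hits


# Constructed samples (not real messages): vendor impersonation via a look-alike
# domain, executive impersonation from webmail, and a genuine invoice for contrast.
SAMPLE_VENDOR = """\
From: Accounts Receivable <billing@vendor-examp1e.com>
Reply-To: <ar.vendor@mail-example.net>
To: ap@example.com
Subject: Updated bank details for invoice 4471

Please note our new account for this and all future payments.
Kindly wire the outstanding balance to the account below.
"""
SAMPLE_EXEC = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: cfo@example.com
Subject: quick favour

I'm in a meeting; please wire transfer 48,000 today. Details follow.
"""
SAMPLE_LEGIT = """\
From: Accounts Receivable <billing@vendor-example.com>
To: ap@example.com
Subject: Invoice 4471

Attached is invoice 4471, payable on the usual terms.
"""

if __name__ == "__main__":
    for label, sample in (("vendor", SAMPLE_VENDOR), ("exec", SAMPLE_EXEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

Run as a script, the vendor sample trips three indicators (redirected Reply-To, the digit-for-letter look-alike domain, and payment-change wording), the executive sample trips two, and the genuine invoice trips none. The look-alike test deliberately stays narrow (one edit or a homoglyph swap) so that unrelated domains do not flood the queue; a real deployment would also check SPF/DKIM results and whether the sending domain was registered recently.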

Upcoming Event – Insurance for Cyber Risk – and the Disputes About Its Scope: The Good, the Bad, and the Ugly

Bradley attorney Emily Ruzic will present “Insurance for Cyber Risk – and the Disputes About Its Scope: The Good, the Bad, and the Ugly” as part of DRI’s Cybersecurity and Data Privacy conference.

The session will provide an overview of cyber threats, which now include hacking, ransomware attacks, social engineering, and other schemes. The panel features guest speakers Michael Carr of Brit Global Specialty USA and Anna M. Stafford of Travelers and is moderated by Bradley attorney Emily M. Ruzic.

When:  Thursday, September 6, 2018, 1:30PM – 2:15PM CDT

Where:  Loews Chicago Hotel

What:  As insurance for cyber risks becomes increasingly common, so too do disagreements about the scope and application of the coverages available. This panel will examine underwriting and claims challenges, insurance coverage disputes, and regulatory pressures on financial and other institutions regarding cyber insurance.

For more information about the event, please review the conference agenda and register on the conference website.

We look forward to seeing you there!

Increased FTC Enforcement Highlights Need for Cyber Regulatory Coverage

Regulatory components of cyber insurance policies are becoming increasingly valuable as data-breach enforcement continues to surge. The Federal Trade Commission (FTC or Commission), the nation’s primary privacy and data security enforcer, has announced another record year of enforcement actions regarding consumer privacy. In 2017, the FTC brought nearly two hundred privacy and data security cases. Generally, getting hacked alone will not invite a lawsuit from the FTC, but failing to take corrective action (resulting in a subsequent breach) can attract regulators’ attention. When it does act, the Commission requires companies to take affirmative steps to remediate the unlawful conduct, typically under a consent order. In addition, the FTC may seek civil monetary penalties, for example for violations of the Children’s Online Privacy Protection Act or of an existing order.

Recent FTC Enforcement Activities

Many well-known companies were targets of FTC investigations or enforcement actions in 2017, including Equifax, Lenovo, and VIZIO. Just last month, the FTC announced a settlement with electronic toymaker VTech, stemming from a data breach in 2015. VTech agreed to pay $650,000 to settle allegations that it violated the Children’s Online Privacy Protection Act, which generally requires websites and apps to obtain parental consent before collecting personal information from children under 13 years of age. The FTC alleged that VTech had collected personal information from children without providing the requisite notice or obtaining the parent’s consent. The Commission also claimed that VTech had failed to take reasonable steps to secure the data it had collected.

Coverage for Fines and Penalties

As the FTC continues to increase enforcement actions, regulatory components of cyber insurance policies are becoming increasingly valuable. Cyber regulatory defense and penalties coverage is one of the rare types of insurance that may affirmatively cover fines and penalties. For example, the AIG CyberEdge Security and Privacy Liability Insurance defines covered “Loss,” in part, as “civil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty is uninsurable under the law of the jurisdiction imposing such fine or penalty.” Other cyber policies provide coverage for “Penalties,” meaning “any civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission . . . or any other federal, state, local or foreign governmental entity.” Like the AIG definition, these policies also caution that applicable state law may not allow for coverage, stating “the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.” As with the insurability of punitive damages, there is no uniform view on whether fines and penalties can be insured, even where policy language expressly provides for such coverage. Insurers are likely to challenge coverage for fines and penalties that stem from intentional or willful conduct, arguing that such loss is uninsurable as a matter of public policy.

Coverage for Defense and Investigative Costs

Cyber policies can also provide coverage for defense and investigative costs in connection with governmental investigations. Typically, the insurer will agree to pay attorneys’ fees, as well as other legal costs, excluding the insured’s internal costs, such as salary or overhead. Commonly, the insurer agrees to pay “Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding.” Notably, FTC actions and investigations are included in traditional definitions of “Regulatory Proceeding.” Defense and investigation costs can add up quickly, making this portion of cyber coverage quite valuable.

Conclusion

Insurance for regulatory actions stemming from data breaches is readily available in the marketplace. While it remains unclear whether fines and penalties are insurable, as a matter of public policy, insurers are consistently providing coverage for defense and investigative costs in connection with cyber events. As the FTC continues to investigate data security and privacy issues, companies should continue to evaluate cyber-regulatory coverage as it can be a valuable part of business insurance portfolios.

2018 Allianz Risk Barometer Highlights Business Interruption and Cyber as Two Most Important Risks of New Year

Allianz’s yearly survey of nearly 2,000 risk experts from 80 countries highlights business interruption and cyber incidents as the top two threats to companies through 2018 and beyond. Forty-two percent of responses identified business interruption (BI) as the most important global risk because it can substantially impact revenues, so it is no surprise that BI has been ranked the most important risk for six years in a row. New for 2018, however, is that cyber incidents are the most feared BI trigger.

In addition to their potential to trigger BI, cyber incidents were identified as the second most important risk of 2018 (40 percent of responses). In particular, risk experts highlighted attacks on shared internet infrastructure (with the potential to harm many companies at once) as an increasing risk. Large-scale attacks of this kind, such as the October 2016 Mirai botnet attack on Dyn that took down Twitter, SoundCloud, Spotify, Reddit, and a host of other sites for hours, can substantially disrupt online operations and can be used to extort multiple companies.

The Allianz report highlights what most policyholders already know: Cyber risk, whether in the form of business interruption, data‑breach liability, extortion, or otherwise, continues to expand at an almost breathtaking pace.

Every organization should survey the threat landscape to measure cyber exposure in six key risk areas:

  1. Business email compromise (BEC) scams
  2. Ransomware
  3. Distributed denial of service (DDoS)
  4. Data breach
  5. Theft of intellectual property
  6. Destruction or damage to computer systems

Surveying the cyber risk landscape is only the first step. For most organizations, the next step — cyber risk mitigation — includes purchasing cyber insurance. Due to the evolving nature of cyber insurance, and insurers’ differing tolerances for undertaking cyber risk, organizations must carefully assess proposed cyber insurance policies. Coverage grants vary and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.

  • Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
  • Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
  • Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
  • Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
  • Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
  • PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of cardholder information (and generally requires proof of compliance with PCI standards).

For more information on mitigating your organization’s cyber risks through cyber insurance, our previous article, published by MISTI Infosec Insider, provides a more detailed overview of the factors to consider when managing a cyber‑insurance program.

Bradley Attorneys Highlight Cyber Insurance Risks to Consider When Acquiring a Company

In a recent article published by Mergers & Acquisitions, Bradley’s Policyholder Practice Group Leader Katherine Henry and policyholder coverage attorney Brendan Hogan explain some of the risks companies need to consider when evaluating potential merger and acquisition targets.

This article covers how companies can mitigate M&A risk by:

  • Reviewing key cyber risk management procedures the target company should have in place
  • Assessing the target company’s insurance assets and potential liability
  • Understanding specific cyber insurance coverage grants (data breach, fraud and theft, business interruption, and remediation) and the risks they help mitigate

Read the full article by visiting the Mergers & Acquisitions website.

Insurance Purchasers Beware: Florida Court Finds No Duty to Defend Data Breach Claim Under CGL Personal & Advertising Injury Coverage

On November 17, 2017, a U.S. district court in Florida narrowly construed personal and advertising injury coverage for data-breach claims under a commercial general liability (CGL) policy. In Innovak International, Inc. v. The Hanover Insurance Co., the court held that The Hanover Insurance Company (the insurer) had no duty to defend Innovak International, Inc. (the insured) against a putative class action arising from a data breach that compromised users’ personal private information (“PPI”).

The court narrowly construed the policy’s definition of “personal and advertising injury,” which included “[o]ral or written publication in any manner of material that violates a person’s right of privacy.” Although the definition does not say that the insured must be the one who publishes the material, the court held that the policy extended coverage only to publication by the insured.

The court held that “[t]he act that violates the claimants’ right of privacy is the publication of their PPI, and the Underlying Claimants have not alleged that Innovak directly or indirectly committed that act.” The court rejected Innovak’s argument that the phrase “in any manner” includes both “direct publication of PPI and negligent failure to prevent third parties from obtaining the PPI.” Following a New York state court decision (Zurich American Insurance v. Sony Corporation of America), the Florida court construed the phrase “in any manner” to refer to the medium rather than the sender of the information.

The court also rejected Innovak’s argument that the putative class action complaint alleged that Innovak indirectly published the PPI. The court held that the complaint clearly alleged that Innovak failed to protect the users’ PPI by failing to implement sufficient data security measures – which is not an allegation of publication at all. The court distinguished a California case, Hartford Casualty Insurance Co. v. Corcino & Associates, et al., because that complaint alleged that the insured posted private information on a public website, and the court did not address the same legal issues.

Finally, the court gave short shrift to Innovak’s argument that Hanover had waived the defense by omitting it from its denial letter, because the defense was in fact included in the letter.

This case serves as a reminder that organizations should not assume that their commercial general liability policies will cover losses from data breaches – even if the organization purchases a data breach enhancement, as Innovak did. The policy’s Data Breach Form provided only data breach services and paid only data breach expenses and expressly excluded “fees, costs, settlements, judgments or liability of any kind” arising out of a data breach. The lack of coverage under the Data Breach Form left Innovak with only the personal and advertising injury coverage, which, in this instance, did not extend to the putative class action against Innovak.

As often mentioned on this blog, prudent insureds should purchase dedicated cyber insurance coverage if at all possible. Smaller organizations may rely on coverage enhancements to their existing insurance programs but should recognize the risk of that strategy. Under either a traditional or a specialized cyber insurance program, all insureds should scrutinize policy language to understand the scope of coverage and, more importantly, the limitations of that coverage for data breach and other cyber-related exposures.

Bradley’s Policyholder Insurance Group is pleased to present “Is the Cyber Liability Exclusion the New Pollution Exclusion? Analyzing Commercial and Product Liability Coverage Issues in Today’s Connected World” as part of our ongoing Policyholder Insurance Webinar Series.

This webinar will feature detailed information about the potential risks and coverage gaps facing policyholders presented by Bradley attorney Katherine J. Henry.

When: Thursday, September 28, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Decades ago, insurance companies added a total pollution exclusion to commercial general liability policies in response to rulings allowing coverage for the costs of pollution cleanup. In the years after insurers first included this exclusion, they used its broad wording to deny coverage for an ever-wider range of alleged contaminants. Today, commercial policyholders may face the same risk with the cyber liability exclusion. Intended to exclude coverage for data-breach-related claims under CGL policies, the broad wording of the cyber liability exclusion creates the potential for similar expansion, and resulting coverage gaps, in today’s interconnected world. Join us for a detailed discussion of the potential risks and coverage gaps facing policyholders, as well as strategies for preserving coverage and eliminating potential gaps.

We look forward to seeing you there!

Upcoming webinars in the Policyholder Insurance Webinar Series:

  • Thursday, October 19: What Blockchain Means for Your Insurance
  • Thursday, November 9: Is That Drone Insured?

Bradley’s Policyholder Insurance Group is pleased to present “Navigating Your Cyber Liability Policy” as part of our ongoing Insurance Policyholder Webinar Series.

This webinar will feature detailed information about cyber insurance presented by Bradley attorneys Katherine J. Henry and Emily M. Ruzic.

When: Thursday, April 13, 2017, 11:30AM – 12:30PM CST

Where: Webinar Registration

What: Does it pay to be covered for cyber liability? For many companies, the answer is an unqualified “yes.” During this webinar, you will learn about the types of cyber insurance coverage available in the insurance market today, including coverage for business interruption and cyber extortion, as well as pre- and post-loss services included in cyber policies. This webinar will provide the tools necessary to evaluate whether your company would benefit from cyber insurance, an increasingly important part of corporate insurance programs.

We look forward to seeing you there!

Upcoming webinars in the Insurance Policyholder Webinar Series:

  • Thursday, June 22: Finance Insurance
  • Thursday, September 28: Securing and Insuring the Internet of Things
  • Thursday, October 19: What Blockchain Means for Your Insurance
  • Thursday, November 9: Is That Drone Insured?

A Close Look at Policy Wording Is Essential to Ensure Coverage for Cyber Risks

As the demand for insurance coverage for cyber-related losses continues to grow, more insurers are offering cyber insurance policies and endorsements, but the market is far from mature and the available policies far from complete. Insurers have not adopted a unified approach to cyber policies, nor do they offer identical coverages. Because available cyber policies and endorsements vary so widely, policyholders should carefully weigh their cyber risks against proposed cyber coverage to understand the scope of coverage actually available to address company exposures. Insureds should closely examine policy wording rather than relying on policy labels or marketing materials.

One of the first published cases interpreting a cyber policy illustrates this point. When hackers accessed 60,000 credit card numbers in P.F. Chang’s customer database, the restaurant chain’s cyber policy covered the costs of the forensic investigation into the cause of the breach (to prevent a recurrence) and the costs of defending customer lawsuits arising from the breach, to the tune of some $1.7 million (P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co.). Most cyber policies include coverage for first-party losses as well as liability to third parties. Unfortunately, P.F. Chang’s cyber policy did not cover the nearly $2 million in assessments imposed by card networks such as MasterCard for items such as notifications to cardholders and reissuance of cards compromised by the breach. Many cyber policies offer coverage for these types of fines and penalties, albeit for an additional premium.

Those expenses, including fines and penalties, were passed through to P.F. Chang’s under its Master Services Agreement with the restaurant’s third-party credit card processor, Bank of America Merchant Services (BAMS). The agreements between processors such as BAMS and the card associations require the processors to abide by the Payment Card Industry Data Security Standard (PCI DSS) and to pay for losses arising from a data breach. These rules and obligations were incorporated into the contract between P.F. Chang’s and BAMS, requiring P.F. Chang’s to reimburse BAMS for any PCI DSS assessments.

P.F. Chang’s and other restaurants and retailers rely on these processors to handle credit card transactions every day. Yet in no fewer than three places, P.F. Chang’s cyber policy excluded liability assumed under a contract such as the one with BAMS. Arizona’s policyholder-friendly “reasonable expectations” doctrine could not save P.F. Chang’s from the court’s reading of the policy’s plain wording.

A contractual liability exclusion is a standard exclusion in most commercial general liability policies. However, the exclusion typically incorporates exceptions for “insured contracts.” CGL policies incorporate this exclusion because these policies are primarily intended to cover a third party’s tort claims against a policyholder, not a policyholder’s financial losses arising from a contract. CGL policies also typically exclude coverage for fines and penalties such as those imposed by credit card associations. The P.F. Chang’s decision highlights the need for contractual liability, fines and penalties coverage for policyholders who accept credit card payments.

On January 27, 2017, the Ninth Circuit granted a joint stipulation to dismiss P.F. Chang’s appeal of the district court’s decision after the parties reached a settlement. The terms of the settlement are not public, but the settlement leaves this insurer-friendly decision on the books, to the detriment of policyholders.

This watershed case is a cautionary tale. The wild world of cyber-related risks is difficult to pin down – ranging from the obvious but mundane, such as theft of a company laptop, to the worst case scenario of a system-wide hack that could cause a major disruption and loss of business and extensive liability. As P.F. Chang’s shows, it pays to assess your company’s risks and closely examine your policy to ensure you have the coverage you need.