Insurance should be a central part of every company's breach preparedness strategy. We live in a world in which perfect security is not attainable. It has been shown time and time again that sophisticated hackers – given enough time and resources – can penetrate even the most advanced defensive systems. When breaches occur, they can result in significant costs for forensic investigations, network remediation, customer notifications, credit monitoring, legal fees, regulatory fines, etc. Most of these costs can be covered by insurance, such that an effective insurance programme can significantly reduce the financial consequences of any breach incident.
The aim of this chapter is to assist organisations and their advisers in developing an insurance programme to protect against cyber risk. Most of the chapter is devoted to cyber insurance policies, which are the most effective vehicle for covering cyber losses. We explain the major features of cyber policies, offer suggestions for the procurement process and discuss best practices for pursuing insurance claims following a cyberattack. We also review the cover available for cyber risk under other types of insurance policies and significant case law that addresses these issues.
The evolution of cyber insurance
The origins of insurance for cyber risk can be traced to the first years of the 21st century. With the explosion of the internet as a platform for commerce, businesses began looking for ways to insure the litigation risks associated with their online activities. The earliest cyber policies, labelled Tech E&O and Media E&O cover, emerged between 2000 and 2005 as a new form of professional liability insurance for companies in the technology and media sectors.
The demand for cyber insurance increased dramatically following the first wave of massive data breaches reported by US businesses between 2007 and 2009. When a cyberattack resulted in theft of personal data, it was often followed by class action lawsuits by the affected consumers. Faced with these risks, corporate policyholders sought insurance that would cover a broad range of breach-related costs, including forensic expenses, notification costs, and legal fees for the defence of litigation and regulatory proceedings. Insurers responded in two ways. They began to sharply limit the cover available for cyber risk in commercial general liability (CGL), commercial property and other traditional types of insurance. At the same time, insurers accelerated the development and marketing of the modern form of cyber insurance that remains in use today.
During the past decade, there has been a rapid expansion of cyber insurance, marked by three recurring themes:
- ongoing evolution of policy forms to cover newly emerging threats, ranging from hacktivism and ransomware to attacks by nation states;
- heightened insurer involvement in breach response activities as a method of controlling costs; and
- lack of standard forms, as most insurers have developed their own policy forms using different language for key terms, conditions and exclusions.
As cyber insurance enters its third decade, we consider the lack of movement toward standard forms to be a major deficiency. Standard forms promote predictability of coverage, which benefits policyholders and insurers alike. Insurance policies are contracts that should be interpreted according to their express terms. But the multiplicity of forms, combined with the lack of governing case law, hinders the development of common understandings regarding the scope and meaning of cover. It has also contributed to an increase in claim denials as insurers sometimes adopt arbitrary interpretations of policy terms.
All these factors make it more difficult for companies to assess the adequacy of their own insurance programme. The remainder of this chapter offers guidance for policyholders and their counsel on how best to address these challenges.
Major features of cyber policies
Modern cyber policies combine third-party cover for the defence and settlement of claims with first-party cover for the policyholder's own breach-related losses. Policies typically contain multiple insuring clauses that are intended to cover different categories of costs, but which in practice frequently overlap. While the labels vary from insurer to insurer, most cyber policies contain the following insuring clauses.
Breach response costs
This insuring clause covers the policyholder's incident response costs, including (1) forensic consulting fees to investigate the breach; (2) legal fees paid to external counsel to coordinate the investigation and advise the company on its legal duties; (3) the cost of notifying individuals whose personal information has been compromised; and (4) the cost of providing those individuals with credit monitoring or identity theft protection services as a remedial measure. While some cyber policies do not expressly reference legal fees in this insuring clause, it is commonly understood that such fees are covered as part of the cost of the forensic investigation.
An important difference among cyber policies relates to the type of information that will trigger cover under this insuring clause (labelled data breach expense in some policies). Many policies cover breach incidents involving a wide range of protected information, including personally identifiable information (PII), protected health information and confidential business information. But some cyber policies limit cover to breaches involving personal information. This is a significant shortcoming from the perspective of the policyholder, because an attack that targets confidential corporate data will result in many of the same response costs as an attack targeting PII.
Privacy liability
This insuring clause covers third-party claims resulting from a data breach or cyberattack. Covered costs include defence costs, damages and settlements. The types of claims that are covered vary from policy to policy, but generally include (1) claims by consumers for unauthorised disclosure of personal information, violation of data privacy laws, or violation of breach reporting requirements, and (2) claims by corporate customers for disclosure of confidential business information, transmission of malware or impairing access to computer networks.
The original focus of the privacy liability insuring clause was protection against claims for unauthorised disclosure of data, but as a result of recent legislative developments, companies currently face an increased risk of liability for data processing and handling practices. The European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act of 2018 impose new obligations on businesses relating to the collection, retention and transfer of consumer data, with violations potentially leading to civil damages and regulatory fines. Many cyber insurers have amended their policy forms to cover these types of data processing claims, and we expect others to follow suit.
Regulatory proceedings
The privacy liability insuring clause discussed above is triggered by a 'claim', which is typically defined to include complaints, arbitration notices, demand letters, or other written requests for monetary relief. In some policies, the definition of 'claim' is broad enough to include government regulatory proceedings. More frequently, cover for regulatory proceedings is offered in a separate insuring clause, which covers legal fees incurred to respond to government enquiries or investigations, amounts paid in settlement, and fines and penalties to the extent permitted by law. Some insurers make this cover optional and do not include it in their standard cyber form. In such cases, if the policyholder opts not to purchase regulatory cover, the insurer may resist efforts to seek indemnity for regulatory claims under other insuring clauses.
Network interruption
This insuring clause is modelled on the business interruption cover found in commercial property insurance policies. It insures against loss of revenue resulting from a network shutdown occasioned by a cyber incident. Such cover would be triggered, for example, when a company shuts down its network to contain a cyber intrusion or when hackers disable hardware or software applications needed to operate the network. Cover typically extends for 60 to 180 days after the shutdown occurs.
Network interruption insuring clauses also cover extra expenses incurred as a result of a cyber incident, though the scope of this cover varies widely. Some policies cover any extra expenses that would not have been incurred but for the network shutdown, while others limit cover to costs incurred to minimise lost income. In some policies, advance approval by the insurer is required. Most policies contain exclusions for costs associated with system upgrades.
Ancillary cover
Beyond these core insuring clauses, cyber insurers have developed additional optional cover to address particular risks. These ancillary clauses can be quite valuable for certain policyholders. The most important types are:
- data recovery – covers the cost of replacing or restoring data that is corrupted or destroyed in a cyberattack;
- cyber extortion – covers the costs of responding to a ransomware attack or other form of extortion;
- payment card industry (PCI) claims – covers fines and assessments imposed under the rules of the payment card brands for breaches involving credit or payment card data;
- fraudulent transfer and social engineering – covers amounts lost in fraudulent schemes to steal funds using forged emails and payment instructions; and
- technology products or services – covers third-party claims alleging defects in technology products (including software) or negligent acts, errors or omissions in the performance of technology services.
Insurer consent requirements
The unpredictable costs of cyber claims have been a significant challenge for the insurance industry. Insurers typically price their products based on historical experience with similar claims. Because there is not yet sufficient data available for cyber policies, insurers attempt to control costs on individual claims by requiring policyholders to obtain approval for major expenditure.
Cyber policies typically require insurer consent before retaining counsel, hiring forensic consultants or other vendors; providing breach notices to affected individuals; offering credit monitoring services; or settling claims. These requirements go beyond what is found in other types of insurance. Commercial property policies do not require a policyholder to obtain insurer approval before notifying stakeholders that facilities have been damaged, or before retaining contractors to carry out repairs.
The prevailing practice among most cyber insurers has been to show flexibility in applying these consent provisions. In crisis situations, it is not always possible to obtain insurer approval before retaining counsel or forensic consultants. Provided the policyholder promptly notifies the insurer of the retention and receives no objection, the consent requirement should be deemed satisfied.
From the policyholder's perspective, there should be no objection to reasonable consent requirements as long as they do not interfere with the breach response efforts. By way of example, it would be unreasonable in most circumstances for an insurer to refuse to approve a policyholder's decision to notify individuals of a breach. To withhold such approval would interfere with the policyholder's duties to its customers and could expose the policyholder to legal liability.
Other terms and conditions
Like all insurance policies, cyber policies contain a host of other terms, conditions and definitions that qualify the cover in important ways. Insuring clauses often include defined terms to describe covered incidents and expenses. A standard formulation for third-party cover is that the insurer will pay for a 'loss' arising from a 'claim', so the definitions of those two terms are particularly important. From a policyholder's perspective, the definition of 'claim' should go beyond formal lawsuits and administrative proceedings to include written demand letters and informal regulatory enquiries. The term 'loss' should include defence costs, damages and settlements, as well as prejudgment and post-judgment interest, statutory damages and regulatory fines. Cyber policies generally will not cover non-monetary relief or the cost of complying with an injunction.
Policyholders should also pay close attention to financial terms relating to policy limits and retentions. Retentions in cyber policies tend to be high, particularly for larger companies and companies with a mixed record of data security. To compound the pain, some policies require payment of multiple retentions when a cyberattack triggers multiple insuring clauses. Thus, if a data breach results in a network shutdown, disclosure of PII and resulting lawsuits, the insurer may require payment of three retentions under the network interruption, data breach expense and privacy liability clauses. Policyholders should avoid, whenever possible, policies that require the satisfaction of multiple retentions.
Cyber policy exclusions
There has been a proliferation of exclusions in cyber policies, with some containing as many as 60 or 70 exclusions. Certain insurers appear to view exclusions as a way of managing risk at the micro level, making fine distinctions between fact scenarios and drafting language intended to cover some exposures but not others. This approach leads to overly complex policies that increase the risk of insurance disputes. It is in the interest of both insurers and policyholders for exclusions to be stated in simple and straightforward terms, to foster a common understanding of the risks excluded from cover.
Below, we discuss three exclusions commonly found in cyber policies that can be problematic in the event of a cyberattack.
War exclusion
The war exclusion has been a standard feature of CGL and commercial property policies for more than 100 years. Over time, language has been added to broaden its scope beyond the simple paradigm of war. Nonetheless, courts have consistently held that the war exclusion is limited to warfare in the classic sense of the word, namely, armed conflict between sovereign nations or their functional equivalents. See Pan American World Airways, Inc v. Aetna Casualty & Surety Co (holding that a war exclusion does not apply to violent terrorist hijacking). Random acts of violence by individuals or groups will not trigger the exclusion. No reported decision has ever applied the war exclusion to a cyberattack.
Some cyber policies address this issue by expressly stating that the war exclusion does not apply to cyberattacks. Such language adds helpful clarity, but is not necessary. Even without such language, the war exclusion cannot fairly be read to apply to hostile activities carried out in cyberspace.
Contractual liability exclusion
The contractual liability exclusion bars coverage for the liability of third parties that the policyholder assumes via contractual indemnification provisions. The insurance industry tends to disfavour indemnification provisions, though they are a standard feature in business-to-business contracts. Most contracts involving the transfer, processing or storage of confidential data will contain indemnity provisions that allocate costs between the two parties in the event of unauthorised disclosure. Companies that take on indemnification obligations should delete or modify the contractual liability exclusion to ensure that their obligations are covered.
Exclusion for negligent security practices
Many cyber insurers try to manage risk by reviewing their policyholders' network security practices during the underwriting process. This review can include detailed application questions and interviews with IT staff. Some cyber policies go a step further and exclude losses caused by an inadvertent failure to follow the security practices described in the application. Other policies contain exclusions for failure to implement software patches; failure to maintain current antivirus software; failure to adequately design or configure computer systems; or other errors in network security. Such exclusions run counter to one of the basic purposes of insurance – protecting policyholders from losses caused by their own negligence. Policyholders should seek to strike these exclusions from their policies whenever possible.
Procuring the right insurance
Any effort to enhance breach preparedness through insurance must begin at the time the policies are purchased. That is when policyholders, as buyers in a competitive market, have the opportunity to obtain new cover, purchase higher limits and negotiate changes in policy wording.
Yet the procurement process can be challenging for a number of reasons. Cyber policies are both relatively new and highly complex. Policyholders with no prior experience in cyber claims may not understand how key provisions will be applied. In addition, because there are no standard policy forms, it is difficult to compare the cover offered by different insurers. Finally, the nature of cyber risk is constantly changing, which requires the risk management group to remain alert to the new threats and vulnerabilities that emerge every year.
To successfully navigate these issues, we recommend that policyholders periodically conduct a detailed review of their cyber insurance programme in a collaborative process involving corporate risk management, legal and IT groups, as well as insurance brokers and specialist counsel who have experience in handling data breach claims. Together, this integrated team should work through the following framework of issues.
First, the team should develop a solid understanding of the company's current insurance programme, both to assess the adequacy of cover and to identify specific policy provisions that need improvement. The discussion in the previous section can serve as a reference point for this analysis. Specialist counsel can explain how policy terms have been interpreted in prior breach incidents, while insurance brokers can help to compare existing policies with those offered by other insurers.
Second, the team must understand the legal and regulatory environment – including the company's obligations with respect to data, the potential liabilities for violations, and the type of regulatory proceedings to which the company may be subject. The regulatory landscape can change over time, as seen by the recent enactment of the EU's GDPR and California's Consumer Privacy Act, so companies must stay abreast of developments that create new exposures.
Third, the team should have access to a risk assessment that identifies the most important cyber threats facing the business. This assessment is necessary to determine which ancillary cyber cover should be purchased. In addition, most companies face their own unique risks owing to the nature of their business operations. These risks might include a disabling attack on a critical supplier, investigations by a specific government agency, or exposure to a particular type of claim. Where such specialised risks are not adequately covered under existing policy forms, the policyholder should try to negotiate policy endorsements to address them.
Each set of issues discussed above will change over time. An insurance programme that offered ample protection four years ago may no longer be adequate in light of new business activities or threat vectors. Consequently, this review process should take place at frequent intervals. If done correctly, it will generate a concrete list of policy enhancements to be implemented over time to build a more robust insurance programme.
Significant case law developments
Below we review the significant case law addressing insurance for cyber claims. Most of the relevant cases involve traditional types of policies, such as commercial crime and CGL. These traditional policies continue to provide cover for cyber risk, though insurers have added exclusions in recent years that sharply curtail the extent of this cover.
Commercial general liability policies
Attempts to seek coverage for cyber risks under CGL policies have focused on insuring clauses that cover property damage and personal and advertising injury.
CGL policies provide defence and indemnity cover for claims alleging 'property damage', which is defined as: 'physical injury to tangible property, including all resulting loss of use of that property . . . [or] loss of use of tangible property that is not physically injured'.
The Insurance Services Office (ISO) amended this definition in 2001 to expressly state that tangible property does not include electronic data. Under the revised definition, coverage is generally not available under CGL policies for claims alleging loss or corruption of data without additional injury.
The situation may be different when a cyberattack results in corruption of data that, in turn, disables computer hardware on which the data was stored. The disabled hardware may qualify as 'loss of use of tangible property that is not physically injured' and therefore fall within the definition of property damage. For example, in Eyeblaster, Inc. v. Federal Insurance Co., an internet advertising business sought coverage for a customer's lawsuit alleging that his computer was infected with a spyware program. The court held that there was no coverage for the customer's claims alleging loss of data, because the policy defined tangible property to exclude data. However, the court found the claim was insured based on loss of use, because the customer was unable to use the computer that housed the damaged data.
A subsequent court decision applied Eyeblaster to reject loss of use coverage for a payment card data breach. In Target Corp. v. ACE American Insurance Co., policyholder Target sought coverage for its settlement liability to multiple banks following a data breach resulting in the theft of credit and debit card data. The breach necessitated the cancellation of the compromised payment cards and reissuance of new cards. The court held that loss of use did not apply because the record lacked any allegation or evidence of the value of the use of the payment cards to either customers or payment card companies. As such, the court held, the policyholder could not establish the required connection between the damages incurred to settle the claims and the value of the use of the cards.
Personal and advertising injury
Policyholders have also sought coverage under the personal and advertising injury insuring clause (personal injury clause) for data breach claims alleging disclosure of confidential personal information. The personal injury clause covers (among other things) claims alleging 'publication, in any manner, of material that violates a person's right of privacy'. Policyholders have argued that disclosure of private information in a data breach constitutes this type of covered publication. Some courts have accepted that argument, particularly where the policyholder itself inadvertently disclosed the information. For example, in Travelers Indemnity Co of America v. Portal Healthcare Solutions LLC, a policyholder sought coverage for the inadvertent release of confidential patient records online. The court found the claim was insured based on the policyholder's negligent disclosure of information in violation of patients' privacy rights.
Other courts have rejected similar arguments. In Innovak International, Inc. v. Hanover Insurance Co., the policyholder sought coverage for privacy claims alleging the release of plaintiffs' private information in a data breach. The Innovak court ruled against the policyholder on the grounds that the hackers, not the policyholder, were the publisher of the information. The court held that cover under the personal injury clause was limited to claims alleging acts of publication by the policyholder itself. This result seems questionable in light of the relevant policy language, which covered claims alleging publication 'in any manner' arising out of the policyholder's business and for which the policyholder was legally responsible.
It is important to note that in 2015, ISO introduced a new data breach exclusion for standard form CGL policies. The exclusion states that the personal injury clause does not apply to claims 'arising out of any access to or disclosure of any person's or organization's confidential or personal information'. Under the broad language of this exclusion, insurance is no longer available under CGL policies for most data privacy claims arising from a breach incident.
Commercial crime policies
Commercial crime policies typically cover the loss of money, securities or other business property as a result of fraud, employee dishonesty, theft and other third-party acts. Some crime policies include cover for computer fraud and fraudulent electronic transfers. Such policies may serve as a source of insurance for cyber-related claims. For example, courts have found coverage under commercial crime policies where hackers used forged emails to induce a policyholder's employee to wire funds outside the organisation.
Courts have rejected coverage, however, when the particular circumstances of a loss fall outside the crime policy's insuring clause. In Aqua Star Corp. v. Travelers Casualty & Surety Co., hackers gained access to an email account used by one of Aqua Star's vendors. The hackers then sent forged emails to an Aqua Star employee, which purported to come from the vendor and directed the employee to change the vendor's bank account information for receiving wire transfers. The Aqua Star employee made this change, and subsequent wire transfers were made to an account controlled by hackers. The policyholder submitted a claim under the computer fraud section of its crime policy, but the court rejected the claim based on a policy exclusion for 'loss or damages resulting directly or indirectly from the input of electronic data by a natural person having the authority to enter the insured's computer system'. The court noted that the Aqua Star employees who changed the vendor bank account information and sent the wire transfers had authority to use the company's computer system. According to the court, it did not matter that the employees had been deceived into taking those actions.
The Aqua Star case illustrates a common problem with commercial crime policies, which typically contain insuring clauses that cover specific fact scenarios. If the factual circumstances of a loss do not match the terms of the insuring clause, coverage may be unavailable. See InComm Holdings, Inc. v. Great Am. Ins. Co. (finding no coverage for losses arising out of fraudulent debit card redemptions); Mississippi Silicon Holdings, L.L.C. v. Axis Ins. Co. (rejecting coverage for fraudulently induced invoice payments); Sanderina, LLC v. Great Am. Ins. Co. (finding no coverage for fraudulent wire transfer); Childrens Place, Inc. v. Great Am. Ins. Co. (rejecting coverage where the insured failed to follow required procedures for verifying wire transfer instructions).
One additional issue courts have grappled with is the interpretation of crime policies that require 'direct' causation between the use of a computer and the loss. For example, in G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the insurer argued that the insured's decision to pay a Bitcoin ransom to hackers in return for restored access to the insured's computer systems was an intervening cause of the loss. The Indiana Supreme Court disagreed and found that the loss resulted 'directly from the use of a computer' because the Bitcoin transfer was 'nearly the immediate result – without significant deviation – from the use of a computer'. Similarly, in Cincinnati Insurance Co. v. Norfolk Truck Center, Inc., the court interpreted 'directly' in a crime policy to mean 'something that is done in a “straightforward” or “proximate” manner and “without deviation” or “without intervening agency” from its cause'. Under this definition, the court found the insured's wire transfer in response to a fraudulent vendor invoice to be a covered loss.
Directors' and officers' liability
Directors' and officers' liability (D&O) policies are issued to companies to cover claims for wrongful acts against directors and officers – and often claims against the company as well. Because the term 'wrongful act' tends to be broadly defined, a D&O policy could potentially provide cover for claims arising out of cyber incidents. For example, a company or its executives could be accused of negligent supervision of operations that leads to the disclosure of PII or confidential information of corporate customers. Similarly, corporate executives might be accused of failing to provide timely notice of a breach incident. While there are no published court decisions addressing these issues, it is reasonable to believe that a D&O policy would cover such claims in the absence of an applicable policy exclusion.
Cyber policies
Cyber policies are relatively new and case law interpreting them is sparse. The few published cases that exist involve disputes about specific instances of fact rather than broad legal principles. Two of the more notable cases are discussed below.
In P.F. Chang's China Bistro, Inc v. Federal Insurance Co., the policyholder was a restaurant owner who suffered a data breach resulting in disclosure of customer credit card information. The owner sought indemnity under its cyber policy for PCI assessments imposed by the payment card brands. The policyholder had not purchased cover for PCI claims, so it asserted claims under insuring clauses for privacy notification, privacy liability and network interruption. The court, interpreting these insuring clauses broadly, determined that the PCI assessments might qualify as (1) costs to notify affected individuals under the privacy notification clause or (2) extra expense under the network interruption clause. The court nonetheless denied coverage for the assessments based on the contractual liability exclusion, which barred cover for 'liability assumed by any Insured under any contract or agreement'. The court found that the policyholder's liability for the assessments arose solely from its contractual agreements to indemnify the credit card servicing company.
Travelers Property Casualty Co. of America v. Federal Recovery Services arose from a dispute between the owner of fitness centres (Global Fitness) and its credit card processor (Federal Recovery Acceptance (FRA)). Global Fitness sued FRA for allegedly disrupting a planned merger by refusing to return customer credit card data until all outstanding invoices were paid. FRA's cyber policy included technology services cover, which insured FRA for claims alleging 'any error, omission or negligent act'. The court denied coverage on the grounds that the claims were based on intentional conduct rather than negligence. According to the court, the complaint alleged FRA had knowingly refused to return the customer data until its payment demands were met, and therefore did not give rise to potential liability for negligent acts.
One lesson that can be drawn from these cases is that both disputes could have been avoided if the policyholders had identified the relevant risks and purchased appropriate insurance. With respect to the P.F. Chang case, for example, restaurant owners face the risk of PCI assessments if customer credit card data is stolen, and should purchase cyber policies that include PCI cover.
This lesson underscores the importance of pursuing a coordinated procurement strategy (as outlined in the section 'Procuring the right insurance'). It will never be possible to predict every claim or loss a company may face in the future. But the goal of any insurance programme should be to identify the risks most likely to affect the business and then procure adequate cover to address them.
Pursuing insurance after a cyberattack
For companies that fall victim to a cyberattack, insurance policies become an important asset that can be used to fund response and remediation efforts. As with any asset, the value of a company's insurance policies can be enhanced through careful management or squandered through neglect. Companies that wait too long to focus on insurance or mishandle the claims process will reduce their ultimate recovery. Below we discuss best practices for the effective pursuit of insurance claims following a breach event.
Incident response coordination
From the outset, the pursuit of insurance cover should be closely integrated with the company's overall breach response efforts. A risk management representative should be included in the incident response team, alongside the other key constituencies – IT, legal, finance, accounting, communications, etc. The risk management team must be kept informed regarding developments in the investigation, retention of vendors and major expenses, and management must be made aware of issues that could affect the availability of insurance. Insurance policies come with their own special requirements, which may not be well understood outside the risk management department. Sometimes these requirements run counter to other priorities of the incident response team. For example, it may be necessary to delay key decisions on the retention of vendors to allow time for communication with the insurers. Management's desire to maintain confidentiality regarding the breach investigation may conflict with the company's duty to provide information to its insurers. In most cases, there are ways to reconcile these tensions, but if insurance issues are left out of the dialogue, there is a risk that decisions will be made that impair the insurance recovery.
Pursuing coverage for breach-related losses requires early engagement with insurers to comply with consent requirements and respond to information requests. Policyholders therefore need to develop, as soon as possible, an insurance strategy based on a solid understanding of the coverage issues. Companies should aim to accomplish the following steps within the first two weeks after discovery of a cyber incident:
- give notice to insurers under all policies that may potentially apply – even those under which coverage may be uncertain. Under the law of many jurisdictions, policyholders cannot recover for costs incurred before the date of notice;
- put mechanisms in place to track all breach-related costs and to document all related expenditure;
- reach out to the primary insurer to establish a line of communication and discuss any required consents. Communications on consent issues should be confirmed in writing. In the early stages of a breach, it is reasonable to expect insurers to respond to consent requests within 48 hours at most. If the insurer does not respond, it may waive its right to object to the policyholder's decision; and
- prepare a strategic legal plan that summarises the available insurance, explains which costs will be covered and identifies the steps that must be taken to maximise recovery. This plan will inform communications with the insurers and assist the incident response team in making decisions that could affect the insurance recovery.
In many cases, the policyholder will retain external counsel to assist with the tasks outlined above. One of the benefits of retaining insurance lawyers is that their discussions with the company are protected from disclosure by attorney–client privilege. Note that most insurers will either retain insurance counsel on cyber claims or assign the claim to experienced managers with law degrees. This can put the policyholder at a disadvantage, particularly if it does not have prior experience with cyber claims.
Managing insurer communications
Shortly after giving notice, the policyholder should expect to receive requests from the insurers for information. These requests are often technical and detailed. The policyholder has a duty to respond to reasonable requests pursuant to the cooperation clause that is part of every insurance policy. However, it is proper – and often necessary – to manage these requests. There is no need to provide immediate responses if the work would interfere with breach response efforts or if forensic evidence is not yet available. The policyholder is generally not required to provide insurers with privileged attorney–client communications or attorney work-product. At the same time, withholding information unnecessarily is likely to be counterproductive in the long run. The policyholder has an interest in maintaining positive working relationships with its insurers, and disputes about routine information requests will make the insurance claim more difficult to resolve.
As the insurance claim progresses, the policyholder should provide regular updates to insurers about the forensic investigation, regulatory proceedings, third-party claims and major expenditure. Communications will initially focus on the primary insurer, to consult on consent issues, settlement opportunities and breach notification. If costs are likely to exceed the primary policy limits, the policyholder should maintain communications with excess insurers as well. Failure to do so increases the likelihood that the excess insurers will second-guess decisions made by the underlying layers.
Invoices should be submitted for reimbursement promptly and regularly. Many cyber policies require that a formal proof of loss be submitted within 90 or 120 days of discovery of the incident, though these deadlines can be extended by mutual agreement. If the policyholder is required to file the proof of loss before final cost figures are available, it can reserve the right to make supplemental submissions in the future.
Areas of potential dispute
While there has been very little litigation to date regarding cyber insurance policies, disputes frequently occur during the claim process. Based on the growing number of claim denials in the past two to three years, we expect litigation to become more frequent in the future. Below we review some of the most common areas of dispute that are likely to spawn litigation in the years ahead.
As noted in the subsection discussing 'Cyber policy exclusions', cyber policy applications typically include detailed questions about the policyholder's network security measures. The responses may become the source of disputes about coverage. It is becoming increasingly common for insurers to raise defences based on the policy application, particularly when a cyber incident occurs as a result of a failure to follow the security procedures described in the application responses. When a policyholder makes a material misrepresentation or omission in the application, the insurer may be entitled to reject the claim. It would be improper, however, to reject a claim based on an immaterial error or minor inaccuracy.
Choice of counsel
Many cyber insurers seek to limit a policyholder's right to select counsel as a way to control costs. The limitations come in several forms. Some policies simply give the insurer the right to appoint counsel. Others provide that counsel should be chosen by mutual agreement between the policyholder and the insurer, but should they fail to agree, the insurer makes the final decision. A third approach is to require the policyholder to retain counsel from a panel of law firms selected by the insurer.
From the perspective of the policyholder, any restriction on its right to be represented by skilled and loyal counsel is problematic. In the United States, most states give the policyholder the right to select counsel when the insurer is providing a defence under a reservation of rights. Courts have reasoned that the prospect of a future coverage dispute creates a conflict of interest that prevents the insurer from controlling the choice of counsel. These principles apply with equal force to the selection of counsel under a cyber policy. If the insurer has raised defences in a reservation of rights letter, or has not yet stated its position, the policyholder should have the right to select counsel. Insurance policy provisions that seek to negate or limit this right should be deemed unenforceable. Where possible, a policyholder should seek to add language to the policy at the time of purchase to preserve the right to select counsel. Alternatively, the policyholder should request an endorsement that approves its preferred counsel to handle breach investigations and cyber claims.
Settlement of claims
A frequent area of dispute involves the settlement of third-party claims. Most insurance policies contain provisions that require insurer consent for settlements. Policyholders may jeopardise coverage if they enter into a binding settlement agreement without first seeking insurer consent. This typically requires a candid discussion, often involving defence counsel, regarding the merits of the claim and the likely exposure. Insurers have a duty to accept a settlement if the proposed payment is reasonable in light of the risk of liability and the likely range of damages. If an insurer breaches this duty, the policyholder has the option of proceeding with the settlement and then pursuing claims against the insurer to recover the cost. Before doing so, the policyholder should carefully document the insurer's failure to approve a reasonable settlement offer.
When cyberattacks involve state actors, insurers are sometimes tempted to assert defences based on the war exclusion, or the related civil authority exclusion. Attempts to invoke these exclusions in the context of a cyberattack should be seen as opportunistic. As discussed in the section 'Cyber policy exclusions', the war exclusion is limited to acts of military force and no published court decision has ever applied it to a cyber incident.
The civil authority exclusion bars cover for losses 'arising out of or attributable to any action of a public or government authority, including the seizure, confiscation or destruction of the Insured's computer system or data'. This exclusion is meant to apply to lawful orders by governments, acting pursuant to legal process and within the scope of their authority. It does not apply to cyberattacks launched under the cloak of secrecy by clandestine agents of foreign governments.
As the cyber insurance market matures, claim disputes such as those described above will occur with greater frequency. Some will lead to litigation. In most cases, the outcome of such disputes will be determined by the language of the insurance policy. When the language favours the policyholder, it will have significant leverage to negotiate a successful resolution of the dispute. Such an outcome becomes much more difficult to achieve when the language is unclear or favours the insurer. All this points, once again, to the importance of the procurement process in laying the foundation for a successful insurance recovery when, inevitably, cyber incidents occur.
1 Richard DeNatale and Brian McDonald are partners at Jones Day who represent policyholders in cyber insurance and data breach coverage matters. They wish to thank their colleague Thilini Chandrasekera for her contributions to the second edition.
2 These included breaches reported by TJ Maxx (2007), TD Ameritrade (2007) and Heartland (2009).
3 As a general matter, first-party insurance covers loss or damage to a policyholder's own property, while third-party insurance covers lawsuits and third-party claims asserted against the policyholder.
4 The basic anatomy of an insurance policy can be described as follows: insuring clauses grant cover for the risks described in the clause, which can be stated generally ('all risk of loss or damage to property') or specifically ('property damage resulting directly from flooding'); exclusions seek to limit cover for certain risks that would otherwise be insured under the policy; definitions provide the meaning of key terms used in the insuring clauses and exclusions; conditions set forth other contractual obligations of the policyholder and the insurer; and endorsements are amendments to the basic policy form that modify the terms of cover.
5 Some cyber insurers offer cover for notification costs and credit monitoring costs in a separate insuring clause.
6 Consent requirements regarding choice of counsel are discussed in the section titled 'Choice of counsel' (see page 72).
7 Stempel on Insurance Contracts, Section 24.04 (2008).
8 A typical war exclusion in a cyber policy bars cover for losses resulting from 'war, invasion, acts of foreign enemies, terrorism, hijacking, hostilities or warlike operations (whether war is declared or not), military or usurped power, civil commotion assuming the proportions of or amounting to an uprising, strike, lockout, riot, civil war, rebellion, revolution or insurrection'.
9 505 F.2d 989 (2d Cir 1974).
10 Holiday Inns Inc. v. Aetna Ins. Co., 571 F. Supp. 1460, 1497 (S.D.N.Y. 1983).
11 The Insurance Services Office (a subsidiary of Verisk Analytics) is responsible for drafting standard forms for US insurance policies.
12 For CGL policies issued prior to this revision, courts were split on whether data constituted tangible property. Compare Retail Sys., Inc. v. CNA Ins. Cos, 469 N.W.2d 735, 738 (1991) (finding that computer tape and data were tangible property under the insurance policy) with America Online v. St Paul Mercury Ins. Co., 347 F.3d 89, 96 (2003) (rejecting cover because tangible property does not include damage to data or software). See also Ward Gen. Ins. Servs., Inc. v. Emp'rs Fire Ins. Co., 114 Cal. App. 4th 548, 556, 557 (2003), as modified on denial of rehearing (2004) (holding that the loss of a database did not qualify as 'direct physical loss of or damage to' property under the terms of a commercial property policy).
13 613 F.3d 797 (8th Cir 2010).
14 No. 19-cv-2916 (WMW/DTS), 2021 WL 424468 (D. Minn. Feb. 8, 2021).
15 35 F.Supp.3d 765 (E.D. Va 2014), aff'd 644 Fed. App'x 245 (4th Cir. 2016).
16 280 F.Supp.3d 1340 (M.D. Fla 2017).
17 The same court that decided the Innovak case reached a similar conclusion in St. Paul Fire & Marine Insurance Co. v. Rosen Millennium, Inc., 377 F. Supp. 3d 1176 (M.D. Fla. 2018) (insurer had no duty to defend claim arising from data breach affecting credit card information).
18 See ISO Form CG 2 07 05 15.
19 See Medidata Sols Inc. v. Fed. Ins. Co., 729 Fed. App'x 117 (2d Cir 2018) (finding that use of the policyholder's email system to send a forged email purportedly from a corporate officer fell within the cover grant for 'entry of data into' or 'change to data elements' of a computer system); see also Am. Tooling Ctr. Inc. v. Travelers Casualty & Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir 2018) (finding cover where fraudulent email induced an employee to wire funds outside the organisation).
20 719 Fed. App'x 701 (9th Cir. 2018).
21 ibid., at 703.
22 No. 15-cv-2671-WSD, 2017 WL 1021749, at *11 (N.D. Ga. Mar. 16, 2017) (aff'd, 731 Fed. App'x 929 (11th Cir. 2018)).
23 No. 20-60215, 2021 WL 406238, at *2 (5th Cir. Feb. 4, 2021).
24 No. 18-cv-00772-JAD-DJA, 2019 WL 4307854, at *3 (D. Nev. Sept. 11, 2019).
25 No. 18-11963 (ES) (JAD), 2019 WL 1857118 (D.N.J. Apr. 25, 2019).
26 No. 20S-PL-617, 2021 WL 1034982, at *16 (Ind. Mar. 18, 2021).
27 430 F. Supp. 3d 116, 130 (E.D. Va. 2019).
28 No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).
29 156 F.Supp.3d 1330 (D Utah 2016).
30 See Admiral Ins. Co. v. Sup. Ct. (A Perfect Match, Inc.), 18 Cal. App. 5th 383, 389 (4th Dist 2017); Varshavskaya v. Metro. Life Ins. Co., 890 N.Y.S. 2d 643, 643, 2009 N.Y. Slip Op. 09215 (2d Dep't 2009).
31 A reservation of rights allows an insurer to cover the policyholder's legal fees for the defence and investigation of a claim, while reserving the insurer's right to deny cover for any ultimate judgment, settlement or indemnity payment.
32 Under New York law, '[w]here an insurer defends under a reservation of rights, the insured is entitled to retain its own counsel'. Federated Dep't Stores, Inc. v. Twin City Fire Ins. Co., 807 N.Y.S. 2d 62, 66 n.1, 2006 N.Y. Slip Op. 00105 (1st Dep't 2006). Under California law, the policyholder has a right to independent counsel if the actions of defence counsel can affect the outcome of a disputed cover issue. See California Civil Code, Section 2860; San Diego Navy Fed. Credit Union v. Cumis Ins. Soc'y, Inc., 162 Cal. App. 3d 358, 375 (1984).
33 Luria Bros. & Co., Inc. v. Alliance Assur. Co., 780 F.2d 1082, 1091 (2d Cir 1986) (New York law); Kransco v. American Empire Surplus Lines Ins. Co., 23 Cal. 4th 390, 401 (2000) (California law).
34 See Kao v. Markel Ins. Co., 708 F. Supp. 2d 472, 478 (E.D. Pa 2010) (civil authority exclusion applies 'where damage results from an act done within the scope of and in execution of a lawful order'); Dunlap v. Illinois Founders Ins. Co., 250 Ill. App. 3d 563, 568 (1993) (exclusion does not apply to actions outside the scope of the official's authority).