Increased cyber losses means more litigation over claimsReprints
Litigation over cyber claims so far has centered on general liability policies, but fights over network security and privacy liability policies are expected to grow.
Coverage disputes involving cyber policies have already arisen without reaching the courts over issues such as policyholders' choice of outside advisers, application of policy retroactive dates and exclusions for malicious employee actions, experts say.
“Within the next two years, we are definitely going to see reported decisions” in cyber insurance coverage cases where policies don't include arbitration clauses, said Roberta D. Anderson, a partner at law firm K&L Gates L.L.P. in Pittsburgh.
“There's been a lot of negotiating behind the scenes on cyber claims,” often leading to confidential settlements, said Joshua Gold, a shareholder at Anderson Kill P.C. in New York.
Risk managers need to work with expert advisers on the terms of cyber insurance, which vary considerably from insurer to insurer, to head off potential disputes, lawyers and brokers recommend.
Companies seeking coverage for data breaches under general liability policies often have turned to the personal and advertising injury part of the forms, and disputes have centered on whether a breach constitutes a “publication” that violated a right to privacy.
Buyers have had mixed success in court.
For example, a Connecticut appeals court ruled in 2013 that Atlanta-based Recall Total Information Management Inc. had no GL coverage for more than $6 million in costs from lost data tapes containing personal information of 500,000 employees of International Business Machines Corp. There was no evidence a third party accessed the data, so there was no “publication” under the policy terms, a judge ruled.
A New York state judge created a new hurdle last year, ruling that Sony Corp. had no GL coverage in the massive 2011 PlayStation hack. The hackers were responsible for publishing PlayStation users' stolen information, and only intentional acts by Sony would have triggered coverage, the judge found. Sony is appealing.
Buyers' odds of finding GL coverage for data breaches may soon get worse.
More insurers are adopting the Insurance Services Office's May 2014 cyber exclusions for GL policies, market experts said. Another less-noticed April 2013 ISO endorsement drops personal and advertising coverage for “oral or written publication, in any manner, of material that violates a person's right of privacy.”
Ms. Anderson said the GL form endorsement means “lights-out for data breach coverage.”
Cyber insurers, meanwhile, have already paid some large claims.
Target Corp. expects to recover $90 million from cyber insurers, partially offsetting $248 million in expenses in the 2013 hacker attack affecting personal and credit card data of 70 million customers, the retailer said in its most recent quarterly SEC filing. Minneapolis-based Target said it had already received $28 million from insurers. Target's cyber insurers include Ace Ltd., American International Group Inc. and Axis Capital Holdings (BI, Jan. 20, 2014).
In its third-quarter filing, The Home Depot Inc. said it had a $15 million cyber insurance receivable, partially offsetting $43 million in pretax expenses in a 2014 breach exposing some 56 million customer payment cards. Atlanta-based Home Depot has $100 million in cyber coverage above a $7.5 million deductible, according to the filing. Home Depot's cyber insurers include AIG, Zurich Insurance Group Ltd., Liberty Mutual Insurance Co. and HCC Insurance Holdings Inc. (BI, Sept. 15, 2014).
Cyber insurers generally have been responsive to losses, brokers and others say.
“Carriers in the cyber insurance space do not want to have a reputation of not paying claims,” said Scott N. Godes, a partner at Barnes & Thornburg L.L.P. in Washington.
Still, coverage disputes have arisen under cyber liability policies, and more are likely in the future as the coverage becomes more common, experts say.
One issue so far has been choice of outside counsel and providers of breach recovery, credit monitoring and other services, said Lon A. Berk, a partner at Hunton & Williams L.L.P. in McLean, Virginia.
“There's been a good deal of pressure from insurance companies to use vendors and attorneys chosen by the insurers, which is not always in the policyholder's best interest,” he said.
Buyers who already have qualified lawyers and providers should reach agreement in advance on using them.
“It's always easier to have that conversation before the breach than to have it under the gun afterwards,” said David Finz, senior client adviser at Marsh L.L.C.'s FINPRO division in New York.
Another problem area is retroactive inception dates. Ms. Anderson cited a study last year by Alexandria, Virginia-based security firm Mandiant, a FireEye Co., that hackers were present on victim networks for a median 229 days before being discovered. Insurers are denying coverage for attacks occurring before the policy inception date where there was no retroactive coverage, Ms. Anderson said.
Mr. Berk said he has seen retroactive periods of up to five years when a policyholder has been with the same insurer for some time.
Many cyber policies contain conduct exclusions, eliminating coverage for “dishonest acts or omissions” of an insured and its employees, Ms. Anderson said. Because malicious employee acts frequently cause cyber claims, companies should seek to limit the exclusion to a defined group of high-level employees, she said. Insurers have denied coverage or reserved rights on the basis of the exclusion, she said.
Breach victims also may face disputes over the cost of fixes to software and systems in the wake of an attack, Mr. Berk said.
The fact that there is no standard cyber insurance form means buyers, brokers and insurers need to work harder to clarify the intended meaning of policy terms, said Adam Cantor, senior vp and claims advocate with the FINEX division of Willis North America in New York.
Cyber policies are not as “mature” as CGL and other forms that have been around longer, he said.