Insurers fight to bar cyber coverage under commercial general liability policiesReprints
Recent legal efforts by insurers to bar cyber coverage under commercial general liability policies signal a new coverage battle between insurers and policyholders as costly data breaches proliferate.
In the latest move, a Travelers Cos. unit earlier this month sought a judicial ruling that it is not obligated to provide indemnity coverage and defense costs under its commercial general liability policy for P.F. Chang's China Bistro Inc. in connection with the restaurant chain's data breach that occurred from October 2013 through June 2014.
The Insurance Services Office Inc.'s recent revisions to its standard commercial general liability policy forms exclude cyber coverage. But it will take some time for these forms to become more widely adopted in the market, and there are numerous older policy forms, at least some of which have ambiguous language, experts say.
Furthermore, many firms still do not have cyber insurance policies, leaving their commercial general liability policies as possibly the only source of coverage for the exorbitant costs associated with a major data breach.
And even for those firms with cyber policies, general liability policies, unlike their cyber counterparts, provide broader coverage, including offering defense costs that are outside the policy limits, experts say.
Policyholders' success in obtaining cyber-related coverage under their general liability policies has been mixed. In February, for instance, a New York judge held that Zurich America Insurance Co. is not obligated to cover Sony Corp. of America for litigation related to the 2011 hacking of its PlayStation Network under Sony's general liability policy.
Travelers asserts in its court filing that the “property damage” covered in its commercial general liability policy does not include loss or damage to “electronic media and records.” In August, P.F. Chang's disclosed that customer data from credit and debit cards used at 33 of its 211 P.F. Chang's eateries were pilfered.
“The track record of companies trying to get coverage under a CGL policy has not worked out too well,” said Scott L. Vernick, a policyholder attorney and a partner with Fox Rothschild L.L.P. in Philadelphia. “The Sony decision was a very troubling decision in this area.”
Insurers' position that cyber risks are not covered under general liability policies is based on policy language, as well as their contention it was never their intent to provide the coverage.
The Travelers case is a “clear sign that the CGL carriers are extremely protective of their policy trigger,” said Adam Cottini, managing director, insurance and risk management in North America at Arthur J. Gallagher & Co. in New York.
General liability insurers generally are not interested in suing their customers, but “this is one of those moments where it's large enough of an issue where Travelers is willing to obviously accept the negative connotation of using their own insured” for the purposes of a larger issues, Mr. Cottini said.
“I don't think we're going to see a lot of these cases,” but it is important for insurers to set a precedent on this issue so both clients and policyholders “know where the coverage resides and where it doesn't,” said John Coletti, New York- based chief underwriting officer for cyber and technology at XL Group P.L.C., who stated insurers never intended for commercial general liability policies to cover cyber events.
“Obviously, the carriers are going to continue to fight hard to deny coverage under the CGL policies, claiming there's no property damage liability in these types of situations, so it's going to be battleground and a fight, but it's still an important issue that needs to be looked at,” said David E. Weiss, a policyholder attorney with Reed Smith L.L.P. in San Francisco.
Mr. Weiss said policyholders' success in obtaining coverage under their general liability policies is going “depend a lot on the facts of individual cases,” whether they can claim there was physical injury to property or loss of use of property.
Joshua Gold, a shareholder with policyholder law firm Anderson Kill P.C. in New York, said, “I don't think it's terribly ambiguous to begin with, which is I think most policyholders should have personal injury coverage for a violation of privacy complaint, unless the policy has an express exclusion for a computer hacking incident.”
ISO's recent publication of a cyber exclusion “is an indication that the policies are supposed to be read to cover those, otherwise what's the point of the exclusion?” he asked.
William Boeck, senior vice president, insurance and claims counsel, for the Lockton Cos., in Kansas City, Missouri, said he advises his clients never to rely on commercial general liability policies for coverage of cyber risks.
“I would always prefer that clients have certainty on this issue, and if they rely on their general liability policy to cover cyber risks, the only thing certain is they will have a fight with their insurer over coverage,” he said. He said more policyholders are buying cyber policies “so they have certainty on the issue.”
A prudent policyholder should not “just pick one policy and put all their eggs in one basket,” said Kevin Kalinich, Chicago-based global practice leader of cyber risk insurance at Aon Risk Solutions.
Policyholders should seek cyber coverage under any applicable policy, which could include property, crime, kidnap and ransom, and professional liability, as well as a specific cyber policy, he said.
He added in these cases an issue may arise under the “other insurance clause” on many policies, which states that the particular policy is excess of any other policy in covering the same issue.