“Silence is golden”, unless your cyber coverage is at stake

Kurtis Suhs
Founder and C.E.O., Cyber Special Ops, LLC
Mr. Suhs serves as the Founder and C.E.O. of Cyber Special Ops, LLC, a cyber risk company that provides Concierge Cyber®, a low-cost membership that guarantees members emergency response to a cyberattack or data breach through a team of highly respected third-party service providers, on a pay-as-you-go basis, at pre-negotiated and substantially discounted rates.

Every organization that evaluates and purchases standalone cyber insurance has addressed its cyber risk, correct? One might think so, but one needs to know exactly what an organization has… or does not have, by looking at the bigger insurance picture. Cyber risk is truly unique in that a cyber claim could theoretically trigger every line of insurance. Today, the more astute insurers have examined how a cyber claim could impact each and every line of property and casualty (P&C) insurance across their entire book. Specifically, which P&C policies 1) define cyber and affirmatively provide coverage on a full or sub-limited basis, 2) define cyber and affirmatively exclude coverage or 3) neither define nor affirmatively offer or exclude coverage (aka silent cyber). And most importantly, how do all of the insured’s P&C policies work together to respond to a cyber claim?

Most insurance agencies either have an internal cyber resource or outsource cyber placement to a wholesaler with cyber expertise. Generally, those cyber experts only evaluate the standalone cyber insurance product and do not evaluate the entirety of the insured’s insurance program. Even Fortune 250 companies often assign the property insurance to one broker and the casualty/professional insurance to another broker. Whether the insured is a small or large organization, both scenarios may result in a costly insurance agent’s E&O claim and leave the insured, who purchased standalone cyber insurance, in a precarious position.

This blog addresses 1) case law that has affirmed cyber coverage, 2) case law that has deemed no cyber coverage and 3) key insurance policy terms, conditions and endorsements for insurance agents to examine when evaluating cyber risk.

Property:

A property policy is triggered by physical damage to tangible property. Is data considered tangible property under a property policy? Courts are split on whether a property policy provides coverage for electronic data. Some courts have found coverage in a property policy. In American Guaranty & Liability Insurance v. Ingram Micro, Inc., 2000 WL 726789 (D. Ariz. 2000), the Court held that the loss of the use and functionality of the insured’s computers as a result of a power outage constitutes “direct physical loss or damage” within the meaning of a property policy. The Court reached this conclusion notwithstanding the fact that the computers in question retained the inherent ability after the power outage to perform the same functions as previously. The loss of use was caused instead by the loss of custom programming contained in the computers’ random access memory (RAM) as a result of the power outage.

Other courts, however, have found there to be no coverage for data under a property policy. In Ward General Insurance Services v. Employer’s Fire Insurance Company, 114 Cal. App. 4th 548, the Court found that electronic data was not tangible, and thus loss of data is not property damage.

While most property markets exclude coverage for the loss of electronic data, two markets provide optional endorsements with affirmative cyber coverage. One insurer offers an optional three-part cyber coverage endorsement that encompasses information asset protection, cyber extortion coverage and network business interruption. Another insurer offers an optional two-part cyber coverage endorsement that provides information asset protection and network business interruption. An insured has the option to choose whether the Cyber Optimal Recovery endorsement is primary, contributing or in excess of a cyber policy—in order to maximize recovery under both a property and a standalone cyber policy.

Commercial General Liability (CGL):

Prior to 2001, courts were inconsistent on whether electronic data constituted tangible property under Coverage A. Bodily Injury and Property Damage.

Since 2001, ISO CGL policies specifically provide that electronic data is not tangible property.

Since 2004, ISO CGL policies eliminate coverage for damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

Coverage A. Bodily Injury and Property Damage:

Courts are split on whether Coverage A. Bodily Injury and Property Damage Liability under a CGL policy provides coverage for electronic data. In Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797, 801 (8th Cir. 2010), the Court held that an online marketing company was entitled to a defense under its CGL policy in a claim alleging that spyware installed by the insured damaged the claimant’s computer; coverage was afforded on that basis.

In Computer Corner v. Fireman’s Fund Ins. Co., 46 P.3d 1264 (N.M. Ct. App. 2002), the New Mexico Court of Appeals held that a CGL policy provided coverage for liability arising from the loss of data stored on a computer hard drive, relying on the finding of fact that computer data is “tangible” property. The Court of Appeals made this determination despite: (1) the district court’s finding that the insured, Computer Corner, had expected and/or intended that the data would be lost; and (2) the district court’s conclusion that coverage under the policy was excluded pursuant to standard “business risk/work product” exclusions found in most CGL policies.

Other courts have held that electronic data is not tangible and thus the loss of electronic data is not property damage. An example of such a finding is America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3d 89 (4th Cir. 2003), where the Court held the insurer had no duty to defend under the CGL policy because computer data and software were not “tangible property”.

Coverage B. Personal and Advertising Injury:

Courts are also divided on whether Coverage B. Personal and Advertising Injury under a CGL policy provides coverage for a claim alleging that the breach of electronic data violates a person’s right to privacy.

In Hartford Casualty Insurance v. Corcino & Associates, 2013 WL 5687525 (C.D. Cal. 2013), the Court required the insurer to provide coverage when an insured posted private, confidential and sensitive medical and/or psychiatric information on a public website, where it remained online for almost a full year.

In Travelers Indemnity v. Portal Healthcare Solutions, LLC (4th Circuit April 2016) (unpublished), the Court held the insurer owed a duty to defend where the insured allegedly failed to safeguard confidential medical records from being viewed on a public website and two patients alleged that they were able to access their own records by way of a Google search.

Other courts, however, have deemed there to be no coverage under Coverage B. of a CGL policy. In Zurich American Insurance Co. v. Sony Corporation of America, No. 651982/2001 (N.Y. Sup. Ct. Feb. 2014), the Court found no coverage arising from the PlayStation hack because the alleged “publication” was not an intentional act committed by the insured, but instead was the result of a criminal act of a third-party hacker.

In Recall Total Management, Inc. v. Federal Insurance Co., 115 A.3d 458 (Conn. 2015), the Connecticut Supreme Court found no coverage when a transport vendor allegedly lost data tapes containing sensitive data on a large number of employees. The Court ruled that there was no “publication” absent evidence that the information on the tapes was ever accessed, and that the triggering of a breach notification statute does not demonstrate personal injury.

In May 2014, ISO exclusions were created to preclude coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” Nonetheless, even where these exclusions appear, policyholders will continue to litigate their scope.

Environmental:

Environmental insurance policies in the marketplace are generally silent on cyber risk related to a covered environmental loss. Consequently, depending upon the type and nature of a claim, an environmental policy may provide coverage for defense, indemnity, business interruption and “other expenses” such as forensics, legal and public relations.

Professional Liability (E&O):

E&O insurance policies in the marketplace are generally silent on cyber risk. Consequently, depending upon the type and nature of a claim, an E&O policy may provide coverage for a cyber claim tied to the rendering of professional services. Coverage might include defense, indemnity, business interruption and “other expenses” such as forensics, legal and public relations.

Many E&O insurers offer an optional cyber endorsement and provide coverage on a sub-limited basis.

Hospital Professional Liability (HPL) and Miscellaneous Facility E&O:

HPL and Miscellaneous Facilities E&O insurance policies in the marketplace are generally silent on cyber risk. Consequently, depending upon the type and nature of a claim, an HPL or Miscellaneous Facilities E&O policy may provide coverage for a cyber claim tied to the rendering of professional services. Coverage might include defense, indemnity, business interruption and “other expenses” such as forensics, legal and public relations.

Management Liability (D&O):

The majority of D&O policies are silent on cyber risk. Defense and indemnity of shareholder derivative suits and regulatory investigations may have coverage. Some courts have found coverage in a management liability policy. In Sterling v. Stratfor Enterprises, LLC et al., Case No. 2:12-cv-00297-DRH-ARL (E.D.N.Y.), the Court ordered Stratfor to offer class members who opted in one month of free access to its service, worth $29.08, and an electronic book published by Stratfor called “The Blue Book,” priced at $12.99. The two together may cost Stratfor approximately $1.75 million, according to estimates in the settlement. In addition, a $400,000 lump sum was paid to plaintiff attorneys.

Other prominent shareholder derivative suits against directors and officers, including Home Depot, Target and Wyndham Hotels have been dismissed. Derivative lawsuits are particularly challenging for claimants, owing to the procedural hurdles, like the demand requirement, and the substantive defenses, like the business judgment rule.

Crime:

Courts are split on whether a crime policy provides coverage for theft of monies by use of a computer. Some courts have found coverage in a crime policy. In Medidata Solutions, Inc. v. Federal Insurance Co., No. 15-CV-907 (U.S.D.C., S.D.N.Y. July 21, 2017), the New York Federal Court found coverage under a crime policy for a social engineering-induced fraudulent funds transfer in which computer code was used to alter emails. The decision was affirmed on appeal.

Other courts, however, have found that the crime policy does not provide coverage. In Taylor & Lieberman v. Federal Ins. Co., 2017 WL 929211 (9th Cir. Mar. 9, 2017) (unpublished), the Ninth Circuit held that an accounting and business management firm that fell victim to a social engineering fraud did not have coverage under any of the insuring agreements of a crime policy.

In InComm Holdings, Inc. v. Great American Ins. Co., 2017 WL 1021749 (U.S.D.C., D. Ga. Mar. 16, 2017), the Court found no coverage under a Computer Fraud policy for claims arising from a scheme involving a Prepaid Debit Card Plan.

In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, Case No. 16-11208 (U.S.D.C., E.D. Mich. Aug. 1, 2017), a Michigan Federal Court found no coverage under a crime policy for social engineering-induced fraudulent funds transfer.

Call to Action:

Insurance agents need to review each and every insurance policy of a client for cyber coverage. Specifically, which P&C policies 1) define cyber and affirmatively provide coverage on a full or sub-limited basis, 2) define cyber and affirmatively exclude coverage or 3) are silent on cyber. Start first with the insuring agreements and definitions, and then examine what is excluded in each base form along with all of the policy’s endorsements.

And most importantly, take a look at the “Other Insurance” provision for each policy. Standard language in most policies reads as follows:

“This insurance will be excess over any other insurance which also provides coverage for any claim, including any deductible provisions. However, any insurance specifically arranged by you to apply in excess of this insurance will not be deemed other insurance”.

This language is really problematic: if each policy’s “Other Insurance” provision is on an excess basis, a single claim may erode any and all other lines of insurance on a quota share basis. Insurance agents should therefore ensure that the “Other Insurance” provision in the cyber policy reads as follows:

“If an Insured is entitled to coverage under one or more valid and collectible bonds or other policies of insurance, then the coverage under this Policy will apply as primary insurance”.

To provide color on why the above is important, I will share a real-life scenario. I recently reviewed a professional services firm’s insurance policies. The firm maintained both an E&O and a cyber insurance policy.

The professional services firm’s E&O policy had a cyber coverage endorsement. The “Other Insurance” provision was explicitly excess of any valid and collectible insurance.

However, the professional services firm’s cyber insurance policy had the following endorsement, effectively causing the professional liability policy to erode as primary even for a cyber event, while the cyber insurance policy, which the firm specifically purchased for such risk, sat idle as excess coverage:

  1. Section II, Definitions, is amended by adding the following:

Professional Liability Insurance means any valid and collectible insurance which covers liability arising out of the Insured’s professional services as an accountant, architect, civil engineer, financial service provider, healthcare provider, insurance agent or broker, insurance carrier, lawyer, medical professional, real estate agent or broker, securities agent or broker, structural engineer, surveyor, or any other profession for which the Insured has obtained a policy specifically to cover liabilities arising out of such professional services. Professional Liability Insurance policies may be commonly referred to in the marketplace as Errors and Omissions policies, Miscellaneous Professional Liability policies, Professional Indemnity policies, Malpractice policies, or other related terms.

  2. Section XII, Other Insurance, is amended by adding the following:

Notwithstanding anything to the contrary, if any Costs, Damages, or Claims Expenses under this Policy are also covered under any other Professional Liability Insurance, or any policy stated to be specifically excess of such policy (collectively “Other Policies”), then this Policy shall specifically be treated as excess insurance over such Other Policies with respect to such Costs, Damages, or Claims Expenses. This Policy shall cover such Costs, Damages, or Claims Expenses, subject to the Policy terms and conditions, only to the extent that the amount of such Costs, Damages, or Claims Expenses are in excess of the amount afforded under the Other Policies, whether such Other Policies are stated to be primary, excess, contributory, contingent or otherwise.

Just like insurers, insurance agents need to evaluate each and every policy for cyber risk, how each policy interacts with other policies and which policy will first respond to a cyber claim. The last thing you want is for an insured to purchase standalone cyber insurance, only to see other lines of insurance erode first while the cyber insurance sits on the sideline.

From Stephanie Lynch: Summary of New Cyber Insurance Study

In this post, Stephanie Lynch provides an excellent summary of the recent Guy Carpenter and CyberCube study “Looking Beyond the Clouds,” which looks at potential U.S. cyber insurance industry catastrophes and their financial fallout. You can download the study itself from the Guy Carpenter website.

It is crucial that we, as the cyber insurance market, put in the work to understand the characteristics of catastrophic cyber events and the financial impact they could have on our industry. Guy Carpenter and CyberCube Analytics have collaborated on a study to quantify cyber risk, specifically looking at potential U.S. cyber industry catastrophic and systemic loss events.

The study is done on a synthetic cyber portfolio representing the U.S. standalone cyber market, informed by Guy Carpenter’s view of the market. GC started with a base portfolio of just over 6k policies with a combined premium of $285m, estimated to represent about 10% of the U.S. cyber market. It was tested and extrapolated out using a proportion of risk sizes seen in the underlying exposure dataset, to create a total market view of $2.6b and about 55k policies. It’s important to note that this study does not contemplate endorsements, package policies or non-affirmative cyber within other lines of business, but exclusively looks at standalone cyber policies.

CyberCube had developed 23 catastrophic loss scenarios on their platform, ranging from attacks on critical infrastructure, to large-scale cloud ransomware at a leading cloud service provider, to widespread theft from a major email service provider. The unique characteristic about CyberCube is that they have access to data from both inside and outside the firewall, which builds a more unique and complete view of the risk, due to their exclusive access to information from Symantec, the world’s largest cybersecurity firm.

All modeled results are based on 10k simulations run on the synthetic portfolio through these 23 loss scenarios in the CyberCube platform. The analysis and results can be found in much more detail within the study itself, but a few key takeaways:

  • The costliest cyber catastrophe scenario modeled was widespread data loss due to zero-day vulnerabilities within a leading operating system, which caused a $23.8b insured loss to the market. The likelihood of this event is also the lowest (beyond the 1:300 year return period), but it is similar to what occurred with the NotPetya attack that was mostly uninsured.
  • The most likely loss scenario was widespread data theft from a major email service provider.
  • The second most likely was large-scale ransomware at a leading cloud services provider.
  • Companies with revenues greater than $1b, regardless of industry, represent about 75% of the insured loss.
  • Financial firms were most impacted by these systemic events, accounting for ~20% of the insured loss. This isn’t all too surprising due to the larger insurance takeup rate in the cyber market by these firms.
  • While the loss drivers of each of these scenarios are different, it is important to note that Business Interruption costs, often caused by supply chain delays, are a big part of these catastrophic loss costs. The BI component of cyber insurance has evolved rapidly over the last few years, and we have seen waiting periods and sublimits erode considerably over this time as well.

Rebecca Bole of CyberCube Analytics says, “Insurers and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.”

Hopefully this study has got the conversation started within the businesses with these exposures, the insurance carriers covering them, and the reinsurers backing them. Since there hasn’t quite been a U.S. insured catastrophic, systemic cyber loss yet, it is a challenge for (re)insurers to estimate the size and scope of what such a loss would look like on their balance sheets. Readers are encouraged to read through the article and the details of the top 5 catastrophic loss drivers. It is important for us all to analyze our portfolios with these catastrophic scenarios in mind, and this study is a great place to start.

Stephanie Lynch is a treaty reinsurance underwriter and account executive with 5+ years of full-time industry experience. She is responsible for developing, growing, and managing treaty reinsurance broker and client relationships and underwriting proportional and non-proportional professional liability programs.

Her treaty reinsurance background began on the actuarial side of the business, working on the reserving team at Arch Reinsurance. After a few years, she made the transition to underwriting, working with the professional liability treaty reinsurance group. Stephanie joined the professional liability underwriting team at Safety National Re in September of 2017 working on both medical and non-medical professional liability.

Stephanie is a graduate of The College of New Jersey with a Bachelor’s degree in Mathematics and a minor in actuarial science. She has achieved the CPCU, RPLU, CYB, ARe, AINS designations and is a licensed NJ producer in property, casualty and surplus lines.


Jeffrey Norton on Small Companies and Large Breaches

Jeffrey Norton of Beazley Group and panelist for the 2015 PLUS Conference session “When David Fells Goliath: Small Companies’ Role in Large Breaches” joined us in the Media Zone to discuss how small and medium-sized enterprises can and should prepare when doing business with large companies.