This piece was originally shared on the GBA Insurance site and is republished here with permission.
5 Common Reasons Insurers Decline Coverage
Companies purchase cyber insurance with the intention of protecting their balance sheets – and they hope the policies will respond as intended. However, a lack of policy standardization, confusing terminology and numerous exclusions can often leave unintended coverage gaps hiding within. In the following article, we explore some of the most problematic cyber insurance claim denials and how to avoid them.
When it comes to cybersecurity and insurance, companies have been vocally concerned over finding themselves losing twice – the victim of both a cyber breach and cyber insurance claim denial. First they experience a security event, resulting in significant damages, then they discover their insurance policy will not respond. From hidden language to sub-limits, we explore some of the more significant cases and areas in which carriers are declining coverage (or are expected to decline coverage) and how to avoid them.
Failure to Maintain
Often referred to as the negligence or “failure to follow” exclusion, some carriers contain within their policy language a specific exclusion that precludes coverage for claims arising from the insured’s failure to maintain minimum/adequate security standards. This exclusion has generated as much contention as confusion – a key reason why many carriers have since removed such language. While it may not trigger any specific concern for the average broker or buyer (appearing as a form of a warranty statement), it serves as a dangerous blanket-type exclusion. Here is a small sampling of the language used in such exclusions:
“Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal or greater to those disclosed in the proposal”
“Failure to continuously implement the procedures and risk controls identified in the insured’s application”
The Cottage Health case demonstrates the damage such an exclusion can cause. In 2014, shareholders filed a class action claim against Cottage Health after the hospital inadvertently published confidential client information online. Despite human error as the contributing factor, it was determined the hospital lacked basic controls such as encryption and that it was in violation of HIPAA.
In response, companies and their directors should perform careful reviews of the cyber policy terms and exclusions in order to ensure the form does not contain any clauses or wording requiring the insured to comply with a certain degree of cybersecurity controls. Additionally, companies should work closely with their CISO, IT and information security departments in order to confirm the accuracy of all statements contained within the application.
PCI Fines & Assessments
PCI-related fines and assessments are another area in which cyber insurers are denying coverage with seeming regularity. While the P.F. Chang’s case may be one of the more widely publicized examples, it is far from the only dispute involving coverage for such fines. To briefly summarize the case again: following a breach that exposed customers’ credit card information, the insurer paid roughly $2 million in damages but denied payment of roughly another $2 million in PCI assessments for policy language reasons. Insurers can restrict or limit coverage for such assessments through various policy clauses. The two most problematic exclusions, however, are 1) specific exclusions for PCI or self-regulatory fines, and 2) contractual liability exclusions (as was relied upon in the P.F. Chang’s case). Of equal importance is how the payment card information is accessed. Some policies contain exclusions for viruses or self-propagating code, which could also serve to preclude PCI coverage.
In addition to carefully reviewing cyber policies for clauses related to regulatory and PCI fines, policyholders should pay careful attention to the language contained within the policy form; assessing coverage can be considerably more difficult than simply locating an exclusion. Jones Day published an interesting article on the topic here. As also noted, insureds should carefully review their contracts for contractual obligations and understand how they coordinate with their insurance policy’s language.
Ransomware & Sublimits
Ransomware has been a hot topic following the recent chain of breaches. As demonstrated by WannaCry, extortion demands have remained low despite an expected imminent increase. This is deceiving, however: with most of the damages arriving in the form of lost income and asset restoration, it can be all too easy to underestimate the severity of damages a ransomware attack can inflict. The recently publicized Moses Afonso Ryan case effectively highlights the disparity between the value of the extortion demand and that of the sustained lost income. After the law firm suffered a ransomware attack demanding a $25,000 ransom, the cyber carrier in question ultimately agreed to reimburse $20,000 for the loss (the sub-limit defined in the policy); however, the firm contended that it suffered $700,000 in damages attributed to lost income. While it is not clear whether the policy’s terms actually provided any coverage for lost income resulting from cyber extortion, the policy’s limits would appear to have been insufficient regardless, an important reminder to review the scope of coverage.
With cyber policies often setting individual limits per insuring clause and further sub-limiting specific elements, policy limits can sometimes be difficult to navigate. For this reason, it is advised that insurance purchasers perform a careful assessment of the extortion insuring clause and review all limits, sublimits, deductibles and time deductibles for adequacy using benchmarks if available. It should also be noted that attacks such as these can also inflict considerable reputational damage and loss of clientele, which can be difficult to quantify and equally difficult to insure against.
The case of Kimpton Hotels has already demonstrated that a cyber-breach-related lawsuit can be brought prior to actual data misuse; however, the Johnson Bell case takes it one step further, becoming the first lawsuit to be filed even prior to any actual breach. While the concept of preemptive regulatory inspections/investigations is fairly well understood, the concept of a lawsuit in the absence of an actual breach is slightly harder to grasp. To summarize, after one of the firm’s clients discovered security holes, a class action was filed against the law firm for malpractice and negligence (among other allegations) resulting from security flaws and failure to properly secure its clients’ data, which “subjected the plaintiffs to an increased risk of injuries.” Among the other security vulnerabilities stated were allegations that the law firm was utilizing out-of-date software that was known to be exploitable, along with a VPN and email system that were vulnerable to attacks. It is once again important to note, however, that there was no actual intrusion, data exposure or data misuse – meaning, effectively, no damages.
This case poses a real coverage dilemma, particularly for cyber policies, because almost all insurers draft their language around the requirement of an intrusion (or security event) in order to trigger coverage. It also highlights the importance of performing regular system updates and security checks which may help avoid such claims altogether. While cyber policies are generally not structured for claims absent any breach, avenues for coverage that may be explored include cyber DIC policies and potentially E&O or D&O policies (barring any exclusions) – however, it will largely depend on the claim specifics, policy language, industry and more.
Social engineering schemes have been steadily growing in popularity and can be carried out in a number of ways: via phished email credentials, by way of phone or letterhead, or through direct alteration of bank account information by cyber criminals. While policy language is still adapting to better cover computer fraud and social engineering losses, many policy forms contain a number of exit points through which carriers can attempt to deny coverage. Without summarizing the specifics of each case, here is a small sampling of some of those potential exit points that carriers have been relying on and the cases in which each was cited:
- Fraudulent transfer was ultimately caused by the overriding of the company’s own security controls (State Bank)
- Funds were transferred voluntarily or by natural persons with authority to enter the company’s computer system (Acqua Star & Medidata)
- Fraudulent transfer request was carried out via phone as opposed to “directly from the use of a computer” (Apache Corp)
- Losses sustained were not “direct” losses of the insured, but rather losses of clients’ funds. As also pointed out by Blaney’s Fidelity Blog, the policy contained an additional requirement that the fraudulent transfer be introduced via “unauthorized introduction of instructions that propagated themselves” (Taylor & Lieberman).
The first step to being afforded coverage for such claims is ensuring that any cyber or crime policy has an appropriate social engineering endorsement as opposed to relying on a computer fraud/forgery insuring clause. It is also advisable to perform a careful assessment of the social engineering clause, as endorsements can vary significantly.