Faced with a deluge of cyber breach incidents and claims, the insurance industry has responded seriously by increasing its cyber liability product offerings. But while the market is still in its infancy, are the covers and expectations clear? Cyber risk is real. But the risks incurred by each organization can be quite nuanced. Carriers strive to keep pace with changing risks while trying to create insurance products that are both useful and profitable. Along the way, there are bound to be misunderstandings and, inevitably, problems.
Cyber risk review
Ransomware is a very hot issue right now, so let’s start by looking at a business loss claim from a hospital that suffered a ransomware attack. The attacker gained entry when an employee of one of the hospital’s software vendors accidentally exposed his credentials. The bad actor who collected the credentials took the opportunity to launch a ransomware attack, taking the hospital out of operation for a period of time. The hospital files a business interruption (BI) claim with its insurer, but E&O coverage also comes into play for the software vendor whose employee erred in exposing his credentials. It was not intentional or malicious; it was an innocent mistake. How are damages calculated, and who is responsible for them?
Now consider classic wire transfer fraud. The insured asks his carrier to pay a claim under his cyber insurance policy, only to find that such claims do not fall under the cyber policy at all but are instead considered social engineering. Is it an error or an omission on the part of the insurance broker not to have included or suggested this coverage?
Insurers should be aware that many policyholders do not understand their cyber policies, which can lead to bad faith accusations against the insurer. There are important differences between first-party and third-party cyber liability policies, and policies often include sub-limits for certain coverages.
Although most states require policyholders to read their insurance policies, the coverages can be confusing, which can give rise to arguments over policyholders’ reasonable expectations. If the courts apply the so-called “reasonable expectations doctrine” or find ambiguities in the policy language, they are likely to find coverage under the policies. Lawyers for policyholders will then add bad faith claims, arguing that the claim denials were unreasonable or reckless.
These examples help illustrate some of the interplay between cyber liability and E&O and the challenges insurers face in delivering insurance solutions in a rapidly changing cyber world.
Let’s take a step back.
Basics of liability insurance
Cyber liability protects the user of technological services and devices. There are two types of coverage:
First-party liability insurance covers data breaches in an organization’s own systems. The causes of these breaches can include malware and viruses, phishing scams, application vulnerabilities, weak passwords and other employee errors, as well as insider attacks. First-party liability coverage helps pay for notification of affected customers, data recovery, damage control such as a public relations campaign, credit and fraud monitoring services for affected customers, investigation of the breach source, and ransom demands.
Third-party liability insurance, on the other hand, covers data breaches in customer systems that a company has worked on or is responsible for. This coverage pays legal fees, other legal costs and damages.
Where does E&O fit in?
Unlike cyber liability, which protects the user of technological services and devices, E&O aims to protect the vendor who sells the technological products or services. Cyber liability coverage is usually bundled into the E&O insurance package, known as technology E&O.
Tech E&O covers a company for making an error that results in financial harm to a client. Coverage will generally include errors or omissions, undelivered services, missed deadlines, and breach of contract.
Consider a web designer who creates a website for a client that looks like one of the client’s competitors’ sites, exposing the client to a potential copyright infringement claim. Or a software developer who sells software containing a “bug” that causes operational problems when the customer implements it. Imagine that the bug caused new orders to be removed from the system whenever no delivery date was entered. E&O would respond to pay the company’s legal fees and other costs related to the customer’s claims.
A cautionary tale: bad faith in cyber liability and technology E&O
There is a lot of activity around bad faith litigation against carriers, and cyber liability is no exception. This arises in situations where a policy is in place, a claim occurs, and the insurer’s conduct in handling the claim is then called into question. James Dodrill, West Virginia’s insurance commissioner, warns that bad faith litigation commonly arises on low-limit insurance policies, where the insured will use the bad faith argument to get around the policy’s low limit.
The goal is the same for the claimant regardless of the type of coverage, whether it is cyber, E&O or property coverage. The caveat for insurers, according to Dodrill, is: “If you have a low E&O limit or exclusions implied by the policy language, these things will come into play if you make a wrong cover call.”
The bottom line is that while cyber is a relatively new type of coverage, lessons learned in other areas need to be applied to the drafting of these policies and their exclusionary language. Dodrill cautions, “Carriers need to be careful. I have seen low limit policies of $25,000 result in bad faith verdicts north of $10 million.”
The role of the forensic accountant in cyber liability
Claims professionals are accustomed to using the services of forensic accountants in loss of income/business interruption cases. In the area of cybercrime, the forensic accountant would be involved in a post-breach case where a company’s first-party liability coverage responds to the incident. The accountant would help calculate the damages arising from the loss of business income resulting from the breach.
Going back to the hospital example, where the hospital’s software vendor had an employee whose credentials fell into the hands of a bad actor, the vendor’s E&O coverage may respond. The forensic accountant would then be involved not only in assessing the hospital’s damages, but also in the potential subrogation claim against the software vendor under its E&O coverage.
Takeaways for carriers and claims professionals
With so much at stake, let’s return to the claims handling perspective. In general, when a cyber liability claim arises, we want to consider the insured’s protocols. Did they follow established protocols? What is the true nature of the claim? Is this clearly a cyber claim, or is it social engineering? If coverage is denied, is there a well-documented rationale behind the decision? Are you exploring the limits available? What is the potential for a causation defense?
When it comes to acting in good faith and avoiding bad faith claims, carriers want to focus on training. Train claims teams to be responsive and act in good faith, and enable brokers to understand policies and clearly communicate the limits, exclusions and expectations of policyholders.
The world of cyber insurance will continue to evolve rapidly. Opportunities abound for carriers who are prepared with the right products, processes and support.
John Palmeri is a partner at Gordon & Rees. Danielle Gardiner is Senior Vice President at Lowers Forensics International. Carlos Rivera is Senior Vice President, Caribbean and Latin America, at Lowers Forensics International. Special thanks to Jim Dodrill, West Virginia Insurance Commissioner, for his insights.