This article is part of CLM's publication Professional Times magazine, a production of CLM's Management & Professional Liability Community.
When a cyber incident occurs and a third party is harmed, it might seem that the best place to look for coverage is the insured’s cyber liability policy. But stopping there can limit the insured’s financial protection. You may do better looking for coverage across multiple policies.
Cyber insurance isn’t necessarily the only policy implicated in a cyber incident. There may be a property policy, a general liability policy, a D&O policy, or even a kidnap and ransom policy that can provide coverage. Consider a cyber incident that causes physical damage to a manufacturing plant, financial losses to the manufacturer’s stockholders, bodily injury to employees, and loss of business income. A cyber policy typically will not cover all of these categories of loss. The key is making sure the proper policies are tapped for the right coverage.
You may already be aware of ISO Endorsements CG 21 06 05 14 and CG 21 07 05 14, which are added to Coverage A to exclude coverage for damages arising out of “[t]he loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data,” where the term “electronic data” includes “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software…which are used with electronically controlled equipment.” The two endorsements differ in their treatment of bodily injury: CG 21 06 05 14 carries a limited exception that preserves coverage for bodily injury arising from such data loss, while CG 21 07 05 14 omits that exception. Does the insured’s CGL contain one of these exclusions? Did the insured secure alternative coverage through another policy or endorsement to close that gap?
Let’s deconstruct a hypothetical event to demonstrate some of the possible connections a cyber liability occurrence might entail.
Imagine a manufacturer with fairly comprehensive insurance coverage spread across several insurers. Due to a cyber incident, the production system is idled for a week and the company loses millions as a result. Not only that, it fails to fulfill contracts and is on the hook for penalties for those delays. Additionally, the cyber incident does not merely cause mechanical failures; it results in undetected product contamination and a blown valve that kills two employees and seriously wounds a non-employee inspector. The company is looking at workers compensation claims, bodily injury liability, business income loss due to property damage, surety issues, product recall and property loss, at least. In addition, if the manufacturer is a public company, shareholders may bring a lawsuit alleging that the company’s directors and officers are liable for the failure to prevent the cyber incident and for any resulting drop in stock price. In this scenario, the manufacturer’s D&O policy may be triggered.
Can any of this be covered by cyber insurance? What other coverages apply?
Assuming the insured’s broker has done the job and has not left gaps in coverage for cyber-related liability, the next step is to show where coverage can be found. Though the cyber policy is not a panacea, it probably will be part of the solution, under both its first-party and third-party coverage parts.
A standard cyber policy typically covers non-physical damage. It doesn’t cover 1,000 laptops that need to be replaced, an elevator that is destroyed, or gauges that are melted as the result of a cyberattack or cyber failure. Under a typical cyber policy, the insured can look for legal, forensics, public relations, credit monitoring and other covered costs, but bodily injury, worker death and property damage are typically expressly excluded. Does that mean these other losses caused by a cyber event are uninsured? Probably not. Other policies may offer coverage for each component of the loss.
To determine which policies may be implicated, ask yourself what you are trying to cover. If it is the cost of legal representation, forensic work to determine the cause of the cyber incident or to remediate it, or business interruption losses, you may find coverage under the cyber insurance policy. If it is bodily injury or third-party property damage, the general liability policy might cover those losses. If you have injured employees, workers compensation is the first recourse. If the board of directors and C-suite knew network security was weak and did nothing to correct it, the company can expect a lawsuit that potentially triggers D&O coverage. Knowing which coverage is implicated is the first crucial step in helping the insured.
Role of Management Liability Policies
A lot of attention has been focused on the role of directors and officers in cyber liability. Federal securities law requires public companies to disclose material risks and incidents that affect investment risk or are likely to have a material impact on the company’s financial results or condition. These include cybersecurity exposures and incidents. If a company’s cybersecurity program does not follow industry standards and best practices, directors and officers could be targeted for governance failures.
If stock value takes a hit because of a cyber event, or if it can be shown that a board of directors knew or should have known that cybersecurity was lax and failed to correct it, you might see a lawsuit arise that potentially triggers D&O coverage. If an external cybersecurity officer is used and the insured provides no oversight or makes no effort to review the efficacy of that person’s work, board members and corporate executives could be accused of negligence and/or breaches of their fiduciary duties. In such a scenario, a regulator may investigate the procedures and protocols the insured had in place prior to the cyber incident, or stockholders may bring a claim alleging financial harm.
It’s important to remember the interplay between cyber insurance and D&O insurance. Under D&O policies, the triggers are typically very broad: wrongful acts, negligence, and failures of oversight. Cyber coverage is generally much narrower and has different triggers, though the two may be complementary in some instances. For example, a cyber breach that causes stock losses and is shown to be the result of failed oversight might also require notification to victims if personally identifiable information is exposed. Both the D&O and cyber policies would likely respond in this case. While the D&O policy might respond to the oversight failures and loss of corporate value, the cyber policy might respond to the actual data breach and its direct, covered costs.
The United Kingdom’s High Court recently decided a group data breach claim that arose not from an outside attack but from an insider’s misuse of legitimate access. In that case, supermarket company Morrisons was found vicariously liable for its dishonest employee’s deliberate leak of the payroll data of fellow workers, and liable for the distress it caused victims, even though no financial loss to victims was shown. While the decision does not set binding precedent in the United States, it does send a message to companies with locations, employees or corporate interests in the United Kingdom, and it shows the increased onus now being placed on corporations when it comes to cybersecurity, including controls over what their own trusted staff can do with sensitive data.
At a minimum, the insured, its insurer(s) and its brokers will have to be highly collaborative when confronted with liability for losses connected to a cyber event. The insured may have to work with multiple insurers or multiple departments within one insurer to determine where coverage lies. If a settlement is in order, there may need to be contributions from several policies.
We are moving into an era of hyper-connectivity. Autos, homes, distributed ledgers (think blockchain) and cryptocurrencies present complex and unanticipated challenges to businesses and insurers alike.
An auto policy, for example, may cover a cyber-related accident that arises from the failure of a vehicle’s automated system. The insurer may then subrogate against the carmaker, but that could be a labyrinthine process, since many automakers’ insurance policies expressly don’t cover onboard cyber-linked systems; they instead pass responsibility for those to the component’s manufacturer, which may be located in another country. And what about cyber wallets or cryptocurrencies? If an insured uses these online payment methods and the insured’s “money” is stolen in a cyber intrusion into its computer network or payment platform, is it covered?
Defending clients in cyber liability cases is going to require knowledge of coverages outside of cyber risk insurance. Cyber occurrences are much broader than initially imagined, and the industry is playing catch-up. Much of what we are experiencing falls into uncharted legal territory where there is no settled law or precedent yet. The landscape is evolving, and all eyes are seeking a road map from the claims side of the house. As technology evolves, it will be up to insurers to provide creative solutions to unexpected risks and lead our clients through uncharted waters.