[BreachExchange] Five Pitfalls of Cybersecurity Insurance: Lessons from the United States

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 28 15:34:52 EDT 2017


http://www.jdsupra.com/legalnews/five-pitfalls-of-cybersecurity-63424/

Given the increasing threat of cyberattacks and the corresponding costs,
businesses are increasingly considering cybersecurity insurance.  But
insurance is only as effective as the scope of the coverage. Though
Canadian courts have not yet interpreted insurance policies in the
cybersecurity context, American cases highlight five noteworthy pitfalls.

1. Coverage Denied Because the Insured Did Not Comply with Underlying
Obligations

Just as health coverage may be contingent upon the insured maintaining a
healthy lifestyle, cybersecurity insurance may be contingent upon the
insured meeting certain technical standards. In Columbia Casualty Co v
Cottage Health System, the insurer denied coverage and alleged that the
insured failed to comply with required “procedures and risk controls”,
which imposed an obligation to “follow minimum required practices”.

2. Coverage Denied Because the Incorrect Party Was Injured

In P.F. Chang’s v Federal Insurance Co, the insured (P.F. Chang’s) made a
claim on its insurance due to a data breach resulting in stolen records
belonging to its customers. P.F. Chang’s did not suffer an injury. The
court concluded that the relevant insurance policy did not cover P.F.
Chang’s because the policy required that the claimant suffer an injury. The
policy at issue was marketed as “a flexible insurance solution designed by
cyber risk experts to address the full breadth of risks associated with
doing business in today’s technology-dependent world.”

3. Coverage Denied Because the Incorrect Party Caused the Injury

In Zurich American Insurance Co v Sony Corp of America et al, Sony made a
claim on its insurance for defence and indemnification due to losses
resulting from a data breach by criminal hackers. The policy provided
coverage for “oral or written publication in any manner of the material
that violates a person’s right of privacy.” The court held, however, that
the policy only provided coverage if Sony published the material itself.
Since the hackers published the material, Zurich had no obligation to
indemnify Sony.

4. Coverage Denied Because the Cyber Activity Was Merely Incidental

Cybersecurity insurance may only provide coverage if the loss clearly
results from cyber activity. In Apache Corp v Great American Insurance
Company, the insured became the victim of fraud after an employee
wrongfully determined that a known vendor’s telephone and email request to
transfer money was authentic. The request turned out to be fraudulent and
the insured reimbursed the vendor. The insured made a claim under its
insurance, which covered “loss of, and loss from damage to, money,
securities and other property resulting directly from the use of any
computer to fraudulently cause a transfer…”. The court held that the
circumstances were not covered because the loss was not the direct result
of the computer use, which was “merely incidental”.

5. Coverage Denied Because the Litigation Was Outside the Scope of Covered
Claims

Insurance may provide coverage for certain claims to the exclusion of
others. In Travelers Property Casualty Company of America v Federal
Recovery Services Inc, the insured made a claim based on costs incurred for
litigation resulting from a tort claim for intentional misuse of its data
storage activities. The insurer denied the claim because the policy only
provided coverage if the loss was caused by “any error, omission or
negligent act.” The court held that the lawsuit against the insured for
“knowledge, willfulness, and malice” was outside the scope of the coverage.

Conclusion

The United States case law highlights the importance of understanding your
company's risks and vulnerabilities in order to define the precise scope of
cybersecurity insurance required.  A risk and vulnerability assessment is a
critical component to establishing an overall cybersecurity plan that will
mitigate risk and corresponding damages.