Five Pitfalls of Cybersecurity Insurance

Given the increasing threat of cyber-attacks and the corresponding costs, businesses are increasingly considering cybersecurity insurance. But insurance is only as effective as the scope of the coverage. 

In United States courts there is a body of case law interpreting insurance policies in the cybersecurity context which highlights five noteworthy pitfalls:

1. Coverage Denied Because the Insured Did Not Comply with Underlying Obligations

Just as health coverage may be contingent upon the insured maintaining a healthy lifestyle, cybersecurity insurance may be contingent upon the insured meeting certain technical standards. 

In Columbia Casualty Co v Cottage Health System, the insurer denied coverage and alleged that the insured failed to comply with required “procedures and risk controls”, which imposed an obligation to “follow minimum required practices”.

2. Coverage Denied Because the Incorrect Party Was Injured

In P.F. Chang’s v Federal Insurance Co, the insured (P.F. Chang’s) made a claim on its insurance due to a data breach resulting in stolen records belonging to its customers. P.F. Chang’s did not suffer an injury. 

The court concluded that the relevant insurance policy did not cover P.F. Chang’s because the policy required that the claimant suffer an injury. The policy at issue was marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world."

3. Coverage Denied Because the Incorrect Party Caused the Injury

In Zurich American Insurance Co v Sony Corp of America et al,1 Sony made a claim on its insurance for defence and indemnification due to losses resulting from a data breach by criminal hackers. The policy provided coverage for “oral or written publication in any manner of the material that violates a person’s right of privacy.” 

The court held, however, that the policy only provided coverage if Sony published the material itself. Since the hackers published the material, Zurich had no obligation to indemnify Sony.

4. Coverage Denied Because the Cyber Activity Was Merely Incidental

Cybersecurity insurance may only provide coverage if the loss clearly results from cyber activity. In Apache Corp v Great American Insurance Company, the insured became the victim of fraud after an employee wrongfully determined that a known vendor’s telephone and email request to transfer money was authentic. 

The request turned out to be fraudulent and the insured reimbursed the vendor. The insured made a claim based on its insurance which covered for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer…”. The court held that the circumstances were not covered because the computer use was not the direct result of the loss, but rather was “merely incidental”.

5. Coverage Denied Because the Litigation Was Outside the Scope of Covered Claims

Insurance may provide coverage for certain claims to the exclusion of others. In Travelers Property Casualty Company of America v Federal Recovery Services Inc, the insured made a claim based on costs incurred for litigation resulting from a tort claim for intentional misuse of its data storage activities. 

The insurer denied the claim because the policy only provided coverage if the loss was caused by “any error, omission or negligent act.” The court held that the lawsuit against the insured for “knowledge, willfulness, and malice” was outside the scope of the coverage.

Conclusion

The US case law highlights the importance of understanding your company's risks and vulnerabilities in order to define the precise scope of cybersecurity insurance required. A risk and vulnerability assessment is a critical component to establishing an overall cybersecurity plan that will mitigate risk and corresponding damages.

Lexology

For More Information about Cyber Insurance in your Industry or Service please contact Cyber Security Intelligence for free Information about your potential Risks and the Insurance that is Available.

You Might Also Read: 

Cyber Crime Drives Up The Cost Of Insurance:

Cyber Should Be Standalone Insurance:

Cyber Insurance: 7 Questions To Ask:

UK Parliamentary Committee Wish To Penalise CEOs for Cyber Breaches (£):

 

« North Korea's Cyber War on Australia
Social Media Reaction To The London Terror Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Dataguise

Dataguise

Dataguise provides a data-centric security solution to detect, protect, and monitor sensitive data in real time across all data repositories, both on premises and in the cloud.

SEC Consult

SEC Consult

SEC Consult is a leading European consultancy for application security services and information security.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

MER Group

MER Group

MER Group is a world-leading integrator in the areas of communications and security. MER cyber solutions cover the entire range of cyber and intelligence related products and services.

IBA Security

IBA Security

IBA Security is a center of competence consolidating the cybersecurity expertise of the IBA Group.

Nuspire

Nuspire

Nuspire provide services to protect your network with best-in-class managed detection and response, allowing you to stay focused on managing your business.

LuJam Cyber

LuJam Cyber

LuJam Cyber is a cybersecurity company that provides protection to SME Networks.

BigPanda

BigPanda

BigPanda is the first provider of Autonomous Operations solutions that empower IT Operations at large, complex enterprises.

Tyler Technologies

Tyler Technologies

Tyler Technologies is a leading provider of end-to-end information management solutions and services for local governments.

Barikat Cyber Security

Barikat Cyber Security

Barikat is a provider of information security solution and services including security analysis and compliance, security testing, managed security services, incident response and training.

Corellium

Corellium

Corellium are dedicated to supporting our peers in the ARM community who seek to build more secure, performant, and accessible software and devices.

Cyber Resilience Centre for Wales (WCRC)

Cyber Resilience Centre for Wales (WCRC)

The Cyber Resilience Centre for Wales (WCRC) is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019.

iSPIRAL IT Solutions

iSPIRAL IT Solutions

iSPIRAL is a leading regulatory technology software provider delivering state-of-art AML, KYC, Risk and Compliance solutions.

GoodAccess

GoodAccess

GoodAccess is the cybersecurity platform that gives your business the security benefits of zero trust without the complexities so your users can securely access digital resources anytime, anywhere.

Ark Technology Consultants

Ark Technology Consultants

Ark Technology Consultants is a unique IT Services Firm which blends technology solutions with consultative insight around governance and process management.

Amnet Technology Solutions (Amnet Systems)

Amnet Technology Solutions (Amnet Systems)

Amnet Systems is a technology services organization that provides Managed IT, Cloud Computing, Cyber Security, Data Center and Audio Visual services since 1995.