Five Pitfalls of Cybersecurity Insurance

Given the growing threat of cyber-attacks and the corresponding costs, businesses are increasingly considering cybersecurity insurance. But insurance is only as effective as the scope of the coverage.

In United States courts there is a body of case law interpreting insurance policies in the cybersecurity context which highlights five noteworthy pitfalls:

1. Coverage Denied Because the Insured Did Not Comply with Underlying Obligations

Just as health coverage may be contingent upon the insured maintaining a healthy lifestyle, cybersecurity insurance may be contingent upon the insured meeting certain technical standards. 

In Columbia Casualty Co v Cottage Health System, the insurer denied coverage and alleged that the insured failed to comply with required “procedures and risk controls”, which imposed an obligation to “follow minimum required practices”.

2. Coverage Denied Because the Incorrect Party Was Injured

In P.F. Chang’s v Federal Insurance Co, the insured (P.F. Chang’s) made a claim on its insurance due to a data breach resulting in stolen records belonging to its customers. P.F. Chang’s did not suffer an injury. 

The court concluded that the relevant insurance policy did not cover P.F. Chang’s because the policy required that the claimant suffer an injury. The policy at issue was marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.”

3. Coverage Denied Because the Incorrect Party Caused the Injury

In Zurich American Insurance Co v Sony Corp of America et al, Sony made a claim on its insurance for defence and indemnification due to losses resulting from a data breach by criminal hackers. The policy provided coverage for “oral or written publication in any manner of the material that violates a person’s right of privacy.”

The court held, however, that the policy only provided coverage if Sony published the material itself. Since the hackers published the material, Zurich had no obligation to indemnify Sony.

4. Coverage Denied Because the Cyber Activity Was Merely Incidental

Cybersecurity insurance may only provide coverage if the loss clearly results from cyber activity. In Apache Corp v Great American Insurance Company, the insured became the victim of fraud after an employee wrongly determined that a known vendor’s telephone and email request to transfer money was authentic.

The request turned out to be fraudulent and the insured reimbursed the vendor. The insured made a claim under its insurance, which covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer…”. The court held that the circumstances were not covered because the loss was not the direct result of the computer use; rather, the computer use was “merely incidental”.

5. Coverage Denied Because the Litigation Was Outside the Scope of Covered Claims

Insurance may provide coverage for certain claims to the exclusion of others. In Travelers Property Casualty Company of America v Federal Recovery Services Inc, the insured made a claim based on costs incurred for litigation resulting from a tort claim for intentional misuse of its data storage activities. 

The insurer denied the claim because the policy only provided coverage if the loss was caused by “any error, omission or negligent act.” The court held that the lawsuit against the insured for “knowledge, willfulness, and malice” was outside the scope of the coverage.

Conclusion

The US case law highlights the importance of understanding your company's risks and vulnerabilities in order to define the precise scope of cybersecurity insurance required. A risk and vulnerability assessment is a critical component of establishing an overall cybersecurity plan that will mitigate risk and corresponding damages.

Lexology
