While cyber insurance policies are popular, and can be an effective risk-mitigation tool, we have advised clients to be cautious, to evaluate policy language carefully, and to anticipate coverage disputes. Recent cases bear this out: it is critically important that the language in the policy cover, without exclusion, the key losses anticipated by the insured. Where there is a grey area, it may be in the best interest of the insurer to deny coverage, and coverage disputes can go either way. Here are some recent examples:
Just this month, an insured (Aqua Star) lost a coverage dispute over a loss that occurred when its employees were tricked into wiring money into the wrong bank accounts. Aqua Star’s supplier was hacked, and the hackers spoofed emails to Aqua Star employees, providing false routing information. The court agreed with the insurer that Aqua Star’s computer fraud policy did not provide coverage because an Aqua Star employee copied information from the spoofed email and saved it into a spreadsheet on the Aqua Star system. The policy excluded coverage for losses caused, even in part, by an authorized user’s entry of electronic data into the company’s computer system. Under this ruling, Aqua Star’s computer fraud policy did not provide coverage for one of the most prevalent computer fraud scams being perpetrated today.
In a case decided earlier this year, PF Chang’s had purchased a cyber policy that was marketed as a “solution designed by experts to address the full breadth of risks” from cyber incidents. As a large, consumer-facing company, PF Chang’s was rated as high-risk and high-exposure, and it paid a large premium. Although the policy covered a significant portion of PF Chang’s expenses after customer credit-card information was compromised, the insurer denied coverage for $1.7 million of “fraud recovery” charges assessed by credit-card companies. Per standard industry practice and contracts, these charges were billed by the credit-card companies to PF Chang’s processing servicer (an entity referred to as “BAMS”), which passed the charges through to PF Chang’s. PF Chang’s reimbursed BAMS and sought coverage.
The insurance company denied coverage—and won—for two reasons. First, the policy defined a “Privacy Injury” as an injury suffered by a Person whose information had been compromised. In this case, BAMS was injured, but it wasn’t BAMS’s information that was lost. As a result, there was no Privacy Injury, and no coverage. The court also relied on an exclusion in the policy for contractual liability. As noted above, PF Chang’s obligation to reimburse BAMS was contained in the parties’ contract, which the Court found squarely within the exclusion. Thus, PF Chang’s was denied coverage for a loss that it knew it would incur if credit-card information was compromised.
And in another recent case, a bank employee left a computer on, with login and authentication information still in the profile. The computer was hacked, and the credentials were used to initiate two wire transfers. The insurer denied coverage, claiming that the loss was not caused by “computer system fraud” because the employee had not logged out, and had not strictly followed company policy. While the insured won this case, it had to litigate in federal court, all the way up to the Eighth Circuit Court of Appeals, in order to secure the coverage that it thought it had originally purchased.
The lessons are clear. It is not enough that your company buy a comprehensive cyber policy designed for your type of business. You must consider the precise losses you are trying to protect against, and ensure that the policy language gives you what you think you are buying. Even then, as this market continues to grow, and the number of claims increases, insurance companies will find creative ways to deny coverage.