Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business, it is increasingly becoming a prerequisite to procuring (and keeping) cyber liability coverage. Following the May 2021 Colonial Pipeline ransomware attack, which shut down the country’s largest oil pipeline for several days, more cyber insurers are now requiring policyholders to implement MFA. Last month, one tech manufacturer learned this lesson the hard way when its insurer filed suit for rescission of its insurance policy and a declaration that the insurer owed no coverage for the company’s losses stemming from a ransomware attack. Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022).
Continue Reading Using Multi-Factor Authentication as a Prerequisite to Cyber Liability Coverage

I recently wrote an article for Business Insurance on how the war exclusion will affect commercial policyholders. The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage is increasing in light

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present ever-changing risks to companies and individuals, and applicable insurance has never been more important. While companies historically sought coverage for losses under traditional CGL, D&O, E&O, commercial crime, and business interruption policies, their mixed results, coupled with new exclusions singling out electronic data, have led to an increasing need for cyber-specific coverages. However, as evidenced by the Minnesota District Court’s recent decision in Target Corporation v. ACE American Insurance Company, 2022 WL 848095 (D. Minn. Mar. 22, 2022), CGL policies still may be in play where damages result from the inability to use tangible property.
Continue Reading Continuing Use of CGL Policies to Cover Data Breach Losses

The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates coverage for losses caused by “hostile or warlike action” from a nation-state or its agencies, or by military forces. Insurers have recently invoked this exclusion in an attempt to avoid providing coverage for losses arising from Russia’s 2017 “NotPetya” cyberattack against Ukraine, which spread beyond Ukraine’s borders and caused widespread damage to computer systems, including hardware, at a number of companies around the world.

A New Jersey court recently rejected an insurer’s reliance on a “war” exclusion in a property insurance policy, under which the insured had sought coverage for losses caused by the NotPetya cyberattack. See Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case number UNN L 002682-18, in the Union County Superior Court of New Jersey.
Continue Reading The War Exclusion in a Time of War

The cyber insurance markets are beginning to adapt to the new California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020.

There is great variation in how cyber insurance policies currently address risks under the CCPA. And further developments are expected as the law begins to impact companies under its jurisdiction—that is

Companies of all sizes have fallen victim to attacks whereby fraudsters will use deceptive communications, such as spoofed emails, to trick an employee into transferring money into the fraudsters’ control. While these increasingly prevalent schemes are an ever-present risk for businesses, the body of case law finding these losses covered under crime insurance policies continues to develop. In a previous post, we discussed decisions from the Second Circuit and Sixth Circuit that have found coverage under crime policies for phishing-related losses. Now, with its decision in Principle Sols. Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), the Eleventh Circuit has held that such losses are covered by policies insuring against fraudulent instructions.
Continue Reading Another Federal Circuit Finds Phishing Loss Covered Under Crime Policy

It is an all-too-common dilemma. As phishing schemes have become more prevalent and more sophisticated, businesses of all sizes have fallen victim to these attacks where a fraudster will use a spoofed email or other deceptive communication to trick an employee into transferring money into the fraudster’s control. While this is a difficult scenario for anyone to face, two decisions from federal circuit courts have offered policyholders some relief by finding coverage for these losses under policies insuring against Computer Fraud. In doing so, these opinions rejected insurers’ arguments that the theft accomplished through these fraudulent emails did not qualify as Computer Fraud or were not losses that were directly caused by Computer Fraud.
Continue Reading Are Losses Resulting from Phishing Incidents Covered by Crime Policies Insuring Against Computer Fraud?

In November, Tyler wrote about insurance issues raised by both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, which goes into effect on January 1, 2020. California’s governor Jerry Brown signed two other cyber-related laws in September, which will also go into effect on January 1, 2020 – Assembly Bill 1906 and Senate Bill 327, which address security concerns relating to devices that are capable of connecting to the internet – the so-called Internet of Things or “IoT”. See California Civil Code 1798.91.04(a) et seq.

The bills largely mirror each other and, put very simply, require manufacturers of devices that are capable of being connected to the internet to equip them with “reasonable” security features that are both appropriate to the device and require a user to generate a new means of authentication before access is granted to the device for the first time. Technologists are debating whether the laws are good or bad, and if good, whether they go far enough. Regardless, the laws will become effective and manufacturers of IoT devices will have to comply with them. The law does not provide for a private right of action; it permits the state’s Attorney General to enforce its provisions.

The new California law applies to all connected devices sold or offered for sale in California. Because California is such a large market, this likely means that all such devices sold in North America and Europe will comply with California’s regulations, and older, less secure devices will be diverted to countries with fewer regulations.
Continue Reading Are You Covered for California’s New IoT Laws?

An obscure niche product less than a decade ago, cyber insurance is now a staple of many companies’ risk transfer programs. Its rise in prominence is no wonder. High-profile data breaches have caused businesses millions of dollars in losses and untold reputational harm. Companies are right to shed some of their cyber risks through insurance, and the basic protections it offers are well known. It pays for the business’s investigation and notification to consumers of data breaches, and it defends against ensuing class action lawsuits and regulatory actions.

As valuable as these basic coverages are, companies should carefully consider and address their risks beyond them. Those that fail to do so may leave some of their biggest risks uncovered.

Cyber insurance is not an off-the-shelf product; there is no standard form. Dozens of insurers sell it, each using its own proprietary language. And the market is evolving rapidly to keep up with the risk environment’s shifting sands. Thus, simply renewing last year’s policy will not provide the cutting-edge protection available today. Like other contracts that a business signs, a proposed cyber insurance policy must be scrutinized and negotiated to meet the business’s unique needs.  And the challenges in this area require a group effort that pulls in personnel and resources not just from the finance or risk management departments, but also IT, Legal and others.

Two areas of cyber insurance are seeing particularly rapid change and uncertainty: coverage for exposures relating to the European Union’s General Data Protection Regulation (GDPR) and business interruption coverages. Broad coverage is ostensibly available for GDPR risks, but its enforceability under applicable law is in question. Business interruption coverages are increasingly addressing the interconnectedness and complexity of computer systems in the age of the cloud, where one system’s downtime can affect many other companies’ operations.
Continue Reading Keeping Up With the Risks and Protections of Cyber Insurance

A federal district court in Florida has ruled that a claim against a policyholder arising out of a hacker’s theft of confidential credit card information was not covered under a commercial general liability (CGL) policy.  St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., M.D. Fla. Case No. 17-cv-540 (Sept. 28, 2018).  This is not the first such decision.  Courts have held similarly in Innovak Int’l, Inc. v. Hanover Ins. Co., 280 F.Supp.3d 1340, 1347-1348 (M.D. Fla. 2017) and Zurich American Ins. Co. v. Sony Corp. of America,  2014 WL 3253541, 2014 N.Y. Misc. LEXIS 5141 at *71 (N.Y. Sup. Ct. Feb. 21, 2014).

While we disagree with these courts’ reasoning, policyholders concerned about data breach liability should take note of these decisions and consider buying more reliable insurance protection for this risk.
Continue Reading Florida Court Finds No CGL Coverage for Data Breach Claim