I recently wrote an article for Business Insurance on how the war exclusion will affect commercial policyholders. The war exclusion has received a lot of attention over the past year, particularly since Russia invaded Ukraine in February. Policyholders’ concern that insurers will assert the exclusion as a basis to deny coverage is increasing in light
Tyler has a commercial litigation practice focused on recovering money for individual and corporate policyholders under all types of insurance policies, including commercial general liability, directors' and officers' liability, professional errors and omissions liability, employment practices liability and first-party property policies. Tyler is a fellow in the American College of Coverage Counsel.
The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates coverage for losses caused by “hostile or warlike action” from a nation-state or its agencies, or by military forces. Insurers have recently invoked this exclusion in an attempt to avoid providing coverage for losses arising from Russia’s 2017 “NotPetya” cyberattack against Ukraine, which spread beyond Ukraine’s borders and caused widespread damage to computer systems, including hardware, at a number of companies around the world.
A New Jersey court recently rejected an insurer’s reliance on a “war” exclusion in a property insurance policy, under which the insured had sought coverage for losses caused by the NotPetya cyberattack. See Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case number UNN L 002682-18, in the Union County Superior Court of New Jersey. …
Continue Reading The War Exclusion in a Time of War
Corporate policyholders often assume their computer fraud crime insurance will cover so-called social engineering thefts. Reasonably so. Fraudsters commit these crimes by using computers to trick innocent employees into transferring corporate funds to what they believe are legitimate bank accounts, only to discover later that the accounts are controlled by criminals who have stolen the money. Although most people would consider this to be computer fraud, crime insurers have resisted covering such thefts. And some courts have sided with the insurers. Until recently, insurers could point to the Ninth Circuit Court of Appeals as being one of those courts. On January 26, the Ninth Circuit finally set the record straight in Ernst and Haas Management Company, Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), by repudiating a prior unpublished ruling and finding coverage for a social engineering theft under California law. This ruling gives policyholders a boost in their crime coverage claims for social engineering theft losses and removes a cudgel from the insurers’ hands.
Continue Reading Crime Insurance for Social Engineering Thefts: The Ninth Circuit Finally Joins the Party
Unfortunately, we again write while wildfire is devouring homes and businesses in Napa and Sonoma, and threatening many more. We’ve previously posted tips about first steps that you should take in the event your business has suffered a fire loss. We want to provide this refresher, as prompt action is important to preserve your business’ rights under its insurance policies and to maximize its ultimate insurance recovery. If your business has sustained a fire loss, below are steps for you to take in working with your insurers to ensure that you receive the maximum benefits under any applicable insurance policies.
Continue Reading Maximizing Business Insurance Coverage Benefits After a Fire
Though much of the conversation regarding insurance coverage for COVID-19-related losses has focused on the potential for business interruption-type coverage (see prior discussion here), insureds should not overlook the potential that COVID risks trigger other types of coverage. For example, as previously discussed here, some insureds may seek coverage under D&O policies should they face securities and derivative-type claims.
In addition to the forms of coverage we’ve previously blogged about, businesses who have continued operations during the pandemic as well as those considering whether, when, and how to reopen their businesses in the coming weeks and months should consider whether they will be able to access coverage under their GL policies for some COVID-related claims. For example, companies that continue or restart operations in some form during the pandemic may anticipate claims from individuals who allegedly contracted the virus while interacting with that company’s employees or independent contractors. While those claims will likely face significant causation issues (will plaintiffs be able to substantiate transmission from a particular source though some combination of location tracking data and genetic testing of the virus?), these kinds of claims can be costly to defend and may create significant risks for certain businesses.
Continue Reading COVID-19 Exposure and GL Coverage: Issues for Personal Injury Claims
The cyber insurance markets are beginning to adapt to the new California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020.
There is great variation in how cyber insurance policies currently address risks under the CCPA. And further developments are expected as the law begins to impact companies under its jurisdiction—that is…
In an article I wrote for the North Bay Business Journal’s Vine Notes column, I review the issues around insurance coverage for smoke taint damage to grapes and wine. Insurers’ attempted clean lines of distinction can quickly become hazy when it comes to smoke taint. Now that we are just over two years past…
Tyler Gerking was inducted as a Fellow of the American College of Coverage Counsel’s 7th Annual Meeting in Chicago, Illinois on May 9, 2019. Mary McCutcheon presided over the meeting as she completed her term as President of the College.
The American College of Coverage Counsel (ACCC), established in 2012, is the preeminent association of…
In November, Tyler wrote about insurance issues raised by both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, which goes into effect on January 1, 2020. California’s governor Jerry Brown signed two other cyber-related laws in September, which will also go into effect on January 1, 2020 – Assembly Bill 1906 and Senate Bill 327, which address security concerns relating to devices that are capable of connecting to the internet – the so-called Internet of Things or “IoT”. See California Civil Code 1798.91.04(a) et seq.
The bills largely mirror each other and, put very simply, require manufacturers of devices that are capable of being connected to the internet to equip them with “reasonable” security features that are both appropriate to the device and require a user to generate a new means of authentication before access is granted to the device for the first time. Technologists are debating whether the laws are good or bad, and if good, whether they go far enough. Regardless, the law will become effective and manufacturers of IoT devices will have to comply with them. The law does not provide for a private right of action; it permits the state’s Attorney General to enforce its provisions.
The new California law applies to all connected devices sold or offered for sale in California. Because California is such a large market, this likely means that all such devices sold in North America and Europe will comply with California’s regulations, and older, less secure devices will be diverted to countries with fewer regulations.…
An obscure niche product less than a decade ago, cyber insurance is now a staple of many companies’ risk transfer programs. Its rise in prominence is no wonder. High-profile data breaches have caused businesses millions of dollars in losses and untold reputational harm. Companies are right to shed some of their cyber risks through insurance, and the basic protections it offers are well known. It pays for the business’s investigation and notification to consumers of data breaches, and it defends against ensuing class action lawsuits and regulatory actions.
As valuable as these basic coverages are, companies should carefully consider and address their risks beyond them. Those that fail to do so may leave some of their biggest risks uncovered.
Cyber insurance is not an off-the-shelf product; there is no standard form. Dozens of insurers sell it, each using its own proprietary language. And the market is evolving rapidly to keep up with the risk environment’s shifting sands. Thus, simply renewing last year’s policy will not provide the cutting-edge protection available today. Like other contracts that a business signs, a proposed cyber insurance policy must be scrutinized and negotiated to meet the business’s unique needs. And the challenges in this area require a group effort that pulls in personnel and resources not just from the finance or risk management departments, but also IT, Legal and others.
Two areas of cyber insurance are seeing particularly rapid change and uncertainty: coverage for exposures relating to the European Union’s General Data Protection Regulation (GDPR) and business interruption coverages. Broad coverage is ostensibly available for GDPR risks, but its enforceability under applicable law is in question. Business interruption coverages are increasingly addressing the interconnectedness and complexity of computer systems in the age of the cloud, where one system’s downtime can affect many other companies’ operations.
Continue Reading Keeping Up With the Risks and Protections of Cyber Insurance