An obscure niche product less than a decade ago, cyber insurance is now a staple of many companies’ risk transfer programs. Its rise in prominence is no wonder. High-profile data breaches have caused businesses millions of dollars in losses and untold reputational harm. Companies are right to shed some of their cyber risks through insurance, and the basic protections it offers are well known. It pays for the business’s investigation and notification to consumers of data breaches, and it defends against ensuing class action lawsuits and regulatory actions.

As valuable as these basic coverages are, companies should carefully consider and address their risks beyond them. Those that fail to do so may leave some of their biggest risks uncovered.

Cyber insurance is not an off-the-shelf product; there is no standard form. Dozens of insurers sell it, each using its own proprietary language. And the market is evolving rapidly to keep up with the risk environment’s shifting sands. Thus, simply renewing last year’s policy will not provide the cutting-edge protection available today. Like other contracts that a business signs, a proposed cyber insurance policy must be scrutinized and negotiated to meet the business’s unique needs.  And the challenges in this area require a group effort that pulls in personnel and resources not just from the finance or risk management departments, but also IT, Legal and others.

Two areas of cyber insurance are seeing particularly rapid change and uncertainty: coverage for exposures relating to the European Union’s General Data Protection Regulation (GDPR) and business interruption coverages. Broad coverage is ostensibly available for GDPR risks, but its enforceability under applicable law is in question. Business interruption coverages are increasingly addressing the interconnectedness and complexity of computer systems in the age of the cloud, where one system’s downtime can affect many other companies’ operations.

The Sixth Circuit recently entered a ruling in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, 2018 WL 3404708 (6th Cir. July 13, 2018), soundly rejecting a cyber carrier’s extremely narrow reading of its policy’s “Computer Fraud” coverage. The insured American Tooling Center (“ATC”) had fallen for a “social engineering” scam. ATC received emails from someone impersonating one of its vendors and claiming to have changed its wire instructions. ATC transferred over $800,000 to the thief before realizing it was a scam.

A federal district court in Florida has ruled that a claim against a policyholder arising out of a hacker’s theft of confidential credit card information was not covered under a commercial general liability (CGL) policy.  St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., M.D. Fla. Case No. 17-cv-540 (Sept. 28, 2018).  This is not the first such decision.  Courts have held similarly in Innovak Int’l, Inc. v. Hanover Ins. Co., 280 F.Supp.3d 1340, 1347-1348 (M.D. Fla. 2017) and Zurich American Ins. Co. v. Sony Corp. of America,  2014 WL 3253541, 2014 N.Y. Misc. LEXIS 5141 at *71 (N.Y. Sup. Ct. Feb. 21, 2014).

While we disagree with these courts’ reasoning, policyholders concerned about data breach liability should take note of these decisions and consider buying more reliable insurance protection for this risk.

While experts debate how quickly autonomous vehicles (AVs) will take over our roads, there is little doubt they will be a fixture in the next decade. Fully self-driving vehicles are predicted to substantially reduce the accident rate, given the dominant role of human error in most crashes today.

But there still will be accidents. And where there are accidents, there are plaintiffs’ lawyers. But who will these lawyers sue, and how will the defendants insure their liabilities?

We explore these questions in our article for WardsAuto. The full article is available here.

Farella’s Insurance Recovery Group lawyers regularly collaborate with and learn from different players and functions within the insurance industry. To provide more value to our readers, we have reached out to a series of insurance brokers to create the Insurance Broker Series Q&A.

Our latest installment is with John M. Orr, Managing Principal – West Region Financial Lines Practice Leader with Integro Insurance Brokers.

While I wrote this article for a wine industry audience, the information in it is relevant to every company that is in any way connected to the internet. You should consider whether your insurance coverage adequately addresses your actual cyber risks today.

Cyber insurance can cover some of the more well-known risks, such as the costs to investigate and respond to the loss or theft of personally identifiable information. But cyber insurance won’t cover everything. It often will not cover bodily injury and property damage due to a cyber attack, which now is a real risk for certain companies whose critical infrastructure or products are internet-connected. Cyber insurance can provide business interruption coverage due to a cyber attack, but this coverage is often quite limited, though broader and better coverage is now starting to emerge in the market.

As a result, my article suggests that companies take a close look at what their real cyber risks are and then holistically review their insurance programs (not just the cyber policy, but also “traditional” policies such as property insurance) to ensure they are adequately protected.

Read the full article on fbm.com: Winery, Vineyard Cyber Attack Risk Grows With Web-Connected Systems

The Internet of Things gives rise to many risks and exposures that companies and their insurers were not thinking about as recently as a couple years ago, and probably aren’t fully cognizant of today.

The DDoS attack late last week on internet infrastructure company Dyn should act as a wake-up call.  It shows how large and disruptive a cyber attack can become because of all the seemingly benign “things” connected to the internet.  And it should cause companies to think about what their risks really are and whether their current risk management approaches address them.

Just one example from this latest attack – I’m reading that one or more of the manufacturers of the devices that were used as bots in this attack must recall a very large number of products because the passwords (which were easily cracked) cannot be changed by the user.  The software that runs those products came ready installed on components bought from China, and it is this software that contains the vulnerability.  Now that the passwords are known, the devices can no longer be considered secure.  Maybe the manufacturers have product recall insurance or maybe they don’t.  But they likely never thought they would have to conduct a product recall under these circumstances and whether such a recall might be covered under their current insurance program.

Protect your company by:

  • Understanding your company’s IoT exposures.
  • Using your company’s broker and coverage counsel to review all insurance policies with IoT exposures in mind and negotiate favorable policy terms.
  • Revisiting the policies annually at renewal time because of quickly changing risks and policy terms.

Policyholders should always consider the potential for coverage under their CGL policies if they suffer a data security breach. However, as the cases described in my article for Corporate Counsel show, coverage is highly fact-dependent and subject to interpretation by the courts even in the absence of a data-related exclusion. The addition of such an exclusion narrows the policyholder’s options.

As a result, policyholders should carefully consider their insurance programs and the unique risks that their businesses face in light of their own computer systems, third-party computer systems on which they rely and the data they collect and/or hold. They should consider whether technology errors and omissions liability or cyberinsurance would more effectively address their risks. With the help of their insurance brokers and counsel, companies can negotiate and tailor those policies to their risks and exposures relating to computer systems, personally identifiable information and confidential third-party business information. Some businesses may choose to rely exclusively on their CGL policies for protection against data breach lawsuits. But that decision should be made deliberately after understanding all the risks and options.

Read the full article: Data Security Breach Liability: Is Your Business Covered?

Law firms are important gatekeepers between cybercriminals and clients’ sensitive data. The release of the Panama Papers and several other recent high-profile breaches have brought to light vulnerabilities in law firm cyber security.

I recently participated in a podcast with journalist Ben Hammersley and eSentire’s VP and industry security strategist Mark Sangster. Our discussion focused on cyber risks that law firms face and risk mitigation strategies to protect themselves and the data they hold, including cyber insurance.

Listen to the podcast here

In the December post Systemic Cyber Risks And The Internet of Things, we wrote about the increasing risk of cyber attacks on infrastructure and consumer products, and related insurance issues. We noted in that post that, while there have been a few cyber attacks on the Internet of Things (IoT) reported over the past few years, the number of such attacks was certain to grow. It has. Since our December post, several new attacks and developments have been publicly disclosed. These attacks again remind us that companies should evaluate their risks and exposures relating to the IoT and carefully negotiate their insurance policy renewals or purchases.