Insurance Coverage for and IT Consultant’s Role in Media/Cyber Policy Application

By David Gauntlett*

As many entities shift a number of employees to remote desktop work, policyholders face the challenge of procuring appropriate coverage for risks arising from their growing online business operations.[1] Traditional policies leave gaps in coverage for cyber-related claims, as their policy language rarely includes the necessary protections for injury caused through online operations.

Issues in Completing Cyber Policy Applications

Media/Cyber policies offer a valuable element to manage risks that arise from attacks via technology, computers, and cyber operations. Under Cyber/Media policies, businesses that experience cybercrime attacks can receive appropriate references to cyber experts, legal counsel, and computer forensic scientists.[2] Cyber coverage is often sold in conjunction with Media coverage, which provides valuable coverage beyond that in the shrinking Commercial General Liability (“CGL”) coverage with respect to Media claims. The lack of predictability as to what risks distinct cyber policy forms will address makes evaluating policyholder protections challenging and calls for the expertise of experienced coverage counsel in procuring appropriate cyber coverage.

Currently, Media/Cyber policies cover[3]:

- Network security and data privacy
- Loss resulting from network business interruption
- Rebuilding damaged business reputation
- Extortion occurring online

Most Media/Cyber policies typically do not cover:

- Property loss resulting from breach
- Loss of potential (or future) profits or sales revenue
- Upgrading software and security
- Loss of intellectual property resulting from theft
- Social engineering fraud caused by spoofing key actions within a business

 

This exercise works best when coverage counsel coordinates with IT consultants who can identify procedures and provide expertise on cyber risk factors, allowing for favorable answers to the many questions asked regarding cyber risks and cyber policy applications.[4] Towers Watson observed “the growing awareness that the increasingly sophisticated cyber-attack capabilities of hackers could require a more comprehensive protective net than a reliance on even the most capable IT staff.”[5] An IT consultant’s expertise in auditing and vetting adds gravitas to the cyber oversight function.[6]

Media/Cyber Liability Coverage Limits

Cyber/Media policies define “Loss” to include “defense costs, damages and settlements… prejudgment and post-judgement interests, and statutory damages and regulatory fines.”[7] Non-monetary loss and the costs of complying with an injunction are not covered under Cyber/Media policies. Problematic exclusions bar coverage for payment card industry fines or self-regulatory fines and/or contractual liability.[8]

In P.F. Chang’s China Bistro v. Fed. Ins. Co.[9], “Loss” from a credit card hack that resulted in customers’ credit card data being posted online was not covered because “both exclusions as well as the definition of ‘Loss’ … hold that such contractual liability apply to ‘the assumption of another’s liability, such as an agreement to indemnify or hold another harmless.’”[10] Case law for Media/Cyber policies is developing. The court in P.F. Chang “turned to cases analyzing Commercial General Liability policies for guidance, because cybersecurity insurance policies are relatively new to the market, but the fundamental principles are the same.”[11]

Securing Effective “Social Engineering” Coverage

The most common “Loss” businesses confront comes from “social engineering” attacks that deceive businesses into making wire transfers to unknown banks and bank accounts. No standard policy language defines “social engineering fraud,” but it can refer to “financial fraud loss”, “unwitting data breach”, “business instruction fraud”, and “wire fraud”.[12] Typically, the trigger for coverage requires more than an outside party manipulating a business using executive or client impersonation, vendor compromise, conversation hacking, client hacking, employee compromise, or credential phishing.[13]

Court decisions have addressed “social engineering fraud” and the requirement of a “direct loss.” In Medidata Sol. Inc. v. Fed. Ins. Co.[14], the Second Circuit determined that Medidata suffered a direct loss resulting from an email ‘spoofing’ attack in which an email is “disguise[ed]… to make the email appear to come from an address from which it actually did not originate.”[15] The court interpreted a policy provision that “covered losses stemming from an ‘entry of Data into’ or ‘change to Data elements or program logic of’ a computer system.”[16] In this court’s view, the “spoofing attack… clearly amounted to a ‘violation of the integrity of the computer system through deceitful and dishonest access… [and]… the spoofing attack was the proximate cause of Medidata’s losses.’”[17]

In contrast, the Fifth Circuit ruled, in Apache Corp. v. Great Am. Ins. Co.[18], that the Loss Apache suffered from sending invoice payments to a fraudulent bank account was not covered because “the email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money”[19] and thus was not a Loss “resulting directly from the use of a computer” as that term is used under the policy.[20] The court took too narrow a view of the “resulting directly” policy language in regarding as “incidental” the email that initially facilitated the scheme. As illustrated by Medidata[21], “direct cause” is synonymous with “proximate cause.”[22]

Media/Cyber Coverage for Ransomware Attacks

Policyholders may be able to find coverage for ransomware claims under traditional commercial liability coverage.[23] However, “property damage” and “property loss” do not encompass computer systems and data, so policyholders will more often than not find themselves without coverage for ransomware.[24] For example, Sony[25] was denied coverage after experiencing a data breach in which hackers accessed secure company information, because Sony’s Coverage B under its CGL policy did not extend to third-party acts (e.g., hackers).

Conclusion

The lack of standard policy language for Media/Cyber policies makes it imperative that policyholders consult legal counsel when evaluating their liability policies to secure the broadest Media/Cyber policy to add to their insurance portfolio. Enlisting IT consultants in the policy application process can enhance the prospects for securing a policy that provides the value anticipated when it was accepted.


If you enjoy this content, you can find my full list of blogs here: https://docs.google.com/document/d/1N3YsMmn0Ii1GqHWSBEE1pPzh1jQbU6htkJZ2e55Y2eM/edit?usp=sharing

* David A. Gauntlett is a principal of Gauntlett & Associates and represents policyholders in insurance coverage disputes. For more information, visit Gauntlett & Associates at www.gauntlettlaw.com. 

[1] But see, Peter Grant, Return of Office Workers Reaches Pandemic High as Employees Trickle in. Wall Street Journal (Oct. 12, 2021)

[2] Adrian Croft, The Negotiator You Hope You’ll Never Need. Fortune Magazine, pp. 47-49. (June/July 2021)

[3] Dan Burke, Cyber 101: Understand the Basics of Cyber Liability Insurance, Woodruff Sawyer (Nov. 2, 2020)

[4] John Reed Stark, Services: Cyber Insurance. (accessed Oct. 13, 2012) https://www.johnreedstark.com/practice-areas/cyber-insurance/

[5] Towers Watson Risk and Finance Manager Survey, p. 2 (Apr. 2013)

[6] MarshMcLennan, Services: Cyber Risk Consulting. (accessed Oct. 13, 2012) https://www.marsh.com/us/services/risk-consulting/products/cybersecurity-consulting-and-advisory-services.html

[7] Richard DeNatale and Brian McDonald. The Guide to Cyber Investigations – Second Edition: Insurance, Global Investigations Review. (Jun. 8, 2021)

[8] GB&A Insurance, Avoiding the Most Common Cyber Insurance Claim Denials. (accessed Oct. 1, 2021)

[9] P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 31, 2016)

[10] Id. at *22

[11] Id. at *24

[12] Peter Hedberg, Cyber Coverage Explained: Social Engineering & Cyber Crime Coverage, Corvus Insurance (Oct. 20, 2020)

[13] James Carter, Is there a Glitch in Insurance Coverage for Social Engineering Scams?, JDSupra (Aug. 12, 2020)

[14] Medidata Sol. Inc. v. Fed. Ins. Co., 729 F. Appx 117 (2nd Cir. (N.Y.) 2018).

[15] Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 (E.D.N.Y. 2007).

[16] Medidata, 729 F. Appx. at 118

[17] Id. at *119 (“The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt…having concluded that Medidata’s losses were covered under the computer fraud provision.”) See also, Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455, 463 (6th Cir. (Ohio) 2018) (“ATC received the fraudulent email…[and] ATC employees then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator… This was ‘the point of no return,’ because the loss occurred once ATC transferred the money in response to the fraudulent emails. Thus, the computer fraud ‘directly caused’ ATC’s ‘direct loss.’”)

[18] Apache Corp. v. Great Am. Ins. Co., 662 F. Appx 252 (5th Cir. (La.) 2016).

[19] Id. at 258

[20] Id. at 254 (“We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises.”)

[21] See also, Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., 2010 Conn. Super. LEXIS 2386, *22 (Conn. Super. Ct. Sept. 17, 2010) (“[T]he issue of causation generally is a question reserved for the trier of fact . . . the issue becomes one of law when the mind of a fair and reasonable person could reach only one conclusion.”) vacated Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co., 2012 Conn. Super. LEXIS 5053 (Conn. Super. Ct. April 18, 2012).

[22] Frontis v. Milwaukee Ins. Co., 156 Conn. 492, 499 (Conn. 1968). (“The active efficient cause that sets in motion a train of events which brings about a result…is the proximate cause.”)

[23] National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679, 686 (4th Cir. (Md.) Jan. 23, 2020) (A ransomware attack can cause “loss of use, loss of reliability, or impaired functionality demonstrate[ing] the required damage to a computer system, consistent with the "physical loss or damage to" language in the Policy (emphasis added).”)

[24] Marsh McLennan, Cyber Insurance is Supporting the Fight Against Ransomware. (accessed Oct. 1, 2021)

[25] Zurich Am. Ins. Co. v Sony Corp of Am. et al, Case No. 651982/2011 (N.Y. Sup. Ct. February 21, 2014)
