
In what is described as the largest cyber loss event in years, on Friday, July 19, 2024, customers of CrowdStrike and many others throughout the world discovered that they could not access critical software and enterprise systems to run their businesses.

The mass outage was due to a defective CrowdStrike software update. The outage notably

Early this year, on January 25, 2023, the Delaware Court of Chancery extended the duty of oversight required of a corporation’s directors to its corporate officers, in In re McDonald’s Corp. Stockholder Derivative Litigation, No. 2021-0324-JT, 2023 Del. Ch. LEXIS 23 (Jan. 25, 2023). Before McDonald’s, the Delaware standard had been governed by the 1996 decision in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). Caremark held that corporate directors breach their duty of oversight if they:

  1. Fail to ensure effective information and reporting systems exist; or
  2. Ignore the red flags indicating wrongdoing, when the director (i) knows of the red flags, (ii) consciously fails to take action, and (iii) the failure to take action was sufficiently sustained, systematic, or striking as to constitute bad faith.

The reasoning in Caremark was adopted by the Delaware Supreme Court, again only recognizing the oversight duties for directors. See Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).

The U.S. Securities and Exchange Commission (“SEC”) adopted rules governing registrants’ disclosure requirements pertaining to cybersecurity risk management, governance, and incident reporting on July 26, 2023. These rules are likely to give rise to novel issues pertaining to public companies’ insurance portfolios, in particular their directors’ and officers’ liability (“D&O”) and cyber insurance policies. This post provides a short overview of the rules and some of the insurance issues likely to arise going forward.

The SEC’s cyber security disclosure rules and increased exposure

The new rules require registrants to disclose information in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting.

With regard to cybersecurity risk management and governance, public companies are now required to report annually, in their Form 10-K, on their cybersecurity risk processes and their governance of those risks. Under the cybersecurity risk management disclosure rules, registrants have to describe how they assess, identify, and manage material cybersecurity risks, and whether any such risks have materially affected or are reasonably likely to materially affect their businesses. Similarly, under the cybersecurity governance disclosure rules, registrants have to describe board oversight of cybersecurity risks and the role management plays in assessing and managing material cybersecurity risks.

Cybercrime, including ransomware, is one of the top challenges facing organizations today. Businesses across the globe are suffering staggering cyber-related losses, losing around $60 billion to cybercrime annually.

We are excited to launch our thought leadership campaign, “Cyber Insurance claims: Minimize risk, maximize recovery,” which provides a comprehensive look into the key issues relating to cyber insurance and ransomware claims and how clients can minimize their risk and maximize their recovery before and after a cyberattack.

M&A activity is making a comeback in 2023, according to Bloomberg Law (“M&A Roars Back in $40 Billion Surge Led by Miners, Storage” A. Kirchfeld and D. Nair, Feb. 6, 2023). The rise in transactions—and the likelihood of claims involving them—will no doubt lead to continued D&O insurance coverage disputes over the “bump up” exclusion.

Policyholders can navigate this speed bump, notwithstanding carriers waving the recent Seventh Circuit decision in Komatsu Mining Corp. v. Columbia Casualty Co., No. 21-2695 (7th Cir. Jan. 23, 2023), and the Final Statement of Decision After Phase One Court Trial entered in Onyx Pharmaceuticals, Inc. v. Old Republic Insurance Co., Case No. CIV 538248 (Cal. Super. Ct. San Mateo Cty. Dec. 30, 2022).

Rules for the Road to keep in mind:

1. Choice of law matters

Several courts have addressed the bump-up exclusion recently and arrived at different results. Indeed, despite analyzing the same bump-up exclusion, the San Mateo County Superior Court in California (applying California law) ruled in favor of insurers in Onyx, whereas the Delaware Superior Court ruled in favor of the policyholders in Northrop Grumman Innovation Systems, Inc. v. Zurich American Insurance Co., 2021 Del. Super. LEXIS 92 (February 2, 2021) (the Delaware Supreme Court denied interlocutory appeal), as did the U.S. District Court for the Eastern District of Virginia (applying Virginia law) in Towers Watson & Co. v. National Union Fire Insurance Co., 2021 U.S. Dist. LEXIS 192480 (E.D. Va. Oct. 5, 2021) (currently on appeal in the Fourth Circuit). The Seventh Circuit applied Wisconsin law in Komatsu, ruling in favor of insurers based on a different version of the exclusion. In short, Delaware and Virginia law remain favorable to policyholders, whereas policyholders have not fared as well thus far under California and Wisconsin law.

Directors’ and Officers’ liability (“D&O”) insurance offers key protections to a company’s board members and management by serving as a financial backstop for their indemnification rights as well as their personal assets in the event directors or officers are the subject of claims or investigations based on their service to the company. D&O insurance also adds value and financial protection directly to the company that purchases it, including by reimbursing the company when it indemnifies a director or officer, and by insuring the company directly against its own liability for securities claims or (in the case of private companies) certain other claims.

Given the importance of D&O insurance to a company’s corporate governance and risk management, it is critical that companies carefully approach the procurement and renewal process for their D&O insurance. Unlike many other types of insurance policies, D&O policies are neither standardized nor regulated, and the procurement and renewal process can be more complex to navigate. Although the individual facts and circumstances of each particular company will dictate the coverages that are needed, there are a number of key issues and policy provisions that should be at the forefront for every company engaged in the procurement or renewal process. We address a few of these considerations here.

Key definitional terms

Certain key definitions found in D&O policies impact whether and when coverage will be owed, including who is an insured and the types of matters that constitute a “Claim” for which coverage may be owed.

With respect to the term “Insured Person” (or similar terms), definitions vary widely as to who qualifies for coverage. Despite being called “directors and officers” insurance, D&O policies often insure individuals who are neither directors nor officers of the company. To determine what policy language is necessary for a particular company, it is imperative to closely evaluate the proposed language and ensure that the definition captures the company’s decision-makers, whether that includes just directors and officers or also other employees or consultants beyond those individuals.

As cyber risks continue to grow and evolve, the cyber insurance market is increasingly likely to take steps to limit its risk profile, often in the form of new or broadened policy exclusions. Cyber insurers are continuously evaluating, amending, and restructuring their insurance products (including their capacity, and, importantly, their pricing) to reflect what they perceive to be growing risks and threats to the bottom line.

A perceived new risk: Merck v. Ace

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. The decision of a New Jersey Superior Court earlier this year in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18, appears to exemplify this type of situation. There, the court determined that a “hostile or warlike action” exclusion did not preclude coverage for losses caused by the “NotPetya” malware attack, despite insurance company arguments that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.” The court reasoned that “hostile or warlike action” required “actual hostilities” and that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.”

Although Merck involved a first-party property insurance policy, its holding elicited a significant reaction from the cyber insurance market because it involved a coverage dispute related to a cyberattack. With the warning provided by Merck that courts may not be inclined to interpret traditional war exclusions as precluding coverage for state-backed cyberattacks, some insurers appear to be reevaluating their existing war exclusions and amending their policy forms to respond to Merck.

As evidenced by its $1.29 trillion market cap (CoinMarketCap, May 17, 2022), interest in cryptocurrency has skyrocketed in recent years (Haar, 2022). Indeed, as of April 2, 2022, the cryptocurrency market was larger than Italy’s GDP, the eighth largest in the world (Adams and Walker, 2022).

Of course, with more interest and value comes more risk, such as theft of digital assets, cybersecurity concerns, and regulatory impacts. With respect to the evolving crypto markets, this increase in risk is widespread and readily apparent. Indeed, President Biden signed an executive order on March 9, 2022 requiring the government to assess the risks and benefits of creating a central bank digital dollar, as well as other cryptocurrency issues (Johnson and Shalal, 2022; White House, 2022).

Who is at risk?

If you or your company trade cryptocurrencies on your own behalf or on behalf of clients, make or receive payments in cryptocurrency, store the keys and digital wallets that secure cryptocurrencies and other digital assets like NFTs, develop blockchain technologies, or advise whether cryptocurrencies are a sound investment, then you or your company may be exposed to crypto-related losses.

As an example, companies and their directors and officers could face shareholder or derivative actions alleging gross negligence or breach of fiduciary duties based on allegedly unsound advice relating to the investment in, use of, or management of cryptocurrencies or other digital assets. Public companies may also be subject to regulatory investigations involving cryptocurrencies.

Cryptocurrency is also a popular target for hackers, including ransomware operators. Since the first bitcoin block was mined in 2009, more than $1.3 billion has been stolen from cryptocurrency exchanges (Kenneth, 2021).

Will insurance cover crypto-related losses?

Given that cryptocurrency is in its infancy, most insurance policy forms do not expressly address crypto-related losses or risks. That said, specific coverage for such losses may be available, particularly under D&O (directors’ and officers’ liability or management liability) coverage or cyber (network security/privacy liability) coverage. Depending on the text of the policy and the nature of the loss at issue, coverage may lie under existing E&O, crime, and property policies as well.

D&O insurance

D&O insurance protects the personal assets of and provides armor for a company’s board and management. More specifically, it insures (1) claims made against the directors and officers when the company cannot indemnify them (“Side A” coverage); (2) the company itself when the company is required to indemnify its insured directors and officers for claims made against them (“Side B” coverage); and (3) the company against its own liability in a securities claim or (in the case of private companies) any non-excluded claim made against the company as an insured entity (“Side C” coverage).

The policy’s definitions of “Claim” and “Loss” are a good place to start to determine whether D&O coverage may be triggered for crypto-related losses. The term “Claim” should be broad enough to include civil lawsuits, criminal proceedings, administrative proceedings, and investigations against directors and officers, and sometimes includes demands to enter into a tolling agreement or requests for interviews or to produce documents made to directors and officers. The term “Loss” should include defense costs, damages, settlements, judgments, and pre- and post-judgment interest, and also should include certain fines and penalties, punitive, exemplary, and multiplied damages (when insurable under applicable law), and awards of plaintiff’s attorney’s fees, among other items.

One of the top issues facing business today is the risk of business interruption resulting from a cyber-related attack. Regardless of the form of attack (ransomware, denial of service, data theft, or other malware), any resulting failure of an organization’s network systems can have severe consequences, financial and otherwise. These may include loss of productivity, lack of or impaired access to websites, and, importantly, loss of sales or income.

Given the potential for significant losses, a strategy for calculating and minimizing losses, and maximizing insurance recoveries, for damage from a business interruption should be part of every organization’s cyber incident response plan. Because every business is unique, there is no “one size fits all” plan that will neatly apply to all businesses or to all business interruption claims. Nevertheless, certain best practices exist and can be applied and adapted to individual businesses to facilitate an efficient and effective response to a cyber-related business interruption.

1. Know your insurance coverage

The first step to maximizing recovery for business interruption is understanding the coverage provided under the applicable insurance policies. Many stand-alone cyber liability insurance policies provide coverage for lost net profits and mitigation costs, and may also cover continuing expenses, such as employee salaries, resulting from a cyber incident. However, certain limitations on such coverage are common in most cyber policy forms, even though those forms are far from standardized. For example, most business interruption coverage includes a waiting period of a certain number of hours before coverage begins. The length of that waiting period can be critical, as losses attributable to the business interruption may continue to grow until the network system and level of service have been fully restored. Insurers also may limit the “period of interruption,” the period of time for which the policy will pay for losses. Depending on the policy language, coverage may end before operations are fully restored.

It is important to understand these limitations when purchasing cyber insurance and to obtain the insurance that best fits the needs of your business. For this reason, we recommend involving insurance coverage counsel to assist in the insurance placement and renewal process.

Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the face of this pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocols in hopes of staying one step ahead of potential attackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application became front and center in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”