Photo of Andy Moss

Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the wake of this ongoing pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocol in hopes of staying one step ahead of potential hackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application became front and center in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”

Directors’ and officers’ liability (D&O) insurance protects the personal assets of corporate directors and officers in the event of a lawsuit or other “claim” made against them for, among other things, an alleged breach of their duties in managing the organization.  D&O insurance directly covers individual directors and officers for their defense costs, judgments against them, and settlements when they cannot be indemnified by the company, and also covers the company to the extent it pays defense costs, judgments, and settlements as indemnification.  It may also cover the legal fees and other costs incurred by the company as a result of a securities claim made against the company as an entity.

The first installment of this blog series on D&O insurance addressed several “nuts and bolts” features of D&O insurance, including the key insuring agreements and definitions. This post discusses key exclusions, as well as common policyholder pitfalls, and new issues that are emerging in 2020.

Key D&O exclusions

All D&O insurance policies contain exclusions.  D&O insurance policies are not standardized, however, so the number and wording of the exclusions may vary from policy to policy and insurer to insurer.  Most traditional D&O insurance policies can be expected to contain the following exclusions:

This is the first of two posts discussing several major aspects of directors’ and officers’ liability (“D&O”) insurance coverage.  Companies approaching a policy renewal deadline, looking to place D&O insurance for the first time, considering increasing the size or structure of an existing D&O insurance program, or otherwise evaluating their overall risk management strategy may find it useful to review some basic features of D&O insurance and potential enhancements.

Why is D&O insurance important?

D&O insurance is an important risk management tool for any company.  It functions as a financial backstop for directors and officers by shielding these individuals from personal liability if the company is unable to indemnify them (usually due to a legal prohibition on indemnification or insolvency).  D&O insurance also adds value to and financial protection for the company by providing coverage for certain claims asserted against the company—most typically, securities claims—and its management.

Coverage basics

D&O policies typically provide coverage in several parts:

  • “Side A” or Insured Person Coverage directly covers Insured Persons—including directors, officers and other individuals defined under the policy—for non-indemnifiable claims made against them.
  • “Side B” or Corporate Reimbursement Coverage reimburses the company for amounts paid by the company as indemnification on behalf of Insured Persons for claims made against the Insured Persons.
  • “Side C” or Entity Securities Coverage applies in the case of securities claims made against the company as an entity.  Some D&O policies issued to private or non-profit companies may provide broader coverage for other types of claims made against the company.
  • Additionally, some policies may include “Inquiry” or “Interview” Coverage or other investigative costs coverage for certain non-routine document requests, interviews, and other pre-claim matters involving Insured Persons.


U.S. and international businesses are accelerating their use of artificial intelligence (AI)[1] at an unprecedented rate. The second AI Index Report published in December 2018 by a Stanford University-led group concluded that “AI activity is increasing nearly everywhere and technological performance is improving across the board.” The AI Index Report further found that “the number of AI startups has seen exponential growth” and that “[f]rom 2013 to 2017, AI VC [venture capital] funding increased 350%.” Growth in this area will continue and will infiltrate every imaginable industry: from assisting doctors in detecting lung cancer to the use of self-driving trucks to deliver mail, AI is the New Frontier.

As businesses race to implement AI solutions and processes that may improve efficiency and lower costs, AI will also create new and ever-evolving risks. And when a company’s AI fails to perform as expected, or AI is breached or manipulated in a cyberattack, new and thorny questions about how to apportion liability for resulting losses emerge. The question only becomes thornier when it is a company’s supplier, contractor, or service provider that experiences a breach or failure.

It will be difficult to apply traditional tort liability schemes to AI-related loss scenarios, but there is no doubt that AI will change the way we look at the insurability of losses. Nonetheless, for businesses that use, or are considering using, AI, either directly or indirectly, there are concrete steps those companies can take to enhance their insurance and risk management programs to mitigate against the threat of AI-related loss. Although coverage needs vary from company to company and should be assessed on an individual basis, a non-exhaustive list of threshold issues to consider is as follows:

Since July 2017, national, regional and local businesses operating in Illinois have been hit with a virtual storm of class actions under the Illinois Biometrics Privacy Act (“BIPA”), 740 ILCS 14 et seq.  BIPA regulates how businesses may record and store biometric data from customers or employees, and these actions create the potential for significant losses, including the costs of defending class action litigation and potential awards of statutory damages. Defending, settling and paying judgments in claims under BIPA may be covered in whole or in part under cyberliability, media liability, and/or employment practices liability insurance. Businesses operating in Illinois and states with similar laws (such as Texas and Washington) should carefully review their liability insurance programs to determine whether they may respond to a claim under BIPA or a similar statute, and should provide prompt notice of claim in the event of a suit.

The Illinois BIPA requires written consent before any biometric data can be collected and stored; requires companies to develop a publicly available written policy disclosing its schedule and guidelines for its retention of, and eventual permanent destruction of, employees’ biometrics; and mandates how companies must handle biometric data once in possession. If a company fails to abide by the consent, disclosure, or handling requirements, an employee may recover the greater of either (i) actual damages, (ii) $1,000 for a negligent violation, or (iii) $5,000 for an intentional or reckless violation. Awards of plaintiffs’ attorneys’ fees and injunctive relief are also available.

When is a person an “employee” under one insurance policy but not an employee under another?   Conflicting or inconsistent definitions across multiple policy lines issued to the same company can give rise to significant gaps in insurance coverage, as a recent opinion of the U.S. Court of Appeals for the Seventh Circuit instructs, Telamon Corp. v. Charter Oak Fire Insurance Co., Nos. 16-1205 & 16-1815 (7th Cir. March 9, 2017).

Telamon hired Juanita Berry in 2005 under a series of consulting agreements with her personal communications company, J. Starr Communications. Over the next six years, Berry’s job responsibilities expanded beyond the terms of the consulting agreements, with Telamon eventually naming her Vice President of Major Accounts, the senior-most manager in one of the company’s divisions on the East Coast.  Part of Berry’s job was to oversee an asset recovery program under which Telamon removed old AT&T equipment and sold it to salvagers.  But without the company’s knowledge, Berry personally removed the old equipment and sold it, keeping the money for herself.  By the time Telamon discovered the scheme, Berry had embezzled $5.2 million.  Telamon fired Berry, and the government indicted her on wire fraud and tax evasion charges.  She was convicted and sentenced to five years in prison.

The October 21, 2016 DDoS attack on the internet’s domain name system infrastructure underscores the need to consider cyberliability insurance coverage as a critical component of your company’s security and privacy breach response plan, and if your company carries cyberliability insurance, to ensure that your coverage will respond to a network business interruption, security breach

The New York Court of Appeals, the state’s highest court, recently rejected an attempt to apply the “common interest doctrine,” an exception to the general rule that communicating privileged information to a third party waives the attorney-client privilege, to situations where separately represented parties communicate attorney-client privileged information in connection with transactions or other circumstances other than in anticipation of litigation. Ambac Assur. Corp. v. Countrywide Home Loans, Inc., No. 80, 2016 WL 3188989 (N.Y. June 9, 2016). As this case shows, companies should be mindful of what information they share outside the litigation context, because the common interest doctrine may not be available to protect that information.

National Public Radio and other news outlets are reporting that a Los Angeles-area hospital recently paid a $17,000 ransom (in the form of 40 bitcoins) to hackers to unencrypt its computer networks, which had been held hostage after “ransomware” was introduced into the hospital’s network. Ransomware is a form of malicious software, or “malware,” that encrypts information or aspects of an organization’s computer network, preventing authorized users from accessing it. Persons maliciously cause the ransomware to be placed on the network, then demand money in exchange for an encryption key to unlock the network. It is not difficult to see the tremendous economic losses and liability risks of a ransomware attack, in particular to a medical facility treating vulnerable patients.