Photo of David Cummings

The U.S. Securities and Exchange Commission (“SEC”) implemented rules governing registrants’ disclosure requirements pertaining to cybersecurity risk management, governance, and incident reporting on July 26, 2023. These rules are likely to give rise to novel issues pertaining to public companies’ insurance portfolios, in particular, directors’ and officers’ liability (“D&O”) and cyber insurance policies. This post provides a short overview of the rules and some of the insurance issues likely to arise going forward.

The SEC’s cyber security disclosure rules and increased exposure

The new rules require registrants to disclose information in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting.

With regard to cybersecurity risk management and governance, public companies are now required to annually report their cybersecurity risk processes and governance of risks in Form 10-K SEC. Under the cybersecurity risk management disclosure rules, registrants have to describe how they assess, identify, and manage material cybersecurity risks and whether they have materially affected or are reasonably likely to materially affect their businesses. Similarly, under the cybersecurity governance disclosure rules, registrants have to describe board oversight of cybersecurity risks and the role management plays in assessing and managing material cybersecurity risks.Continue Reading Insurance coverage implications of SEC’s cybersecurity disclosure rules

The U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization and its progeny have sparked confusion and uncertainty for individuals, medical providers, and employers with respect to the consequences of providing, seeking, or facilitating abortion care. Moreover, for both medical providers and employers, questions arose as to whether and how liability insurance might help alleviate these risks.

Now that a year has passed since the Dobbs decision, it is worth revisiting the liability landscape, as well as the question of how insurance coverage might play a role in providing relief with respect to the ongoing risk of litigation.

Background

The Dobbs decision, which held that access to abortion care is no longer a constitutionally protected right, raised a host of questions as to whether medical providers and employers might face civil or criminal liability for facilitating access to abortions, particularly in states that responded by enacting a panoply of restrictions in response to Dobbs. This uncertainty was heightened by inevitable litigation concerning the viability of the new statutes and has led to widespread confusion in many states. This confusion has been exacerbated by the Centers for Medicare & Medicaid Services (“CMS”), which initiated investigations into hospitals in Missouri and Kansas, asserting that they were in violation of the law by failing to offer necessary, life-saving abortion services.Continue Reading One year after Dobbs: Are medical providers and employers still at risk for lawsuits stemming from abortion access, and should they consider the role of liability coverage?

As cyber risks continue to grow and evolve, the cyber insurance market is increasingly likely to take steps to limit its risk profile, often in the form of new or broadened policy exclusions. Cyber insurers are continuously evaluating, amending, and restructuring their insurance products (including their capacity, and, importantly, their pricing) to reflect what they perceive to be growing risks and threats to the bottom line.

A perceived new risk: Merck v. Ace

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. The decision of a New Jersey Superior Court earlier this year in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18, appears to exemplify this type of situation. There, the court determined that a “hostile or warlike action” exclusion did not preclude coverage for losses caused by a “NotPetya” ransomware attack, despite insurance company arguments that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.”  The court reasoned that “hostile or warlike action” required “actual hostilities” and that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.”

Although Merck involved a first-party property insurance policy, its holding elicited a significant reaction from the cyber insurance market because it involved a coverage dispute related to a cyberattack. With the warning provided by Merck that courts may not be inclined to interpret traditional war exclusions as precluding coverage for state-backed cyberattacks, some insurers appear to be reevaluating their existing war exclusions and amending their policy forms to respond to Merck.Continue Reading A tightening cyber insurance market: War exclusions in the wake of Merck v. Ace

Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the wake of this ongoing pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocol in hopes of staying one step ahead of potential hackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application became front and center in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”Continue Reading Lessons from Merck v. Ace: A cyberattack does not amount to an ‘act of war’

Since July 2017, national, regional and local businesses operating in Illinois have been hit with a virtual storm of class actions under the Illinois Biometrics Privacy Act (“BIPA”), 740 ILCS 14 et seq.  BIPA regulates how businesses may record and store biometric data from customers or employees, and these actions create the potential for significant losses, including the costs of defending class action litigation and potential awards of statutory damages. Defending, settling and paying judgments in claims under BIPA may be covered in whole or in part under cyberliability, media liability, and/or employment practices liability insurance. Businesses operating in Illinois and states with similar laws (such as Texas and Washington) should carefully review their liability insurance programs to determine whether they may respond to a claim under BIPA or a similar statute, and should provide prompt notice of claim in the event of a suit.

The Illinois BIPA requires written consent before any biometric data can be collected and stored; requires companies to develop a publicly available written policy disclosing its schedule and guidelines for its retention of, and eventual permanent destruction of, employees’ biometrics; and mandates how companies must handle biometric data once in possession. If a company fails to abide by the consent, disclosure, or handling requirements, an employee may recover the greater of either (i) actual damages, (ii) $1,000 for a negligent violation, or (iii) $5,000 for an intentional or reckless violation. Awards of plaintiffs’ attorneys’ fees and injunctive relief are also available.
Continue Reading Beware the Fine (Thumb) Print: Insurance Coverage for Class Actions Under the Illinois Biometric Information Privacy Act, and Similar Biometric Privacy Statutes