Cyberliability

Subscribe to Cyberliability

The U.S. Securities and Exchange Commission (“SEC”) implemented rules governing registrants’ disclosure requirements pertaining to cybersecurity risk management, governance, and incident reporting on July 26, 2023. These rules are likely to give rise to novel issues pertaining to public companies’ insurance portfolios, in particular, directors’ and officers’ liability (“D&O”) and cyber insurance policies. This post provides a short overview of the rules and some of the insurance issues likely to arise going forward.

The SEC’s cyber security disclosure rules and increased exposure

The new rules require registrants to disclose information in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting.

With regard to cybersecurity risk management and governance, public companies are now required to annually report their cybersecurity risk processes and governance of risks in Form 10-K SEC. Under the cybersecurity risk management disclosure rules, registrants have to describe how they assess, identify, and manage material cybersecurity risks and whether they have materially affected or are reasonably likely to materially affect their businesses. Similarly, under the cybersecurity governance disclosure rules, registrants have to describe board oversight of cybersecurity risks and the role management plays in assessing and managing material cybersecurity risks.

Continue Reading Insurance coverage implications of SEC’s cybersecurity disclosure rules

Cybercrime, including ransomware, is one of the top challenges facing organizations today. Businesses across the globe are suffering staggering cyber-related losses, losing around $60 billion on cyber crime annually.  

We are excited to launch our thought leadership campaign, “Cyber Insurance claims: Minimize risk, maximize recovery,” which provides a comprehensive look into the key issues relating to cyber insurance and ransomware claims and how clients can minimize their risk and maximize their recovery before and after a cyberattack.

Continue Reading Cyber insurance claims: Minimize risk, maximize recovery

Cyber incidents and attacks, whereby hackers target companies for ransom, to obtain sensitive information, or for other reasons, are a significant and growing threat. In 2021 alone, cyber incidents caused roughly $6 trillion in losses, and the consensus is that the threat of incidents will remain strong. Corporations are increasingly seeking insurance against this risk, but coverage for cyber incidents is still a relatively new and rapidly changing field. In this post, we focus on key considerations for general counsel, chief technology officers and cyber security officers when it comes to cyber insurance and protecting against cyber risk.

Does my company need cyber insurance?

Getting cyber insurance is a unique business decision for each company weighing a variety of factors, but virtually every company faces risks from cyber incidents. Although cyber breaches involving customer or consumer data tend to get the most attention, even companies that collect no sensitive customer or consumer information may fall prey. For one thing, companies may possess private, sensitive information about their employees, including medical or pension information. Moreover, companies may have proprietary information or trade secrets that hackers would want to get their hands on.

In fact, many dangerous and costly cyber incidents actually do not involve the theft of sensitive personal information, because the risk of disclosure of any data of value to a company may be used as extortion leverage. Ransomware can encrypt a company’s data and information systems, and attackers then demand a ransom from the company to restore access. Finally, companies may be targeted as a means of obtaining access to the systems of third parties doing business with the targeted company, which may expose the target to liability to those parties as well as its own incident response and data restoration costs. This explains why the risk is so widespread.

Continue Reading Key questions corporate tech, legal, and security officers need to ask when considering cyber coverage

As cyber risks continue to grow and evolve, the cyber insurance market is increasingly likely to take steps to limit its risk profile, often in the form of new or broadened policy exclusions. Cyber insurers are continuously evaluating, amending, and restructuring their insurance products (including their capacity, and, importantly, their pricing) to reflect what they perceive to be growing risks and threats to the bottom line.

A perceived new risk: Merck v. Ace

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. The decision of a New Jersey Superior Court earlier this year in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18, appears to exemplify this type of situation. There, the court determined that a “hostile or warlike action” exclusion did not preclude coverage for losses caused by a “NotPetya” ransomware attack, despite insurance company arguments that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.”  The court reasoned that “hostile or warlike action” required “actual hostilities” and that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.”

Although Merck involved a first-party property insurance policy, its holding elicited a significant reaction from the cyber insurance market because it involved a coverage dispute related to a cyberattack. With the warning provided by Merck that courts may not be inclined to interpret traditional war exclusions as precluding coverage for state-backed cyberattacks, some insurers appear to be reevaluating their existing war exclusions and amending their policy forms to respond to Merck.

Continue Reading A tightening cyber insurance market: War exclusions in the wake of Merck v. Ace

How cryptocurrencies are viewed by courts can be determinative when seeking coverage for a cryptocurrency-related loss, and whether cryptocurrency is “money,” “securities,” or “property” has been the subject of heavy debate.

In our previous blog post, we explored how your current D&O and/or cyber insurance policies may provide coverage for crypto-related losses. In this article, we discuss whether and how coverage may also exist for certain losses under typical property and/or specie insurance policies.

Is cryptocurrency “property”?

When determining whether your loss of or inability to access your cryptocurrency is covered under your property and/or specie policy, the first question to ask is whether cryptocurrency constitutes covered “property.”

The Internal Revenue Service (“IRS”) has provided some guidance.  In March 2014, the IRS declared that “virtual currency”, such as Bitcoin and other cryptocurrency, will be taxed as “property” and not currency. See IRS Notice 2014-21, Guidance on Virtual Currency (March 25, 2014); see also IRS Has Begun Sending Letters to Virtual Currency, Internal Revenue Serv. (July 26, 2019), (“IRS Notice 2014-21 … states that virtual currency is property for federal tax purposes and provides guidance on how general federal tax principles apply to virtual currency transactions.”). 

Continue Reading Can property or specie insurance provide coverage for crypto losses?

In early February of this year, we wrote about a New Jersey court’s recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.) regarding the applicability of a “war exclusion” for acts of cyberwarfare.  Shortly thereafter, the Russian invasion of Ukraine once again brought to the forefront images of war—both in the traditional sense—as well as in the context of cyberwarfare.  While the war in Ukraine has thus far comprised of mainly mostly low-impact cyberattacks by Russian-linked hackers, the perceived increased risk of cyber-attacks in the Russia/Ukraine conflict certainly has the insurance market evaluating its appetite for coverage in this area and looking for ways to clarify coverage in the event of a cyber-attack. 

One way the market has sought to clarify coverage is through the use of the “war exclusion” that is typically found in property and casualty policies, cyberliability policies and other forms of coverage.  This exclusion was originally designed to exclude damage arising from these “traditional” warlike acts between sovereign and/or quasi-sovereign entities.  See Pan American World Airways, Inc. v. Aetna Casualty & Surety Company, 505 F.2d 989 (2nd Cir. 1974) (“[W]ar is waged by states or state-like entities and includes only hostilities carried on by entities that constitute governments, at least de facto in character”). 

But, traditional notions of warfare are evolving.  “Attacks” are now often committed behind the shield of computer screens and in a technological territory.  Unsurprisingly, this evolving landscape of war is translating to evolving views on insurance coverage and evolving arguments around the interpretation of the “war exclusion.”

Continue Reading War exclusion: changing battlefields and coverage implications

One of the top issues facing business today is the risk of business interruption resulting from a cyber-related attack. Regardless of the form of attack – ransomware, denial of service, data theft, or other form of malware – any resulting failure of an organization’s network systems can have severe consequences, financial and otherwise. These may include loss of productivity, lack of or impaired access to websites, and, importantly, loss of sales or income.

Given the potential for significant losses, a strategy for calculating and minimizing losses, and maximizing insurance recoveries for damage from a business interruption should be part of every organization’s cyber incident response plan.  Because every business is unique, there is no “one size fits all” plan that will neatly apply to all businesses or to all business interruption claims. Nevertheless, certain best practices exist and can be applied and adapted to individual businesses to facilitate an efficient and effective response to a cyber-related business interruption.

1. Know your insurance coverage

The first step to maximizing recovery for business interruption is understanding the coverage provided under the applicable insurance policies. Many stand-alone cyber liability insurance policies provide coverage for lost net profits and mitigation costs, and may also cover continuing expenses, such as employee salaries, resulting from a cyber incident. However, there are also certain limitations to such coverage common in most cyber policy forms, even though they are far from standardized. For example, most business interruption coverage includes a waiting period of a certain number of hours before coverage begins. The length of that waiting period can be critical as losses attributable to the business interruption may continue to grow until the network system and level of service has been fully restored.  Insurers also may limit the “period of interruption,” the period of time for which the policy will pay for losses. Depending on the policy language, coverage may end before operations are fully restored.

It is important to understand these limitations when purchasing cyber insurance and to obtain the insurance that best fits the needs of your business. For this reason, we recommend involving insurance coverage counsel to assist in the insurance placement and renewal process.

Continue Reading Responding to a cyber-related business interruption: best practices

If an insurance company owes a duty to defend, the dispute should be decided promptly, on the pleadings. Any delay undermines the duty to defend. The scope of the duty to defend should be adjudicated on the pleadings as quickly as possible to give policyholders the true value of their policies and the benefit of their contracts.

The value and purpose of the duty to defend

The duty to defend is one of the most valuable components of an insurance policy. Like it or not, American society is litigious. Companies cannot prevent lawsuits through good conduct, laudable intentions, or strong compliance programs.  Refuting liability and damages is expensive even if the core facts are undisputed or the case is frivolous.

For a single company or individual, the frequency and size of litigation generally is unpredictable, making budgeting for defense costs a difficult task.  In any single year, the risk of litigation is low, but when a claim does come in, defense costs can be significant.  This litigation landscape is a problem for legal departments trying to budget or reserve for litigation costs.

The duty to defend addresses this problem using the principles of risk transfer and risk pooling.

  • Risk transfer: the risk and costs of defending litigation is transferred to the insurance company in exchange for a premium payment.
  • Risk pooling: the insurance company takes the collective risks of litigation against all policyholders in a pool large enough that aggregate defense costs can be statistically analyzed and predicted on an annual basis.

This way no one has to assess the risk that any individual company is sued or anticipate those defense costs. Policyholders can include insurance premium costs in their legal budgets, and shift covered defense costs onto the insurer. The insurance company underwriters can evaluate the aggregate defense spend at a gross systemic level and charge premiums to cover those costs (with a healthy profit margin).

Continue Reading The duty to defend requires an early judgment

Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the wake of this ongoing pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocol in hopes of staying one step ahead of potential hackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application became front and center in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”

Continue Reading Lessons from Merck v. Ace: A cyberattack does not amount to an ‘act of war’

At Reed Smith, we pride ourselves on forming true partnerships with our clients to find creative and unexpected solutions to the most challenging insurance coverage issues. As part of this commitment, we have authored a column for Thomson Reuters to provide advice, strategies, and information on the full range of insurance coverage issues affecting commercial