Cyberliability

Subscribe to Cyberliability

Cybercrime, including ransomware, is one of the top challenges facing organizations today. Businesses across the globe are suffering staggering cyber-related losses, losing around $60 billion on cyber crime annually.  

We are excited to launch our thought leadership campaign, “Cyber Insurance claims: Minimize risk, maximize recovery,” which provides a comprehensive look into the key issues relating to cyber insurance and ransomware claims and how clients can minimize their risk and maximize their recovery before and after a cyberattack.

Continue Reading Cyber insurance claims: Minimize risk, maximize recovery

Cyber incidents and attacks, whereby hackers target companies for ransom, to obtain sensitive information, or for other reasons, are a significant and growing threat. In 2021 alone, cyber incidents caused roughly $6 trillion in losses, and the consensus is that the threat of incidents will remain strong. Corporations are increasingly seeking insurance against this risk, but coverage for cyber incidents is still a relatively new and rapidly changing field. In this post, we focus on key considerations for general counsel, chief technology officers and cyber security officers when it comes to cyber insurance and protecting against cyber risk.

Does my company need cyber insurance?

Getting cyber insurance is a unique business decision for each company weighing a variety of factors, but virtually every company faces risks from cyber incidents. Although cyber breaches involving customer or consumer data tend to get the most attention, even companies that collect no sensitive customer or consumer information may fall prey. For one thing, companies may possess private, sensitive information about their employees, including medical or pension information. Moreover, companies may have proprietary information or trade secrets that hackers would want to get their hands on.

In fact, many dangerous and costly cyber incidents actually do not involve the theft of sensitive personal information, because the risk of disclosure of any data of value to a company may be used as extortion leverage. Ransomware can encrypt a company’s data and information systems, and attackers then demand a ransom from the company to restore access. Finally, companies may be targeted as a means of obtaining access to the systems of third parties doing business with the targeted company, which may expose the target to liability to those parties as well as its own incident response and data restoration costs. This explains why the risk is so widespread.

Continue Reading Key questions corporate tech, legal, and security officers need to ask when considering cyber coverage

As cyber risks continue to grow and evolve, the cyber insurance market is increasingly likely to take steps to limit its risk profile, often in the form of new or broadened policy exclusions. Cyber insurers are continuously evaluating, amending, and restructuring their insurance products (including their capacity, and, importantly, their pricing) to reflect what they perceive to be growing risks and threats to the bottom line.

A perceived new risk: Merck v. Ace

In some cases, insurers perceive an evolving risk through a development in court decisions interpreting policy terms. The decision of a New Jersey Superior Court earlier this year in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18, appears to exemplify this type of situation. There, the court determined that a “hostile or warlike action” exclusion did not preclude coverage for losses caused by a “NotPetya” ransomware attack, despite insurance company arguments that the malware used in the NotPetya attack was an instrument of the Russian government “as part of its ongoing hostilities with Ukraine.”  The court reasoned that “hostile or warlike action” required “actual hostilities” and that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.”

Although Merck involved a first-party property insurance policy, its holding elicited a significant reaction from the cyber insurance market because it involved a coverage dispute related to a cyberattack. With the warning provided by Merck that courts may not be inclined to interpret traditional war exclusions as precluding coverage for state-backed cyberattacks, some insurers appear to be reevaluating their existing war exclusions and amending their policy forms to respond to Merck.

Continue Reading A tightening cyber insurance market: War exclusions in the wake of Merck v. Ace

How cryptocurrencies are viewed by courts can be determinative when seeking coverage for a cryptocurrency-related loss, and whether cryptocurrency is “money,” “securities,” or “property” has been the subject of heavy debate.

In our previous blog post, we explored how your current D&O and/or cyber insurance policies may provide coverage for crypto-related losses. In this article, we discuss whether and how coverage may also exist for certain losses under typical property and/or specie insurance policies.

Is cryptocurrency “property”?

When determining whether your loss of or inability to access your cryptocurrency is covered under your property and/or specie policy, the first question to ask is whether cryptocurrency constitutes covered “property.”

The Internal Revenue Service (“IRS”) has provided some guidance.  In March 2014, the IRS declared that “virtual currency”, such as Bitcoin and other cryptocurrency, will be taxed as “property” and not currency. See IRS Notice 2014-21, Guidance on Virtual Currency (March 25, 2014); see also IRS Has Begun Sending Letters to Virtual Currency, Internal Revenue Serv. (July 26, 2019), (“IRS Notice 2014-21 … states that virtual currency is property for federal tax purposes and provides guidance on how general federal tax principles apply to virtual currency transactions.”). 

Continue Reading Can property or specie insurance provide coverage for crypto losses?

In early February of this year, we wrote about a New Jersey court’s recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.) regarding the applicability of a “war exclusion” for acts of cyberwarfare.  Shortly thereafter, the Russian invasion of Ukraine once again brought to the forefront images of war—both in the traditional sense—as well as in the context of cyberwarfare.  While the war in Ukraine has thus far comprised of mainly mostly low-impact cyberattacks by Russian-linked hackers, the perceived increased risk of cyber-attacks in the Russia/Ukraine conflict certainly has the insurance market evaluating its appetite for coverage in this area and looking for ways to clarify coverage in the event of a cyber-attack. 

One way the market has sought to clarify coverage is through the use of the “war exclusion” that is typically found in property and casualty policies, cyberliability policies and other forms of coverage.  This exclusion was originally designed to exclude damage arising from these “traditional” warlike acts between sovereign and/or quasi-sovereign entities.  See Pan American World Airways, Inc. v. Aetna Casualty & Surety Company, 505 F.2d 989 (2nd Cir. 1974) (“[W]ar is waged by states or state-like entities and includes only hostilities carried on by entities that constitute governments, at least de facto in character”). 

But, traditional notions of warfare are evolving.  “Attacks” are now often committed behind the shield of computer screens and in a technological territory.  Unsurprisingly, this evolving landscape of war is translating to evolving views on insurance coverage and evolving arguments around the interpretation of the “war exclusion.”

Continue Reading War exclusion: changing battlefields and coverage implications

One of the top issues facing business today is the risk of business interruption resulting from a cyber-related attack. Regardless of the form of attack – ransomware, denial of service, data theft, or other form of malware – any resulting failure of an organization’s network systems can have severe consequences, financial and otherwise. These may include loss of productivity, lack of or impaired access to websites, and, importantly, loss of sales or income.

Given the potential for significant losses, a strategy for calculating and minimizing losses, and maximizing insurance recoveries for damage from a business interruption should be part of every organization’s cyber incident response plan.  Because every business is unique, there is no “one size fits all” plan that will neatly apply to all businesses or to all business interruption claims. Nevertheless, certain best practices exist and can be applied and adapted to individual businesses to facilitate an efficient and effective response to a cyber-related business interruption.

1. Know your insurance coverage

The first step to maximizing recovery for business interruption is understanding the coverage provided under the applicable insurance policies. Many stand-alone cyber liability insurance policies provide coverage for lost net profits and mitigation costs, and may also cover continuing expenses, such as employee salaries, resulting from a cyber incident. However, there are also certain limitations to such coverage common in most cyber policy forms, even though they are far from standardized. For example, most business interruption coverage includes a waiting period of a certain number of hours before coverage begins. The length of that waiting period can be critical as losses attributable to the business interruption may continue to grow until the network system and level of service has been fully restored.  Insurers also may limit the “period of interruption,” the period of time for which the policy will pay for losses. Depending on the policy language, coverage may end before operations are fully restored.

It is important to understand these limitations when purchasing cyber insurance and to obtain the insurance that best fits the needs of your business. For this reason, we recommend involving insurance coverage counsel to assist in the insurance placement and renewal process.

Continue Reading Responding to a cyber-related business interruption: best practices

Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the wake of this ongoing pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocol in hopes of staying one step ahead of potential hackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application became front and center in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”

Continue Reading Lessons from Merck v. Ace: A cyberattack does not amount to an ‘act of war’

At Reed Smith, we pride ourselves on forming true partnerships with our clients to find creative and unexpected solutions to the most challenging insurance coverage issues. As part of this commitment, we have authored a column for Thomson Reuters to provide advice, strategies, and information on the full range of insurance coverage issues affecting commercial

Experian Data Breach Resolution (Experian) has identified its “top data breach trends of 2020,” and the cannabis industry should take note. In its “Data Breach Industry Forecast 2020,” Experian predicts that “we will see many burgeoning industries, such as cannabis retailers, cryptocurrency entities, and even some environmental organizations targeted for cyberattacks as a result of online activism or ‘hacktivism.’”

In recognition of this risk, cannabis retailers as well as other cannabis-related businesses should – in addition to taking other prudent risk-mitigation steps – ensure that they have procured insurance to protect against potential cyber-related losses and claims. While the cyber-insurance market available to cannabis-related businesses is still rather limited, such businesses generally still can – and should – obtain at least some cyber coverage today.
Continue Reading Are you covered? Cannabis industry must prepare for cyberattacks in 2020

Purchasing insurance for a cannabusiness can feel like a daunting task, but it does not have to be one.

In addition to grappling with many of the same issues and questions that any business confronts when seeking insurance, a cannabusiness encounters certain additional, unique challenges due to the industry in which it operates. That is no reason to panic, however. And, it is certainly no reason to avoid purchasing insurance.

There are a number of steps that a cannabusiness – or, really, any business – can take to maximize the likelihood that the insurance-procurement process will be smooth and successful. In particular, when purchasing insurance, a cannabusiness should consider the following 10 steps:

Continue Reading Ten important steps a cannabusiness should consider when purchasing insurance