By John Palmeri, Danielle Gardiner and Carlos Rivera
Original Publish Date: July/August 2021, Claims Magazine
Experiencing a deluge of cyber breach incidents and claims, the insurance industry has responded in earnest by upping its cyber liability product offerings. But with the market still in its relative infancy, is there clarity around coverages and expectations? Cyber risk is real. But the risks faced by each organization can be quite nuanced. Carriers are racing to keep up with evolving risks while at the same time attempting to create insurance products that are both helpful and profitable. Along the way, there are bound to be misunderstandings and inevitably, issues. This article explores the interplay of errors & omissions (E&O) and cyber liability insurance. There is a natural inroad here to discuss bad faith (and good faith) on the part of insurers.
Ransomware is a very hot issue right now, so let's start with a business income loss claim from a hospital that suffered a ransomware attack. The attacker's initial access came from an employee of one of the hospital's software providers who accidentally exposed their credentials. The bad actor who picked up those credentials seized the opportunity to deploy ransomware, incapacitating the hospital for a period of time. The hospital files a business interruption (BI) claim with its insurer, but E&O coverage also comes into play for the software provider, whose employee made an error in exposing the credentials. It wasn't intentional or malicious; it was an innocent mistake. How are damages calculated, and who holds the liability?

Now consider a classic wire transfer fraud. The insured goes to their carrier to make a claim on their cyber insurance policy, only to find out that such claims don't fall under the core cyber coverage at all: they are treated as social engineering (funds transfer) fraud, which is commonly written as a separate, sub-limited endorsement. Was it an error or omission on the insurance broker's part not to have included or suggested this coverage? Insurers should be warned that many people don't understand their cyber policies, and this can result in accusations of bad faith on the part of the insurer. There are important differences between first-party and third-party cyber liability policies, and policies often include sub-limits for certain coverages.
Although most states require insureds to read their insurance policies, the coverages can be confusing, which may give rise to arguments regarding the reasonable expectations of insureds. If courts apply the so-called "reasonable expectations doctrine" or find ambiguities in the policy language, they will likely find coverage under the policies. Policyholders' lawyers will then add bad faith claims, arguing that the claim denials were unreasonable or reckless. These examples illustrate some of the interplay between cyber liability and E&O, and the challenges insurers face in delivering insurance solutions in a rapidly evolving cyber world.
Let’s take a step back.
Cyber liability protects the user of technology services and devices. There are two types of coverage. First-party cyber liability insurance covers data breaches of an organization's own systems. The causes of these breaches may include malware and viruses, phishing scams, application vulnerabilities, weak passwords and other employee errors, and insider attacks. First-party coverage helps pay for notifying affected customers, data recovery, damage control such as a PR campaign, credit and fraud monitoring services for affected customers, data breach source (forensic) investigations, and ransom demands. Third-party cyber liability insurance, on the other hand, covers data breaches on clients' systems that a company worked on or is responsible for; it helps cover attorney's fees, court costs and damages.
Unlike cyber liability, which protects the user of technology services and devices, E&O is meant to protect the merchant who sells the technology products or services. Cyber liability coverages are typically bundled into the E&O insurance package, referred to as tech E&O. Tech E&O covers a company for an error that financially harms a client. Coverage will typically include errors or oversights, undelivered services, missed deadlines and breach of contract. Consider a web designer who builds a website for a customer that looks similar to one of the customer's competitors, exposing the customer to a potential copyright infringement claim. Or a software developer sells a customer a program with a bug that caused operational problems when the customer implemented it. Imagine the bug caused new orders to be deleted from the system if no delivery date was entered. The E&O coverage would respond to pay the firm's legal expenses and other costs arising from customer claims.
There is a lot of activity around bad faith litigation against carriers, and cyber liability is no exception. It arises when a policy is in place, a claim occurs, and the insurer's conduct in handling the claim then comes under question. James Dodrill, the insurance commissioner of West Virginia, warns that bad faith litigation commonly arises in low-limit insurance policies, where the insured uses the bad faith argument to get around the low policy limit.
The goal is the same for the claimant irrespective of the type of coverage, whether cyber, E&O or property. The cautionary tale for insurers, according to Dodrill, is: "If you have a low E&O limit or exclusions involved by language in the policy, those elements will come into play if you make an erroneous coverage call." The bottom line is that while cyber is a relatively new type of coverage, the lessons learned in other areas must be brought to bear in drafting these policies and their exclusionary language. Dodrill warns, "Carriers must be cautious. I have seen low-limit policies of $25k result in bad faith verdicts north of $10M."
Claims professionals are accustomed to employing the services of forensic accountants in a business income/interruption loss. In the arena of cyber, the forensic accountant would be involved post-breach, where a company's first-party cyber liability coverage is responding to the incident, and would assist with calculating the damages arising from the business income loss resulting from the breach. Going back to the example of the hospital whose software provider had an employee's credentials fall into the hands of a bad actor, the provider's E&O coverage may respond. The forensic accountant would then be involved not only in measuring the hospital's damages but also in the potential subrogation against the software provider under its E&O coverage.
With so many elements in play, let's bring it back to the claim handling perspective. In general, when a cyber liability claim arises, we want to consider the insured's protocols. Did they follow established protocols? What is the true nature of the claim: is it a cut-and-dried cyber claim, or was it social engineering? If coverage is declined, is there a well-documented rationale behind the decision? Have you explored what limits are available? What is the potential for a causation defense? When it comes to demonstrating good faith and avoiding bad faith claims, carriers want to focus on training: training claims teams to be responsive and show good faith, and training brokers to understand the policies and clearly communicate limits, exclusions and expectations to insureds. The world of cyber insurance will continue its rapid evolution. Opportunity abounds for carriers who are prepared with the right products, processes and support.
Reprinted with permission from the July/August 2021 issue of Claims Magazine. © 2021 ALM. Further duplication without permission is prohibited. All rights reserved.