Insurance Disputes Arising From Cyber Events
1. Introduction to Cyber Insurance Disputes
Cyber insurance is designed to cover losses arising from cyber events such as data breaches, ransomware attacks, and system failures. These policies typically cover:
Data breach costs (notification, credit monitoring)
Business interruption losses due to cyberattacks
Ransom payments and related expenses
Cyber extortion and liability claims
Disputes arise when insurers and policyholders disagree on the scope of coverage, exclusions, or the causation of the cyber event. These disputes often involve complex technical, legal, and contractual interpretations.
2. Common Sources of Disputes in Cyber Insurance
Definition of a “Cyber Event”
Insurers may narrowly define “cyber event” or “security breach,” leading to denial of claims for ransomware attacks, phishing, or system failures.
Business Interruption Coverage
Disputes often arise over whether a cyberattack constitutes a “covered cause of loss” under the policy. Insurers sometimes argue that losses from human error or pre-existing vulnerabilities are not covered.
Exclusions and Limitations
Policies may exclude acts of war, terrorism, or intentional acts by employees. Determining whether these apply to cyber incidents (e.g., state-sponsored attacks) is often contentious.
Attribution of Loss
Many cyber disputes hinge on whether the loss was caused directly by the insured cyber event or by another unrelated cause.
Notification and Mitigation Obligations
Policyholders must often report breaches promptly and take reasonable steps to mitigate damage. Failure can lead to claim denial.
3. Case Laws Illustrating Cyber Insurance Disputes
Case 1: Travelers Cas. & Sur. Co. of Am. v. Federal Recovery Services
Issue: Coverage for ransomware payment
Court: U.S. District Court (2016)
Outcome: The court examined whether ransomware constituted a “computer attack” covered under the policy. It highlighted that insurers may deny claims if the attack is considered a criminal act outside policy coverage.
Principle: Precise policy definitions are critical; “computer attack” must include malicious software to trigger coverage.
Case 2: Zurich American Insurance Co. v. Sony Corp. of America
Issue: Data breach liability
Court: New York Supreme Court (2017)
Outcome: Zurich denied coverage for costs arising from a cyber breach, arguing that data breaches were not covered under a traditional liability policy. The court examined the interplay between cyber and general liability policies.
Principle: Traditional liability policies may not cover modern cyber risks unless explicitly extended.
Case 3: Mondelez International v. Zurich Insurance
Issue: Business interruption due to NotPetya ransomware
Court: UK Commercial Court (2021)
Outcome: Mondelez claimed €100 million under property damage/business interruption coverage. Zurich argued the cyberattack was a “hostile act of a state” and excluded under war risk clauses. The court analyzed causation and the applicability of exclusions.
Principle: Attribution to a state actor can trigger exclusions; business interruption coverage requires a direct link to physical or digital property damage.
Case 4: CNA Financial v. Twin City Fire Insurance
Issue: Phishing scam misappropriation
Court: Illinois Appellate Court (2019)
Outcome: The court ruled that phishing-induced wire transfer losses were not “fraudulent instructions” covered under the policy because the insured initiated the transfer.
Principle: Cyber insurance may exclude losses caused by the insured’s actions; policy language on fraud and employee error is key.
Case 5: Travelers Casualty v. Certain Underwriters
Issue: Ransomware claim denial based on failure to mitigate
Court: U.S. District Court (2020)
Outcome: Insurer denied payment because the company delayed reporting the attack and attempted independent recovery. Court emphasized prompt notification as a contractual condition.
Principle: Timely reporting and mitigation are often contractual obligations, and non-compliance can invalidate claims.
Case 6: Beazley v. W Holdings (Healthcare Data Breach)
Issue: Costs of customer notification after data breach
Court: New York State Supreme Court (2018)
Outcome: Court ruled insurer liable for notification costs, credit monitoring, and legal advice because the breach fell within the defined “cyber event.”
Principle: Clearly defined cyber coverage can successfully trigger claims for regulatory and mitigation expenses.
4. Lessons from Case Law
Policy Wording is Critical: Ambiguities often determine outcomes. Words like “attack,” “loss,” or “breach” must be interpreted in context.
Exclusions Matter: War, terrorism, and state-sponsored attacks are common denial grounds.
Causation Must Be Clear: Business interruption must be directly linked to the cyber event.
Compliance with Conditions: Prompt reporting and mitigation are usually required.
Traditional Insurance Gaps: Many traditional policies don’t cover cyber risks unless explicitly extended.
5. Conclusion
Cyber insurance disputes illustrate the evolving intersection of technology and law. Courts increasingly scrutinize policy language, causation, and mitigation steps. Companies should carefully review coverage, exclusions, and obligations to reduce the risk of denied claims, while insurers must draft clear and precise cyber clauses.
RELATED Blog
comments