Cyber Insurance: Beware of the Fine Print

Seth Berman, Partner, Nutter and Ashley Paquin, Associate, Nutter

Seth Berman, Partner, Nutter

As the frequency of data breaches continues to skyrocket, the cyber insurance market has exploded too. Indeed, cyber insurance is now as important to a company’s cyber defence strategy as firewalls, strong passwords, and well-thought-out incident response plans. However, buying cyber insurance is not nearly as simple as buying other types of corporate insurance policies. The cyber insurance market is too new and too varied for there to be a set of clearly defined terms and expectations around what is covered and what is excluded from policies.

Buying cyber insurance is not nearly as simple as buying other types of corporate insurance policies

Meanwhile, the cost of breaches continues to soar. Cybersecurity Ventures predicts cybercrime damages will cost $6 trillion annually by 2021. The insurance market is both intrigued by and wary of this risk. On one hand, insurers see cyber insurance as a growth market and have started offering many different types of cyber insurance coverage. On the other hand, insurers are worried that losses could quickly multiply and therefore have been taking steps to limit their exposure to cyber risks. For example, cyber risks have been excluded from most general insurance policies. Companies must now purchase either standalone cyber insurance or a cyber insurance rider to their general liability policies.

Coverage under these cyber insurance policies are not standardized, meaning different policies cover or exclude different kinds of events. Because the track record of cyber insurance policies is quite short, many issues of interpretation have not yet been definitively settled. As a consequence, breaches often result in disputes between the insured and their insurer regarding whether an incident is covered by a particular policy. This problem is made harder to address in advance by the fact that hackers are continually evolving new ways to penetrate networks and monetize the information they find, which means that many types of attacks had been unknown at the time the policy that might cover them was drafted.Ashley Paquin, Associate, Nutter

The perils of insurance policies are perfectly illustrated by a recent lawsuit. The National Bank of Blacksburg in Virginia recently filed a lawsuit against its insurer relating to two data cyber security incidents that happened in 2016 and 2017. The two data breaches (apparently by the same set of hackers) allowed the hackers to access the bank’s systems and remove critical security measures from customer accounts. The 2017 data breach also allowed the hackers to change customer balances. Once these accounts were altered, the hackers withdrew money in customer accounts from ATM machines. The fraudulent ATM transactions could not have occurred without the hacking, as the hackers disabled the daily withdrawal limits and obscured the evidence of the fraud, controls that otherwise would have significantly limited the amount of money that could be stolen.

When the bank learned about the attack, it sought to recover the $2.5 million in losses from its insurer an amount that was well within the bank’s $8 million policy limit. The insurer did not pay the claim. Instead, it offered only $50,000, on the grounds that the cyber insurance policy excluded losses resulting from the use of credit, debit, or other cards to obtain funds. Since these cards were used as a part of the criminal scheme, the insurer reasoned that the bank’s separate Debit Card Rider applied, but that coverage was capped at $50,000, an amount that would likely have been below the bank’s withdrawal limits – the withdrawal limits that the hackers had disabled. Inevitably, the bank has now sued the insurance company. The courts will decide whether the hacking and ATM card fraud is a cyber-attack or loss resulting from debit card use.

Regardless of how the National Bank of Blacksburg case turns out, all consumers of cyber insurance should learn an important lesson: carefully verify whether cyber insurance covers the types of risks that your company may face and ensure that any limits on recovery are consistent with possible damages. Although some insurance coverage is better than none, insurance is very much defined by the fine print.