Almost four months have passed since the World Health Organization declared COVID‑19 a global pandemic on March 11, 2020. Continued social distancing and other precautionary measures have driven many organizations to expand work-from-home protocols for the foreseeable future or even permanently—in turn prompting many organizations to review their cyber insurance policies in addition to the rest of their insurance portfolios. While cyber risk policies are not widely standardized, there are several common traps that are found in many cyber risk policies, and early awareness of them can be the difference between a covered claim and a hard-fought coverage battle. While these traps are not specific to COVID-19 concerns, they may become increasingly important as organizational cyber exposures increase. Three of the more salient pitfalls are discussed in this post.
Risk 1: Potentially Lowered Rescission Standards
Insurers rely on information in policy applications to assess risk, decide whether to offer coverage, and set premiums. Insurers have long argued for rescission of an insurance policy when the policyholder omitted a material risk in response to an application question. Because insurers typically seek rescission after they become aware of a loss or claim, many states impose a high legal standard for insurers to seek rescission. Importantly, many states require that the alleged misrepresentation in the application have a material impact on the insurer’s acceptance of the risk at issue in the claim. Put simply, under the law in many jurisdictions, insurers cannot use an unrelated error in the application to attempt to rescind coverage for a subsequent incident.
Many cyber insurance policies, however, include language that attempts to incorporate broader rescission-like standards into the plain language of the policy rather than relying on common-law remedies. Often this wording purports to exclude coverage if the policyholder made any misrepresentation in the application. Similar exclusions have been present in cyber risk policies for years, but recently insurers have moved this language from the exclusions section to the representations or conditions section. Regardless of where this exclusionary language is found in the policy, however, insurers have argued that any higher rescission standards imposed by local law should not apply because the insurer is relying on the policy’s terms, rather than the common law right to rescind the policy. While this issue has not been decided by a court in the cyber insurance context, policyholders should seek to avoid this coverage pitfall by negotiating this language out of their policies if possible.
This issue is not present equally in all insurance policies. Some policy forms do not include these restrictions. Others include language that closely mirrors common law recission standards and requires that a senior member of the policyholder’s organization (1) had knowledge of the alleged misrepresentation; (2) knew or should have known that the alleged misrepresentation was actually false or misleading; and (3) that the alleged misrepresentation materially impacted the insurer’s decision to accept the risk and place the policy. Policyholders should negotiate for more favorable language such as this if the insurer is unwilling to remove a broader rescission provision altogether.
Risk 2: “War” Exclusions
Many cyber incidents can be directly or indirectly linked to state actors. Look no further than the recent assault on Australia’s cyber systems as an example. Insurers have used nominal ties to state actors as a pretext to deny coverage under the “war exclusion” found in almost all insurance policies. In one recently filed high-profile coverage case, an insurer is arguing that the policyholder is not entitled to coverage for loss from the NotPetya ransomware attack because the exploit behind the ransomware was linked to Russian operatives by U.S. and UK government officials. This case, Mondelez International Inc. v. Zurich American Insurance Co., remains pending in an Illinois state court as of June 2020. While war has long been an excluded risk, the difference in the cyber context is that the perpetrator of the attack may be completely unknown and cyber attacks may not fall within excluded “war” as defined in the policies.
While state actors are responsible for the development and initial deployment of many cyber exploits, once those exploits are deployed, they can be—and are—co-opted and deployed by cyber criminals. Because the ransomware is “attributed” to certain state actors by governments and cyber specialists, insurers argue that a claim arising out of that ransomware is subject to the war exclusion even without direct evidence that it was deployed against that policyholder by the state actor that developed the exploit in a war as defined.
Policyholders should protect themselves by seeking to limit the scope of the war exclusion to claims that are the direct result of an action taken by a state actor in a war as defined.
Risk 3: The “Betterment” Issue
Insurers will tell you that the purpose of an insurance policy is to place insureds in the same position that they would have been in if the loss had not occurred (minus the deductible or waiting period). This lofty goal is only sometimes met, and often it can be twisted beyond recognition when it comes to the replacement of computer hardware following a cyber event. Assuming your organization’s cyber insurance policy pays for replacement of computer systems following a cyber incident, there is likely language that mandates that the replacement systems be of a “similar quality” to the prior systems. Typically, this is not an issue.
However, where a policyholder’s existing systems are outdated, some insurers have relied on this language to insist that the insured source the same or similar obsolete systems even though it was more efficient to buy cheaper, newer equipment. In some situations, the policy may contain language that will only cover the supposed “betterment” if the upgrade is necessary to address a security concern. While this coverage extension is beneficial, insurers sometimes use it as a hammer to insist that there is no other situation where they are required to provide a “betterment.” For this reason, prudent policyholders should seek to have this “similar quality” requirement removed or specific coverage added for betterment when it reduces the amount of the loss.
A properly constructed cyber insurance policy can provide important coverage following a cyber incident, but even if your organization has a cyber policy in place, common traps can limit or eliminate coverage. Consult with your insurance broker and qualified coverage counsel to ensure that your cyber policy does not have these issues.