Over the past few years, ransomware attacks have increased in frequency and demand size. And, increasingly, those attacks have targeted businesses and critical infrastructure organizations from across the globe. This trend is likely to continue. The Cybersecurity & Infrastructure Security Agency noted that cybersecurity authorities in the United States, Australia and the United Kingdom assess that “if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.”
As cybercrimes and data breaches continue to cause significant damage to companies of all types, policyholders are looking to their various insurance policies for coverage to help weather the storm and recoup losses. A recent decision by the U.S. Court of Appeals for the Fifth Circuit highlights the need for companies to review all of their policies for potential cyber-related coverage, including their CGL policies.
Winning a championship ring is everything. Just ask the Los Angeles Dodgers, who won 11 National League West titles between their 1988 and 2020 World Series Championships and would likely have traded several of those division titles for more World Series championships. But, of course, not all rings are equal. Neither are sports collectibles.
The Biden administration has hit the ground running with executive orders, regulatory and legislative priorities, and cabinet-level and other top posts being announced on a daily basis. Our public policy colleagues have been closely tracking many of the policy priorities of the new administration and highlighting important regulatory and legislative developments that businesses can expect coming down the pipeline.
A few months into the COVID-19 pandemic, the insurance focus (understandably) has been on business interruption and event cancellation coverage. Various other coverages are in play as well, given the types of COVID-19-related claims and lawsuits being filed (and that will be filed in the future) against corporate policyholders, from bodily injury due to exposure to the virus, to breach of contract, to securities violations, to misrepresentations and consumer protection violations, just to name a few. However, cyber risks are also highly salient for companies in this “new normal,” and companies must consider the role their insurance plays in preparing for and responding to those risks.
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed to date under the GDPR, since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
On insurance coverage issues, sometimes the boat seems to be listing in the wrong direction. For example, insurers have long tilted the decks to avoid coverage for “spoofing” attacks and similar kinds of email fraud by throwing their weight behind arguments that such transactions do not involve a “direct loss” from the use of company computers to implement a fraudulent scheme, which they claim their policies require. But in the first half of July, not one, but two federal appellate decisions—Medidata Solutions Inc. v. Federal Insurance Co. and American Tooling Center, Inc. v. Travelers Casualty & Surety Co.—rocked the insurers’ boats.
One thing is for certain: cyberattacks have become the norm, not the exception. Not even the NSA is capable of completely warding off security breaches. Major banking and retail institutions, as well as the government, are not surprisingly the most likely targets because of the amount of sensitive and private data they control. Still, other companies outside these sectors must heed the warnings and not become the next cyber victim. Protecting against cyber vulnerability is not merely a domestic issue. Rather, multinational companies are prime targets, and are currently undergoing institutional changes to navigate the EU General Data Protection Regulation (GDPR) that goes into effect May 2018.
Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
On May 12, 2017, a massive ransomware cyber-attack infected over 100,000 computers in more than 150 countries. This malware, a Trojan virus known as “WannaCry,” encrypts files, and then threatens to destroy them, unless the victim pays a ransom. Colleagues Jamie Bobotek and Peri Mahaley opined about this recent attack and stress the necessity to take the time now to review and confirm your cyber-privacy insurance in a Pillsbury client alert.