Many of you probably saw the news this past week that Target has filed a lawsuit against one of its insurers over losses the company sustained in connection with the company’s 2014 data breach. The Target lawsuit is the latest in a series of high profile insurance battles in which companies are seeking to recoup losses resulting from cybersecurity incidents. However, as my friend, colleague, and Cyber insurance maven Mickey Estey pointed out to me, in its lawsuit Target is in fact not seeking to recover its claimed losses under a cyber insurance policy; rather, in its latest lawsuit, Target is seeking to recover for certain of its losses under its general liability policy. The Target lawsuit is only the latest in a series of high-profile insurance disputes in which companies that have sustained losses from a cybersecurity event are seeking coverage under a variety of different types of policies.
As discussed below, these high profile disputes involving other kinds of coverages have created confusion about the extent and availability of coverage under purpose-built cyber insurance policies. And on a more general level, these disputes pose a serious challenge to the insurance industry, as policyholders seek to establish coverage under policies that arguably were not built with cyber-related kinds of losses in mind.
The Target Lawsuit
In December 2013, Target discovered that a hacker had installed malicious software on its computer network. The software enabled the hacker to gain access to customer payment card data and other personal information. As a result of this attack, Target sustained a variety of different kinds of losses. Among these losses were the costs the company incurred in connection with the replacement of customers’ physical payment cards. The banks that had issued the customers’ cards were, following the Target attack, obliged to cancel and reissue the cards. The banks sued Target for their reissuance costs. Target entered settlements with the banks in connection with these card issuance lawsuits.
Target sought to have the costs it incurred in settling with the banks covered by its GL policy. Its GL carrier denied coverage for the claim. On November 15, 2019, Target sued the GL carrier. A copy of Target’s complaint can be found here. In its complaint, Target alleges that the GL policy insures coverage for losses because of physical property damage, defined to include “loss of the use of tangible property that is not physically injured.” Target contends that its losses in connection with the banks’ credit card replacement claims represent “precisely” this kind of loss, as the company was, it claims, “held liable for the loss of use of plastic payment cards that were not physically injured.”
The key point I wish to emphasize here is that the Target lawsuit has not been filed against its cyber insurance carrier, and the company is not in this lawsuit suing under a cyber insurance policy for its cyber-incident related loss. Rather, the company is trying to establish that a portion of the losses it sustained are covered under its GL policy.
In relation to this point that the Target lawsuit involves a GL policy and not a cyber policy, it is also important to note that at the time of the incident, Target did have cyber insurance. I am told by reliable sources that in fact Target had a $90 million cyber insurance program in place, and that Target’s cyber insurance program was in fact exhausted by payment of losses the company sustained as a result of the data breach.
The point here is that in its latest lawsuit, Target is not seeking to establish insurance coverage for its payment card-related replacement costs stemming from the breach under a purpose-built cyber insurance policy; rather, it is seeking to establish coverage for the losses under another insurance policy in its insurance program. As I discuss further below, this distinction between the kind of insurance that is at the heart of the insurance dispute is key but is all too often overlooked in the mainstream media’s discussion of this and other cyber loss-related insurance disputes.
The Mondelez Lawsuit
When I read about the Target lawsuit and noted that the dispute involved a fight over coverage under the company’s GL policy, I immediately thought of the high-profile lawsuit that is pending in state court in Illinois between the food company Mondelez and Zurich Insurance. Readers may recall that Mondelez was one of the companies whose IT systems were hit with the NotPetya virus in 2017. The company sustained significant losses from the virus and it sought to have Zurich cover the losses. Zurich denied coverage for the losses in reliance on its policy’s War Exclusion. In October 2018, Mondelez sued Zurich seeking coverage for the losses. The case is still pending. A copy of Mondelez’s complaint can be found here.
The Mondelez lawsuit has received widespread coverage in the mainstream media. Much of the media coverage has focused on what the case may mean for policyholders seeking to get insurance coverage for cyber-related losses. For example, the New York Times’s April 15, 2019 article about the lawsuit is entitled “Big Companies Thought Insurance Covered a Cyberattack. They May be Wrong.”
Almost none of the media reports note a critical detail about the Mondelez lawsuit, which is that in its lawsuit Mondelez is not seeking to establish its entitlement to coverage under a purpose-built cyber insurance policy; rather, Mondelez is seeking to establish coverage under its property insurance policy. Whether or not the war exclusion operates to preclude coverage for the company’s losses is an interesting question that is beyond the scope of this blog post. (For a discussion of the War Exclusion issues in the Mondelez lawsuit, please refer to an earlier guest post on this blog, here.) But for purposes of this discussion the key is that the policy in dispute is a property insurance policy, not a purpose-built cyber insurance policy.
In its somewhat breathless coverage of the Mondelez lawsuit, the mainstream media has continuously overlooked the fact that the lawsuit involves a property policy with a conventional property policy War Exclusion and instead suggested the dispute involves a cyber insurance policy. Indeed, in many instances, so has the insurance industry-focused media. (For example, here’s one headline: “Mondelez v. Zurich Shows Cyber Market Uncertainties.” Here’s another headline: “Zurich, Mondelez Case to Test Cyber Insurance.” Here’s another headline: “What Mondelez v. Zurich May Reveal About Cyber Insurance in the Age of Digital Conflict.”)
It is critically important that the policy at issue in the Mondelez lawsuit is a property insurance policy and not a cyber insurance policy. For starters, the wording of the property insurance War Exclusion at issue in the lawsuit is broader than that typically found in most cyber insurance policies. (The exclusion at issue in the Mondelez case applies if a hostile act played any role in the loss.) Even more important, cyber insurers generally have not taken the position that the property insurer involved in the suit has taken, despite many opportunities to do so. In addition, cyber insurers will modify the war exclusions in their policies to make it clear that the exclusion does not apply to cyber terrorism.
Having overlooked the fact that the lawsuit involves a property policy and not a cyber policy, many media reports have made the leap that somehow the lawsuit represents some sort of a litmus test over cyber insurance coverage. It is nothing of the sort.
Instead, the Mondelez lawsuit, and the recent Target lawsuit, both represent efforts to see whether policyholders can establish cover for their cyber-related losses elsewhere in their insurance program.
Thinking About “Silent Cyber”
This possibility that insurance coverage for cyber-related losses might be found in various insurance coverages in a policyholder’s insurance program is what many insurance industry commentators have called “silent cyber,” which is usually described in contrast to “affirmative cyber.”
What is called “affirmative cyber” is the coverage available for cybersecurity related incidents in purpose-built policies. “Silent cyber” is the possibility that insurance coverage for cyber related losses may be found in other insurance policies, policies that the insurers would argue were not built with the possibility of coverage for cybersecurity related losses in mind.
Target’s effort to establish coverage under its GL policy and Mondelez’s efforts to establish coverage under its property insurance policy are far from the only examples of policyholders’ efforts to establish insurance coverage under other insurance policies for cybersecurity-related losses. Regular readers of this blog will be familiar with other examples of these kinds of efforts. For example, just a few days ago, I wrote about an insurance dispute in which the policyholder was seeking to establish insurance coverage for payment instruction fraud losses under its professional liability insurance policy.
Readers will also be familiar with cases in which, as a result of third-party lawsuits, companies experienced cyber-incident related claims for which they undoubtedly would or will seek coverage under their D&O insurance policies. A recent example of these kinds of claims is the securities class action lawsuit filed earlier this year against FedEx. As discussed here, FedEx’s European operations had also suffered operational setbacks as a result of the NotPetya virus. Shortly after the incident, the company had claimed that its operations were not significantly disrupted and that it was fully operational. However, some time later the company disclosed that it continued to suffer operational challenges as a result of the incident; following this news, the company’s share price declined and a securities class action lawsuit followed. This is an example of the way cyber-related incidents can result in losses under D&O insurance policies, another example of “silent cyber” as the costs stemming from cyber incidents filter into other policy coverages.
The extent to which the “silent cyber” phenomenon results in policyholders obtaining insurance coverage for cyber incident-related losses under the other policies in their insurance program remains to be seen. It certainly is understandable that companies sustaining losses from cyber-related incidents will seek to establish coverage any place they can. From my perspective, more power to them.
There is one important confounding effect from these various efforts to establish the existence of insurance coverage for cyber-related losses under other policies, and that is the confusion that these efforts can create about the extent and scope of coverage available under purpose-built cyber insurance policies.
As a result of widespread and really inexcusable confusion in the mainstream media – and even in the insurance industry-focused media – about what kinds of insurance coverage are involved in various high-profile disputes about cyber-related losses, there is an evolving – and largely misplaced – misconception that cyber insurance doesn’t pay. Almost always, media reports spreading this misconception comprehensively fail to note that the examples cited in support of this do not involve cyber insurance policies.
As discussed in a recent post on an AON blog about “silent cyber” (here), the various kinds of policies involved in these disputes (like for example Target’s GL policy or Mondelez’s property insurance policy, or even, for example, kidnap and ransom policies) arguably were not designed to explicitly address cyber-related losses. Many of these kinds of policies, and others, typically do not affirmatively either grant or deny coverage for these kinds of losses. Policyholders may seek to try to find coverage for cyber-related losses under these coverages – and as I said above, more power to them – but in many instances cyber losses are going to be at best an awkward fit under those coverages.
For their part, the insurers are all too aware of these developments. Increasingly, carriers are incorporating terms and conditions calculated to try to ensure that coverage for cyber-related losses does not filter into their various policies that, at least from the insurer’s perspective, were not built to provide coverage for cyber-security related incidents.
Policyholders sustaining cybersecurity-related losses undoubtedly will seek to continue to establish coverage for their losses wherever they think they can – as they should. If policyholders have purchased insurance that they contend provides coverage in whole or in part for their cyber losses, then by all means, they should continue to pursue the coverage.
By the same token, insurance buyers concerned about the possibility of future losses would be best advised to seek and obtain purpose-built cyber insurance coverage. The policies that are available in the market today provide broad coverage that will respond to a wide variety of circumstances. Indeed, cyber insurance increasingly is and should be viewed as an indispensable part of a complete insurance program for every organization.
In the meantime, observers watching the various high-profile insurance coverage disputes involving cyber-related losses would do well to read media reports with a high degree of caution. The key question to keep in mind is whether the insurance involved is or is not purpose-built cyber related insurance. Breathless media reports about these various cases representing some kind of a referendum about cyber insurance – when cyber insurance is not even involved – do a disservice to everyone.