cyber liability insurance

As I have noted in prior posts, a recurring challenge many organizations face these days is the threat of “payment instruction fraud,” also sometimes called “social engineering fraud” or “payment impersonation fraud.” In these schemes scammers use official-seeming email communications to induce company employees to transfer company funds to the imposters’ account. Among the many issues arising when these kinds of scams occur is the question of insurance coverage for the loss. Some victims may expect that their cyber liability insurance will cover their loss.

However, as Lauri Floresca of Woodruff-Sawyer points out in her December 5, 2019 post on her firm’s blog entitled “Payment Impersonation Fraud: Why is This Common Cyber Problem Not a Valid Cyber Claim” (here), these claims rarely involve the kind of cyber security breach required to trigger cyber insurance coverage. Accordingly, there are other steps well-advised companies may want to take to try to protect themselves from these kinds of losses.
Continue Reading Payment Instruction Fraud and Cyber Insurance Coverage

We live in a world in which rapidly shifting technologies and communications modalities have changed the way we interact and conduct business. These new media and means of interaction have introduced innumerable benefits and efficiencies. Unfortunately, these new alternatives have downsides; among other things, they mean new risks and even liability exposures for both individuals and companies that use them. We are all well aware of what can happen to a company that experiences a major data breach. But the new technologies and communications approaches also introduce a host of other potential business liability risks and exposures.

In the new 2015 edition of their interesting and readable book Cyber Risks, Social Media and Insurance: A Guide to Risk Assessment and Management (here), Carrie Cope, Dirk E. Ehlers and Keith W. Mandell take a comprehensive look at the new technologies and communications approaches, review the changed liability environment that these new alternatives present, analyze the current state of the insurance marketplace for these various exposures, and make some projections about what may lie ahead.
Continue Reading Book Review: Cyber Risks, Social Media and Insurance


It is well understood by now that cyber security is a concern for every organization and that it is an issue on which every company’s board should be focused. But what specifically should boards of directors be worried about and what questions should they be asking? In the following guest post, John Reed Stark and David R. Fontaine take a look at the ten cybersecurity concerns on which every board of directors should be focused. John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. David Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that, among other entities, owns Kroll’s data breach response services. The authors’ complete biographies appear at the end of the post. This article was previously published on, an online global cybersecurity and incident response report, and a division of Docket Media.

I would like to thank the authors for their willingness to publish their article on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. The authors’ guest post follows.


Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board will need to clean up the mess and superintend the fallout.

Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies,[1] fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on.

And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage;[2] loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.

So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cybersecurity, but there is no need for board members (many of whom have limited IT experience) to panic.

Below we compile a list of ten cybersecurity considerations that provide a solid bedrock of inquiry for corporate directors who want to take their cybersecurity oversight and supervision responsibilities seriously.[3] This “cybersecurity top ten list” provides the requisite strategical framework for boards of directors to engage in an intelligent, thoughtful and appropriate supervision of a company’s cybersecurity risks.
Continue Reading Guest Post: Ten Cybersecurity Concerns for Every Board of Directors

The exclusions are an important part of any liability insurance policy, but this is particularly true of cyber liability insurance policies. In the following guest post, Robert Bregman, CPCU, MLIS, RPLU, Senior Research Analyst, International Risk Management Institute, Inc., takes a look at ten of the most common exclusions found in cyber liability and privacy insurance policies. This guest post is an excerpt taken from a longer article entitled “Cyber and Privacy Insurance Coverage” that appeared in the July 2015 edition of The Risk Report, and is copyrighted by IRMI. Learn more about The Risk Report here.


I would like to thank Bob for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Bob’s article.



As is the case with virtually every type of management liability insurance, the true extent of coverage that any given policy provides is a function of its exclusionary language. Accordingly, this article will analyze both the differences and similarities between 10 of the most common exclusions found within cyber and privacy policies. Its goal is to assist the reader in negotiating exclusionary wording that maximizes the scope of coverage a policy will provide in the event of a claim.
Continue Reading Guest Post: Cyber & Privacy Policy Exclusions: Analyzing Differences, Negotiating Modifications

Cyber liability insurance is a relatively new product and case law interpreting the policies is only now just developing. However, even at this relatively early stage, there have been some important coverage decisions, and more are coming, as more coverage disputes arise. In the following guest post, Roberta Anderson takes a look at the steps companies can take to decrease the likelihood of a coverage denial and of litigation. Roberta is an Insurance Coverage partner in the Pittsburgh office of K&L Gates LLP and co-founder of the firm’s global Cybersecurity, Privacy and Data Protection practice group. A version of this article previously appeared on Law 360.


I would like to thank Roberta for her willingness to publish her article on my site. I welcome guest posts from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to publish a guest post. Here is Roberta’s article.


Many insurance coverage disputes can be, should be, and are settled without the need for litigation and its attendant costs and distractions.  However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals in order to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage.  As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System,[i] in which CNA[ii] seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation,[iii] cyber insurance coverage litigation is coming.  And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation.  In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium.  A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage.  In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.
Continue Reading Guest Post: Five Tips for Success in Cyber Insurance Litigation

As I have frequently noted on this site (refer, for example, here), cyber security issues increasingly are a board level concern, and indeed, recent shareholder litigation has shown that investors intend to hold board members accountable when data breaches cause problems for their companies. In the following guest article, which was previously published

Cyber security and related privacy issues increasingly dominate the headlines. And for good reason: according to statistics cited in a recent Wall Street Journal article, cyber attacks – ranging from malicious software to denial of service attacks – increased 42% in 2012. The trend has only accelerated in 2013. As the possibility and potential scope of