News reports abound of cyber attacks and cyber security breaches. The damage resulting from such breaches can include loss or disclosure of confidential customer and employee data and mission critical intellectual property, destruction of business property, reputational injury, regulatory actions, fines and investigations, class action litigation, and loss of business, enterprise value, and market capitalization.
A comprehensive response to this growing threat must include a review of the degree to which the risks of cyber attack or breach are covered by insurance.[1] Particular attention should be paid to the following three contexts in which we have seen significant gaps in coverage of late:
- Cyber Exclusions in Directors’ & Officers’ Liability Insurance;
- War and Terrorism Exclusions in Cyber Insurance; and
- Coverage of Physical Loss Resulting from Cyber Attacks.
Cyber Exclusions in Directors’ and Officers’ Liability (D&O) Insurance
A cyber incident involving a company may have significant implications for its directors and officers. This is particularly true where the company has publicly-traded equity or debt securities, as such a cyber incident can adversely affect the holders of the company’s securities, or where the company occupies a prominent or sensitive position from a governmental or regulatory perspective. For example, the degree to which a company’s directors and management have complied with their fiduciary duties, taken appropriate precautions against cyber-related risks, and adequately disclosed such risks and related precautions may well be called into question in shareholder or creditor litigation or during a regulatory inquiry or investigation.
In seeking to mitigate the impact of cyber-related claims against a company’s directors and officers (for example, where the company’s share price drops following the disclosure of a cyber-related incident, and shareholder derivative claims are brought), one might first turn to the company’s D&O insurance policy. However, we have seen several instances of existing policies (and proposed renewals of D&O insurance policies) containing exclusions of coverage for cyber-related matters, including for “cyber security breach” and “data breach”. The existence of such exclusions could[2] eliminate D&O insurance coverage for a particular cyber incident, thus leaving the company with only its cyber insurance coverage limits (if and to the extent it has them) to address the costs and liabilities suffered by the company directly, as well as the costs and liabilities incurred in the defense and settlement of any related shareholder complaint.
We encourage you to review carefully with your insurance and legal advisors the terms of your existing D&O insurance policy to ascertain whether the foregoing exclusion applies to your coverage.
War and Terrorism Exclusions in Cyber Insurance
Insurance policies routinely exclude coverage for losses resulting from acts of war or terrorism. Recent cyber-related incidents, particularly those involving or allegedly involving governmental or quasi-governmental actors or terrorist groups, raise questions of whether such incidents would fall within the scope of such exclusions. The globe-spanning nature and armchair execution of cyber threats, together with reports that certain cyber attacks have been conducted by or on behalf of governmental actors, distinguish the risks covered by cyber insurance from risks covered by other forms of insurance. A company purchasing cyber insurance expects coverage in the event of a cyber incident, irrespective of the identity of the perpetrator (including persons acting for or on behalf of other countries) and the reason for the cyber incident (including perpetrating acts of “cyber terror”).
Cyber risks and cyber insurance are still evolving. In evaluating or purchasing cyber coverage, special attention must be given to exclusions for “terrorism”, “war”,[3] “government action”,[4] and other terms having similar import. Depending on their precise formulation, such exclusions could eliminate coverage for a cyber incident merely by virtue of who perpetrated the act, for what reason the act was perpetrated, and/or how the act or a person, group, or country allegedly involved in the act is characterized by a politician, governmental agency, or regulator. We urge you to keep this in mind and discuss it with your insurance and legal advisors when assessing the protection afforded by existing cyber insurance coverage or when negotiating new or renewal coverage.[5]
Coverage of Physical Loss Resulting from Cyber Attacks
Exclusions for cyber-related matters are found in many commercial general liability (CGL) insurance policies today, and such exclusions are being routinely included in CGL insurance renewals. Depending upon the formulation of such exclusions, the remainder of the policy language, and the ongoing development of case law in this arena, coverage for losses from bodily injury, physical damage, pollution, or similar matters may not be available if arising from a cyber-related incident. Similarly, typical cyber insurance policies often expressly exclude coverage for such losses.[6] Examples of such losses could include damage to persons or property (including pollution) resulting from a cyber-based attack on oil, gas, electrical, and other infrastructure control systems,[7] personal injury resulting from a cyber-based shut-down of healthcare or emergency responder systems, and destruction of computer hardware (including servers) and other assets through a cyber-based attack.
As a result, unless its insurance program has been carefully constructed and modified as necessary as developments in the cyber arena emerge, a company may find itself without any insurance coverage for potentially material liability arising from cyber-related incidents, merely by virtue of the type of damage caused by such incident. One recent commentator noted, “[a]lthough the upstream, midstream and downstream energy markets are well-insured, many of these insurance policies contain exclusions for damages arising out of cyber attacks, malevolent viruses or malware. The end result is an ocean of insurance coverage, but barely a drop that would cover catastrophic damages arising from a cyber attack.”[8]
In this age of cyber crime and cyber terrorism (and continued evolution of cyber insurance and cyber-related exceptions from non-cyber insurance policies), insureds would be well-advised to review with their insurance and legal advisors their property and casualty and cyber insurance policies to see whether and how they would respond to physical loss in the face of any of a number of potential cyber-related incidents.