Tag Archives: cyber insurance

CCPA and Cyber Insurance

The law firm of Bryan Cave has done some interesting analysis.

On January 1, 2020, California became the first U.S. state to allow a breach victim to sue a company that was breached without having to prove they were damaged. The breach alone was proof of damage. The amount any one person can sue for is small – between $100 and $750, but when you multiply that by any reasonable number of victims – say 10,000 which by today’s standard is a small breach – and now you are talking money. In this example, between a million and 7.5 million dollars.

So what did Bryan Cave’s analysis show?

27 of the 84 breaches reported to the CA AG so far this year have resulted in litigation. There have been 34 actions filed referencing CCPA.

Of course a lot of this is garbage.

Some of the suits were filed for breaches that happened before CCPA went into effect. Some were filed before the 30 day cure period expired (although it is hard to cure a breach, the law says ya gotta let ’em try).

Some were filed for non-breach related CCPA violations. Note: the law does not allow for private rights of action in these cases.

Some of this could be attorneys practicing. Or testing the courts to see if they have read the law or want to create a law of their own. This part will pass.

Still, 30% of the breaches reported to the AG have resulted in some form of legal action. This is up from 4-6 percent in previous years.

So what does this mean for a company with customers in California?

It means the economics of cyber security is changing and changing rather rapidly. This is, in my opinion, exactly what the framers of the ballot initiative (Alastair Mactaggart) that forced AB 375 to be passed into law wanted.

Whether you agree with Alastair or not, you need to recognize that the economics of cybersecurity for companies that have customers in the world’s 5th or 6th largest economy has changed.

Likely it will continue to change.

Will insurance companies, understanding that their risk profile has changed, start demanding better security if you want insurance? Don’t know, but they understand math. Either better security, higher premiums or no insurance.

Will banks start demanding better security for companies who want loans? Certainly bad security increases loan risk.

Will investors start demanding better security for companies that they invest in? Some already have.

So what does this mean for companies?

Consider the new economics. Then consider your security profile. Finally, consider what would happen if you were breached.

Credit: Bryan Cave

Cyber Insurance For Mere Mortals

We have been trained by the insurance industry that you buy insurance and if you have an event, you make a claim and get paid.

For the most part, with your auto insurance or your homeowners insurance, that is the way it works.

Rarely, but sometimes, you discover that you don’t have the right coverage (like not having flood insurance in New Orleans or not having earthquake insurance in California).

Insurance companies carve out exceptions to coverage to limit their liability and, they would say, to make insurance more affordable.

But when it comes to cyber insurance, it is kind of like walking through a minefield with no mine detectors or maps.

Witness this:

AIG is being sued by a customer in New York because the client was suckered in by a series of business email compromise attacks where the customer lost almost $6 million.

AIG’s defense is that their policy doesn’t cover dishonest, fraudulent or criminal acts.

Isn’t that what most cyber insurance is designed to cover – crime?

AIG did provide legal fee coverage when their client was sued by its own client for losing its money.  That was covered until they figured out that this was related to crime.  But getting their $6 million back – that is not covered.

They say the language of the policy is:

alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission or any knowing or intentional violation of the law…

Since we don’t have a copy of the actual insurance policy, we don’t know if this is really a cyber risk policy or something else.

In another case, Zurich Insurance is refusing to reimburse Mondelez for costs related to the NotPetya attack a few years ago.  Mondelez, the company that owns Oreos, Ritz, Tang and many other brands, lost over $100 million as a result of the attack.

In the Mondelez case, they are trying to use an “all-risk property insurance policy” because, they say, NotPetya resulted in the failure of the Insured’s electronic data processing equipment.

In this case, Zurich says that they won’t pay [probably ‘cuz a hundred million dollars is a lot of money] because there is an exclusion for hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].

It appears – but I can’t be certain – that in both of these cases, the companies didn’t have legitimate cyber risk insurance but rather were trying to claim coverage under other policies that might have some possible overlap.

That being said, cyber risk policies in almost every state are non-standard form policies meaning that the state insurance department doesn’t approve the language of the policy.

Cyber risk policies are also considered “excess-lines” insurance in most states with a big warning about that in the front of the policy.  This means that you cannot file a complaint with the state insurance commissioner if you don’t like how the insurance company is operating.

So does this mean that cyber insurance is worthless?

Not in my opinion.

It does mean that you should not try to claim coverage if you don’t have a cyber risk policy, although, I guess, you can try.

Most insurance companies will not pay cyber claims under other policies.   Their actuarial data just doesn’t allow for that.

I am not sure what to do about AIG’s claim that their policy doesn’t cover fraudulent or criminal actions.  Isn’t that a major reason why you buy insurance?  That seems kind of like if you had auto insurance and your car was stolen, the insurance company says we don’t cover it if someone steals your car.  BUT, if, for example, all you bought was liability insurance, then you really don’t have the right coverage and they won’t pay for your stolen car.

When it comes to lack of coverage due to hostile or war-like actions, well that is pretty nebulous.  I would say almost all hacking is hostile.  Is it done by a government or government agent?  Maybe, but much hacking is done by governments.

I have worked with clients to get insurers to remove, restate or restrict that war-like nonsense.

What does all this say?  When you buy cyber risk insurance – and I think you should do that – you need to have an expert on your side.  One who doesn’t earn a commission from writing the policy.

You also need a broker who understands cyber risk insurance.  One question I always tell clients to ask their broker is how many millions of dollars of cyber risk insurance like the type we are looking for did you write last year?  Or how many policies did you write?  And do not let them include general liability that has a useless cyber rider.

If they wrote 1,000 or 5,000 policies last year and wrote 20 cyber policies, how much of an expert do you think they are about those 20 policies?

Their world revolves around commissions.  If they made $1,000 in commission from cyber policies and $100,000 from other insurance, where do you think their attention is going to be?

Get the right policy from the right broker underwritten by the right insurer.

P.S., if you need help, contact us and we will connect you with some great brokers.

Source:  Cyberscoop

Why Cyber Insurance is Important to Small Businesses

While the breaches at Target, the IRS, Chipotle and others made the news during 2017, small business breaches were up over 40% between 2015 and 2016 and don’t show any signs of letting up.

Given that, here are some reasons why small businesses should have cyber risk insurance.

#1 – Small businesses do not have as sophisticated defenses as large businesses.  As a result, small businesses are an easier target for the bad guys.  Small businesses do not have a full time cyber security team and often outsource IT completely with no one really directing that outside vendor unless something breaks.

#2 – Small businesses collect large amounts of personal data from their customers.  While business owners may disagree with this, the reality says that there is a lot of data.  There is also a lot of internal sensitive data like company credit card and personnel information.  When customer or internal sensitive data is taken, general liability insurance will not cover either the expenses or the losses.  Small businesses also do not have the sophisticated applications that large businesses use to protect that sensitive data.

#3 – Often, after breaches come and go, what follows is lawsuits.  While lawsuits may ultimately be dismissed, the costs involved in defending your company are high and the lawsuits are distracting, so, in many cases, companies choose to settle.  Recently, Avmed settled for $3.1 million, Schnucks for $2.1 million and Vendini settled for $3 million.  While such a settlement would be petty cash to Target, it is a large check to write for a small business.  In addition to writing the settlement check, the company also has to pay for their defense and, in many cases, the other side’s offense.  That is a lot of money for small businesses.

#4 – The only things certain are death …. and cyber breaches … to paraphrase an old expression.  While the exact numbers are debatable, the source article for this post says that more than half of small and medium businesses are out of business within six months of a successful attack.  If a small business cannot recover from a ransomware attack, it could be toast.  Let’s say that number is wrong and it is only 25% that fail after a cyber attack – that would be devastating to the owners and the employees.  And even if the company stays in business, its ability to operate may be seriously impacted as a result of the distraction, expenses, customer defections and legal costs.

Right now cyber insurance is reasonably priced. Not free, but usually affordable.  And, for companies that follow good cyber security practices, the rates are often lower than for companies that do not have an active cyber security program.

Could your company afford to write a million dollar check after a cyber breach?

In addition, the insurance companies offer preventative services for free and cyber incident response services from a variety of vendors at negotiated rates.

Information for this post came from NoPa$$iveIncome.

Insurers Say Cancer Center “On Its Own”

I wrote about 21st Century Oncology in March (see post here) when the FBI came knocking on their door.  The result?  2.2 million records compromised.  At that time they said that they likely did not have enough insurance to cover the costs of the breach.

Fast forward six months.

Law360 is reporting that Charter Oak Fire Insurance and Travelers Property Casualty Co. have asked a Florida court to rule that they have no duty to defend.

There are currently 17 class action suits pending.  If these insurance companies are found to have a duty to defend 21st Century Oncology, they will spend millions doing that.  Maybe tens of millions.

This incident was a cyber breach.  These insurance policies do not appear to be cyber policies.  Given that 21st Century has already said that they are concerned that they do not have enough insurance, they are likely grasping at straws.

Part of the reason that these lawsuits have been filed is that the plaintiffs say that 21st Century should have notified them sooner.

The breach happened, they say, around Oct. 3, 2015.

The FBI told them about the breach on Nov. 13th.

21st Century notified patients of the breach on Mar. 4, 2016, at the request, they say, of the FBI to delay notification.  I am not familiar with Florida law, but most states have an exemption from prompt notification when law enforcement requests it.  Assuming this is the case in Florida and assuming the FBI did ask for the delay, I don’t think this part of the case has much of a chance of succeeding.  However, I am not a lawyer and I certainly don’t pretend to be able to predict what juries will do.

I assume that the 17 pending class actions have a lot more claims in them that they will have to defend against.

The company’s 10-Q for the first quarter of 2016 said that they are “highly leveraged”, with over $1 billion of long term debt and are experiencing losses from operations.  Given the financial challenges that they will have to deal with over the next several years, this is not a great situation.  They have not revealed how much coverage they have.  I don’t think I would buy their stock right now.

For other companies, this is a great opportunity to look at the risks that they face and the coverages that they have and determine if they are aligned with each other.

Many companies have a $1 million or $3 million cyber liability policy.  For small companies, this is probably fine.  For a company with 800 physicians and 140 facilities, how much coverage is appropriate – in a highly regulated, highly targeted industry?  How much coverage could they buy at any price?

And, you can count on the fact that come renewal time, either they won’t be able to renew, the retained liability (deductibles) will be through the roof or the premium will be out of sight.  We already saw this with Anthem after their breach.

I suspect that their troubles are only beginning.

My recommendation is (a) plan now, (b) have enough coverage and (c) make cyber risk mitigation a priority.

Information for this post came from Law360 (registration required).

Failure To Follow Minimum Required Practices

I have written several times about the fight between Cottage Health System and Columbia Casualty, a division of CNA Insurance.

In 2013 Cottage’s systems were breached and the private information of thousands of patients was publicly disclosed.  Their insurance company paid $4.125 million for costs related to the breach, including a class action lawsuit.

That is the end of the good news.  Last year Columbia filed suit against Cottage demanding their money back.  They cited a number of reasons.

First, they said that Cottage failed to follow minimum required practices, which is a coverage exclusion in the policy.  Columbia said that Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application” means that they don’t need to cover Cottage’s losses.

Translated from the original legalese, this means that Cottage claimed that they had implemented certain security policies and operational procedures when they completed their insurance application and in fact, they did not.  Or, they did have those policies and procedures, but they did not actively follow them.

Some of the things that Columbia said that Cottage claimed they did but did not include:

  • Replace factory default passwords
  • Regularly patch their systems
  • Exercise due diligence over its information security management vendor’s safeguards

Columbia says that even if the hospital did not intend to lie, the “misrepresentation or omission of material fact” is enough, under the terms of the policy, to cancel the policy.  So, they are saying, not only do they not want to pay, but they want to cancel the policy all together.

Let’s separate this into two conversations.

First, if Cottage Health really did not change default passwords, promptly patch their systems, or have an effective vendor management program, then they are (a) pretty typical and (b) lucky that it only cost them $4 million to recover.  Those are pretty basic things that everyone better be doing.

On the other hand, and this is much more important, it points to the complexity of cyber risk insurance.

How many people, especially in a relatively small business, would understand what failure to follow minimum required practices means?  As I understand, the term was not further defined in the policy.

Although the article in National Law Review says the lawsuit was recently filed, it was actually filed over a year ago.  Hopefully that does not point to a long editorial cycle on the web site’s part.  Last I heard, the complaint has been withdrawn and the two parties are trying to work out a compromise out of court.

However this turns out, it is unlikely that Cottage will be receiving any more checks from Columbia as the costs of this breach may continue and in fact, they may have to find a new insurance company.

Trying to find a new insurance company after this “dispute” with their current insurance company has been plastered all over the news may not be easy.

The watch word here is BEWARE!  The world of cyber risk insurance is somewhat like the Wild Wild West.  It is definitely the world of buyer beware.

Information for this post came from National Law Review.


Not Getting The Right Cyber Insurance Cost PF Chang’s $2 Million

P.F. Chang’s restaurant chain suffered a cyber breach in which about 60,000 credit cards were stolen.  The breach only affected 33 of the company’s approximately 400 restaurants, so it could have been much worse, even though it lasted 8 months.

Still, the restaurant spent about $1.7 million recovering from the breach.  If the breach hit all of their locations at the same rate, that number might have been around $20 million.  This is still small compared to, say, Target.

Chang’s had purchased cyber breach insurance from the Federal Insurance unit of the insurance giant Chubb just in case of an event such as this, but as I have said in the past, cyber breach insurance is not a standard form policy and as a result, you don’t always get what you expect.  This is why we recommend conducting a cyber insurance assessment.

As the story moves forward, Bank of America, their credit card processor, fined P.F. Chang’s $1.9 million to cover the costs of reissuing cards and losses.  Notice that this number is greater than the rest of the expenses that P.F. Chang’s had from the breach.

P.F. Chang’s paid B of A and then asked Federal Insurance to reimburse them.  Federal said no and ultimately, Chang’s sued Federal.

This month a verdict in that suit came in and it validates my comment that you don’t always get what you expect.

There were some interesting twists and turns in the trial.

First, Chubb said that there was no coverage because Bank of America suffered the loss, not Chang’s, even though Chang’s was contractually required to reimburse B of A.

Then Chang’s said it should be covered under the privacy notification clause.  This seems a bit strange to me and the answer from the court was no.

Next Chang’s said it should be covered under the business interruption clause. This usually covers extra expenses you have to pay as a result of a covered event.  Again, the court said no.

Ultimately, it boiled down to the fact that Chang’s did not have PCI DSS coverage in their policy.  Whether they understood that at the time the policy was written or not is unclear.  Whether their broker understood that or not is unclear.  Whether Federal Insurance understood that and figured it was a great way to limit their liability in case of a breach is unclear.

What IS clear is that P.F. Chang’s gets to cover that check out of their pocket.

While they will not go broke over this, it is a great lesson for other people to make sure that they understand what they are getting, because $1.9 million to cover a breach of only 60,000 cards could sink a lot of companies and 60,000 cards is not a large breach.

This is only one example of how you can go wrong when it comes to buying cyber insurance.  The first step is to understand what coverage you need to have.  The second step is to make sure that your policy provides that coverage.  Outside help may be required in both cases.

Information for this post came from National Law Review and Lockton’s Blog.