At the 2017 NetDiligence® Cyber Risk & Privacy Liability Forum in Santa Monica, CA, a panel discussed how your cyber insurance policy could be triggered without a data breach.
The panel included:
- Laurie Kamaiko – Partner, Sedgwick LLP
- Evan Fenaroli – Underwritng Manager, Philadelphia Insurance Companies
- Chris Keegan – Senior Managing Director, Beecher Carlson
- Dave Molitano – Senior Vice President, W.R. Berkley Corporation
- Richard Mather – Vice President Claims Group, Allied World Insurance Company
By definition, a breachless cyber claim is one that triggers a cyber liability without breach of the insured’s systems or devices. Some carriers take the position that without a breach there can be no liability under a cyber policy. However, some have been able to establish coverage due to “Breech of Duty of Security” under any statute or regulation that triggered regulatory reporting requirements. Examples include violation of HIPPA or other regulations, violation of FTC rules, and distributing software with a vulnerability. False advertising can fall under part of certain cyber policies if the false advertising involves something pertaining to cyber security.
An example of a breachless cyber claim was an airline that suffered a system shutdown because a power loss. Another example was an airline that suffered a software glitch that resulted in significant system disruption. Because these claims involved their systems the cyber policy could be breached.
Denial of service attacks could also be considered a breachless claim as they do not actually enter the target’s system.
Other types of breachless claims that could trigger a cyber policy include:
- Fund transfer/spoofing – If the erroneous fund transfer was triggered by social engineering using a fraudulent email or text.
- Media liability – Risk of sharing information electronically that violates copywright and trademark laws. Examples include sharing photos or videos illegally. Some have argued disparaging commentary on social media could trigger a cyber policy but others argue this is not the intent of the policy. The media liability is a very common trigger on a cyber policy and these can be very large claims.
- Wrongful collection – This is excluded on some policies but you are seeing this covered on more policies.
- Use of unlicensed software – Depending on the pleadings in a lawsuit this could trigger a cyber policy. Especially since the duty to defend is broader than the duty to indemnify.
- Interruption of suppliers
- Pure statutory violations – States have laws around collection and use of biometric data from individuals. If these laws are not followed it could trigger a statutory violation and a lawsuit.
Gaps in Coverage
Are there exposures that should be covered under a typical cyber policy that is not currently? Possibly yes. If risks are identified that can be tied to the cyber policy then carriers could give clients a choice for additional coverage in exchange for additional premiums.
From a carrier’s perspective, carriers will only provide coverage for something that they feel can be adequately underwritten. Can the exposure be defined and quantified? Can the risk be mitigated? If not it is not insurable.
Cyber is an evolving risk. Because of this, the coverage is constantly expanding to meet the needs of insureds as new exposures are identified.
Types of Damages
The most common form of damages for breachless claims are regulatory fines and penalties. These can be very substantial. Defense costs are also a common type of damages. There could also be regulatory compliance costs, property damage, bodily injury, network interruption, and liability to clients, customers and vendors.