An article by Daniel B. Garrie and Yoav M. Griver

ZEK law firm – Zeichner Ellman & Krause LLP, USA

 ——————————————————————————

 It seems every month we are hearing about another multi-million dollar cybersecurity breach. We have seen eBay, Target and Home Depot take huge hits, with Target having lost over $252 million and its CEO because of a particularly messy breach back in 2013. Among the most recent high-profile victims are U.S. health insurance provider Anthem and Sony Pictures, who are conservatively estimating to have suffered over $100 million and $35 million in losses, respectively

In response to escalating cyber threats, more and more companies are seeking to obtain cyber-specific insurance policies. As this new form of insurance evolves, it is critical to grasp the nature of the protection needed, in order to obtain appropriate cyber coverage and avoid costly pitfalls

Companies are realizing that standard commercial general liability (“CGL”) policies generally do not insure against cyber attacks, and insurers are becoming increasingly willing to litigate CGL cyber coverage issues – see footnote #1 below

For instance, in the aftermath of Sony’s PlayStation Network data breach in 2011, Sony’s insurer, Zurich American Insurance Company, commenced a lawsuit seeking a declaratory judgment that it was not obligated to insure Sony for losses relating to its cyber-attacks.  The court agreed, and Zurich was not required to indemnify Sony under its CGL policy- see footnote #2 below

The onslaught of cyber-attacks has compelled insurance companies to write specific cybersecurity insurance policies with specific limitations and coverages. Thanks to these cyber policies, Target, Home Depot and Sony Pictures were able to receive significant insurance reimbursements to mitigate the substantial costs they incurred post breach.  For example, Target’s net losses, went from $252 million to $105 million, after subtracting their cyber security insurance reimbursement and tax deductions

The current cyber pricing is evolving rapidly today.  The uncertainty reflected in cyber insurance premium and coverage is partially caused by the information asymmetry between insurer and insured.  An insurer typically does not have the resources to monitor an insured’s cybersecurity actions beyond collecting information via forms and initial inquiries.  In addition, companies are reluctant to make public their experiences with cybersecurity breaches.  While technologies are being developed to help insurers become more informed about cyber risks, these solutions are just starting to enter the marketplace – see footnote #3 below

Irrespective of these issues, companies are increasingly facing more risk with each major breach.  For example, Target now faces class action lawsuits brought on behalf of consumers and financial institutions alleging, inter alia, that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data – see footnote #4 below

The case has survived Target’s motion to dismiss and may be an important step towards addressing the moral hazard and inefficiency of the current cyber insurance market

The Target litigation should serve as a wakeup call to small or big companies, public of private, that it is time to obtain cybersecurity insurance that helps determine where damages are likely to fall

At this point, virtually all of the major insurers offer cyber insurance, which comes in many forms. The various types of cyber policies offered include coverage for expenses related to breach investigation, remediation, and legal fees, as well as damages to various third parties such as consumers or cloud service providers

Most major insurers also offer special cyber products to cater to a company’s specific cyber needs

The key thing to remember is that if you are going to seek cyber insurance it is critical that you consult with qualified and knowledgeable legal counsel and other experts, to help make sure you obtain the right policy; to make sure you and your organization are effectively managing cybersecurity risk; and to avoid being left unprotected when dealing with complex and expensive cybersecurity breaches

  ——————————————————————————

The authors are partners based in the New York office of Zeichner Ellman & Krause, LLP (“ZEK”).  The opinions expressed herein are the authors’ alone, and do not necessarily reflect the views of the ZEK law firm, its clients, or affiliates

This article is for general information purposes and is not intended to be, and should not be taken as, legal advice. ZEK maintains a U.S. foreign attorney’s office in Tel Aviv operating as Zeichner Ellman & Krause PC

 ——————————————————————————

Footnotes

Footnote #1- See Angela Yu, Let’s Get Physical: Loss of Use of Tangible Property as Coverage in Cyber Insurance, 40 Rutgers Computer & Tech. L.J. 229- 2014

Footnote #2- See Zurich Am. Ins. Co. v. Sony Corp. of Am., Index No. 651982/2011 – Sup. Ct. N.Y. Cty. February 21, 2014

Footnote #3- See Mike Lennon, New FireEye Services Help Insurance Industry Manage Exposure to Cyber Threats, Aug. 7, 2014, link

Footnote #4- See In re: Target Corp. Customer Data Security Breach Litig., MDL. No. 14-2522 (PAM/JJK), Dist. Minn., Mem. and Order, Dec. 2, 2014