CYBER CLARITY NOT AT ALL CLEAR
Carrier efforts to draw the lines can’t erase the gray areas
By Joseph S. Harrington
Here’s a head-scratcher.
For a few years now, insurers, led by Lloyd’s of London, have been striving to eliminate “silent” coverage for cyber losses from commercial property and liability policies. In pursuit of “coverage clarity,” coverage for cyber losses is to be provided only through “affirmative” coverage grants in dedicated cyber policies and endorsements.
Of late, however, a wrinkle has arisen: What kind of claim is it when managers of a cyber-security company are sued for a loss?
In May 2022, directors and officers of a leading technology company with a focus on financial services were sued by a shareholder over the lost value of its investment. Among other things, the suit (Esposito vs. Block, Inc.) alleges that the firm had inadequate cybersecurity controls, that its systems were vulnerable to breaches, that it did not disclose a data breach in a timely and adequate manner, and that company statements were therefore false and misleading.
More recently, investors in another technology firm, Okta, brought a class action against the company after a former employee improperly downloaded customer data. The suit alleges the following:
“(1) that the Company lacked adequate protocols restricting access to customer sensitive information; (2) … as a result, a former employee was able to download … full customer names and brokerage account numbers … ; (3) … the Company was reasonably likely to suffer significant damage, including reputational harm; (4) … [thus the] defendant’s positive statements about the company’s business, operations, and prospects were materially misleading …”
Given the line of work these firms are in, how are such allegations not claims of management failings subject to coverage under directors and officers (D&O) liability policies? How can courts segregate the “cyber” liability from managerial and professional liability? (The two cases were referenced in a recent web seminar titled “Silent Cyber Continues to Strike Back,” sponsored by the Professional Liability Underwriting Society (PLUS). A recording of the event is available on the PLUS website, www.plusweb.org; PLUS membership is required to listen to the recording but is available free of charge.)
Not so unusual
What’s true of cybersecurity firms is to some extent true of almost any other type of business—and individuals as well. “Cyber” exposure is not like some hazardous substance or dangerous tool that one can easily identify and exclude from property or liability coverage. “Cyber” entails an augmentation of ourselves, the use of computer technology and information networks to extend what we can do and how we can do it.
Today, most of us think and act through cyber means, making it almost impossible in some cases to distinguish between a “cyber” and a “non-cyber” act, omission, event, or occurrence. If you fail to maintain the necessary systems capacity, protocols, and security to do a job, then you’re not doing the job properly.
Lloyd’s acknowledges the difficulty, even as it promotes the use of model clauses designed to make sure any cyber coverage is provided explicitly and affirmatively.
“Seeking to affirm coverage can be fraught with difficulty,” writes David Powell, head of technical underwriting for Lloyd’s Market Association, in a September 28, 2021, blog post. “If you use defined terms, there is a potential risk that an unforeseen event might fall outside a definition. If you try to describe coverage very broadly but without defining terms, the meaning becomes inexact and the insurer risks the wording being interpreted against [it].”
First-party questions
The challenge of isolating cyber coverage extends to first-party property losses as well as liability claims. As one example, in EMOI Services, LLC v. Owners Insurance Company, an Ohio appeals court ruled that malicious coding implanted by a hacker constituted “direct physical loss of or damage” to infected media, thus triggering property coverage under an endorsement to a businessowners policy.
While Lloyd’s leads the effort to exclude cyber coverage from non-cyber policies, it is also campaigning to exclude coverage under cyber policies for losses caused by warlike acts and/or supported by a state sponsor. By March 2023, Lloyd’s syndicates writing cyber coverage are expected to attach one of four model war-state actor exclusions to cyber policies.
Whether that effort will work out as planned has yet to be determined.
Early in 2022, the New Jersey Superior Court essentially voided a war acts exclusion used by an insurer to deny coverage for the pharmaceutical company Merck for extensive losses it incurred from the NotPetya cyberattack in 2017. While it was acknowledged that NotPetya was unleashed as a hostile act with knowledge of the Russian government, the court found that the war exclusion did not apply in the absence of violent action by armed forces.
Insurers hoped for a better outcome in an Illinois case testing the application of a war exclusion to losses arising from NotPetya, but the case, Mondelez Intl. Inc. v. Zurich Am. Ins. Co., was settled in October 2022.
“It is ironic that an approach intended to bring clarity sometimes causes confusion,” Powell writes. That confusion may be inherent and ineradicable in our cyber age.
The author
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.