Risk Management
The complexities of cyber risk coverage
Policy terms and conditions vary widely and can result in gaps
By Donald S. Malecki, CPCU
Perhaps they are unscientific, but surveys conducted by various people on the subject of cyber-risk appear to have a consensus: The majority of businesses today do not maintain the proper insurance to cover those risks.
This is not surprising. One reason may be the same reason many businesses do not purchase specialized coverages, such as products recall, or copyright/trademark infringement coverages.
The very large businesses that can afford to purchase insurance do not because they believe that the risk management techniques in place are sufficient to reduce the chances of loss.
Smaller businesses, on the other hand, that actually could use some coverage for damage to software systems and business interruption and extra expense, along with crime-related, and liability (errors or omissions) coverages addressing cyber-risk, either cannot afford the coverage or do not know what they need.
In both categories—large and small businesses—there are likely to be gaps that can cause financial hardships. Part of these costs will likely be for what has to be incurred to hire competent legal counsel to maintain that their existing property/casualty insurance portfolios are sufficient to cover cyber-risk claims or losses.
Computer fraud coverage deficiencies
The problem with relying on traditional employer- or nonemployer-related crime coverage, as well as liability coverage, is that the property must be tangible in nature for coverage to apply. Many of the cyber-risks, on the other hand, deal with intangible property. Even if a computer fraud policy is purchased, there is still no guarantee that coverage will necessarily apply.
A court case that comes to mind with reference to a computer fraud policy is Royal American Group, Inc. v. ITT Hartford, et al., 1994 WL 14888 (OH App. 9 Dist.). Royal American was engaged in the business of providing customers with access to its long distance telephone network for a fee.
Royal American's long distance network was based on contracts with AT&T, U.S. Sprint, and Cable & Wireless, which permitted the Royal American to access these companies' individual long distance networks for use by the Royal American's customers. Connection was possible by using a "1-800" telephone number and a security code, which was stored in the Royal American's computer.
Apparently, an unknown individual using another computer accessed Royal American's computer and stole the security code. With the use of this code, unauthorized access resulted in more than $37,000 in unauthorized long distance charges to Royal American's computerized accounts of the other carriers.
During this period, Royal American had a CGL policy with ITT Hartford, which included specific coverage for computer fraud. This computer fraud coverage applied to "loss of, and loss from damage to, covered property," consisting of money, securities, and property other than money and securities.
Both parties agreed that the loss did not meet the definition for "money" and "property other than money or securities." The issue, therefore, was whether the loss resulting from unauthorized long distance charges could be included under the category of "securities," as defined in the general crime provisions.
There, the term "securities" was defined to mean "negotiable and nonnegotiable instruments or contracts representing either 'money' or other property and includes a. tokens, tickets, revenue and other stamps . . . in current use, and evidences of debt issued in connection with credit or charge cards . . . but does not include 'money'."
The trial court found that the insured's contracts to use the long distance networks of the other carriers were "contracts representing . . . other property," as defined under "securities" and that the damage resulting from these contracts was clearly covered property.
On appeal, the trial court's decision for coverage was reversed. The higher court stated that, even assuming for purposes of argument that the insured's contracts with the long distance carriers constituted securities under the policy, coverage was provided only for "loss of, and loss from damage to," covered property.
In explaining its rationale for overturning the trial court's decision, the appeals court stated that Royal American did not offer any evidence showing how the unauthorized long distance charges resulted in a loss of or damage to its rights under the contracts. Thus, Royal American's contractual liability for the unauthorized long distance charges was deemed not to be covered property under the insurer's policy.
One of the good things about court cases is that people can learn from the problems of others. In that vein, one of the questions that needs to be kept in mind is what it is that needs to be covered and whether the policy in question will fulfill that need.
It is a good point to remember also that traditional crime-related, property and liability policies apply to "tangible" property and that is not something that should be required when coverage is being sought for cyber-risk exposures.
Reference to a policy covering "loss of and loss from damage to" covered property has to be viewed with some caution because it may not apply in time of need. Another, more recent case in point is Vonage Holdings Corp. v. Hartford Fire Insurance Co., Civ. No. 11-6187 (U.S. Dist. Ct. N.J. 2012).
Vonage was a telecommunications company that provided voice and messaging services over broadband Internet networks. In late 2009, it discovered that one or more computer hackers, located outside of its premises, used a computer to fraudulently access Vonage's servers for purposes of transferring the use of those servers to themselves.
This allowed the hacker or hackers to route telephone calls to Cuba through one of Vonage's telecommunications carrier partners, Primus Telecommunications, Inc. (Primus). Primus billed Vonage for these unauthorized telephone calls.
During the time that the hacker or hackers transferred use of Vonage's servers, Vonage had "lost the ability to use the full capacity of its Gateway Servers, which were capable of handling approximately 2,000 simultaneous calls." As a result, Vonage claimed that this resulted in a loss of over $1 million and this was covered by its policy.
The insuring agreement of this policy stated in part: "We will pay for loss of and loss from damage to 'money', 'securities' and 'other property' following and directly related to the use of any computer to fraudulently cause a transfer of that property from inside the 'premises' or 'banking premises'."
Under the terms of this policy, "other property" was defined as "any tangible property other than 'money' or 'securities' that has intrinsic value." The term "premises," was defined to mean "the interior of that portion of any building which you occupy in conducting your business."
Vonage described its gateway server as "a tangible piece of computer equipment, which connected telecommunications networks with cables, fibers and other electronic devices and apparatus, and has intrinsic value to the core call processing aspects of Vonage's business."
These servers, moreover, allowed for the routing of telephone calls to Vonage's public switched telephone network partners for the termination of off-network calls. They were located at Vonage's leased business premises in New York.
Not unexpectedly, one of the reasons the insurer denied coverage was based on its success in the earlier mentioned Royal American Group, Inc. v. ITT Hartford case. In relying on this case, the insurer argued that contractual liability for the unauthorized long distance charges was not covered property under the computer fraud policy at issue in this case.
The insurer in the Vonage case also contended that the insured did not properly plead that it suffered a "loss of" its property or "loss from damage" to its property. According to the court, however, the lost ability of Vonage to use the full capacity of its servers satisfied the pleading, insofar as that argument was concerned.
Nonetheless, as matters turned out, no one won its argument. It was the court's decision that it required more information concerning what the parties intended when the contract was formed.
Minefield of opportunities
The fact that many businesses have not as yet purchased some kind of cyber-risk insurance against their property, liability and crime exposures means opportunities for producers in a relatively undeveloped area.
Producers, however, need to be very careful on the forms of protection to be sold. The products, in other words, simply cannot be taken off the shelf and offered without knowing something about the risks confronting businesses.
What complicates matters is that the policies of some insurers offer a variety of coverages from which the insured can choose. It is like choosing the named perils or causes of loss when an insured decides not to purchase an open perils policy. No one knows for sure whether a loss will be covered until after something happens.
Even when all of the coverages offered are purchased, there still is no guarantee that all of an insured's exposures will be covered. Producers have to keep in mind that, while the intent of insureds is to obtain coverage in time of need, the intent of some insurers is to keep from paying anything at all costs.
The idea, for example, that a cyber-risk policy covering computer fraud is limited to "loss of" or "loss from damage to" covered property appears to fall short of the mark. What one needs to keep in mind is that there is a difference between "loss of" and "loss of use." See, for example, the case of Advanced Network, Inc. v. Peerless Insurance Company, No. DO55632 (Ct. App. 4th Cir. 2010), where theft of money was held not to be covered under a CGL policy because it was considered to be "loss of" and not "loss of use" of tangible property not physically injured.
Parenthetically, not all claims involving theft of property are covered by a CGL policy. When the right facts are present, however, it has been possible for an employer to obtain coverage for theft at the hands of one of its employees. When coverage applies, it is considered to be loss of use of tangible property not physically injured. In the above case, however, the insurer threw a curve ball and won its argument against coverage.
It is probably a good idea for producers to stay away from policies where the insuring agreements are too narrow, such as in the two preceding cases, since they will cause more problems which insureds and producers alike would rather avoid.
What also may be a good idea is for producers to further their education and understanding of this fertile area of future production by taking classes or attending seminars whenever possible. With plenty of opportunity to broaden one's knowledge will come the rewards of better earning capacity and happy insureds.
|