The Cyber Insurance Broker Conundrum

Transcription

1 CLM 2017 Annual Conference March 29-31, 2017 Nashville, TN The Cyber Insurance Broker Conundrum The Cyber Insurance Broker Conundrum I. Introduction P.F. Chang s is reeling after an U.S. District Court ruled that its insurer is not obligated under its cyber policy to reimburse P.F. Chang s for $1,900,000 for assessments levied by MasterCard following a massive data breach. 1 Bitpay was deceived by a hacker into transferring $1,850,000 to the hackers account. Imagine the shock of Bitpay when its cyber insurance carrier denied the claim. 2 Why didn t the insurance agent or broker selling these insurance policies point out the critical policy deficiencies and the importance of the application representations? Ignorance or lack of due diligence is the most probable explanation. Insurance brokers are unnecessarily exposing themselves to risks because they are selling cyber insurance endorsements and policies without fully understanding them or their client's cyber risk profile. With the avalanche of cyber breach claims, companies are pressuring their brokers to procure comprehensive cyber coverage. Companies are assuming that the purchase of a cyber policy provides complete financial protection. They assume wrong as do their brokers. When the cyber insurer rightfully denies coverage, insureds are looking to their insurance brokers to make 1 P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., No. CV PHX-SMM, 2016 WL (D. Ariz. May 31, 2016). 2 Ms. Smith, Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack, NETWORK WORLD, In 2014, the CFO of a Bitcoin payment company, Bitpay, had his credentials stolen. The hacker used the stolen credentials to study the CFO s s, and then sent fake s, disguised as the CFO, to the CEO of the company requesting three different Bitcoin payments. The CEO made the three transfers valued at $1,850,000 (5,000 Bitcoin) to the hacker s designated Bitcoin wallet. The insurance company claimed the policy language only applies to fraudulent Bitcoin transfers where an unauthorized user fraudulently causes a transfer of money to an outside person or place, but because the CEO was authorized, this clause did not apply.

2 them financially whole and are in turn triggering a new wave of litigation: errors and omission claims against insurance broker. II. Duties Imposed on Cyber Insurance Brokers and Agents It is well established that tort liability and a duty of care can be imposed by statute and common law. For insurance brokers and agents jurisdictions have uniformly adopted a general duty to act with reasonable care, skill and due diligence in procuring requested insurance. This general duty has been described as the duty to procure proper insurance for the client. Most jurisdictions have imposed some form of duty to advise. When the duty to advise is imposed, the broker is held responsible for failing to offer the insurance coverage for which the insured should have been advised. For example, in Southwest Auto Painting & Body Repair v. Binsfield, 904 P2d 1268 (Ariz. Ct App 1995) the broker fell below the standard of care for failing to advise to procure employee dishonesty and theft coverage which resulted in the client s uninsured loss. In the cyber insurance context, the duty to advise places a heightened burden on the insurance agent or broker to have a complete, working knowledge of the intricacies of the different cyber insurance policies available. Every client will require a unique analysis for a cyber policy or cyber coverage that will best suit their needs, e.g. a retail company that processes credit card information will require a very different policy than a healthcare provider who owns protected health information. Different industries will need more coverage in some areas, like forensics, notification, public relations, etc., but may require very little coverage for other areas, such as PCI fines and penalties. This is further complicated by insurance carriers own lack of knowledge in regard to underwriting cyber risks as well as reluctance to tailor policy language (manuscript policies versus standardized policy language) to meet a particular client s needs. Policy triggers for coverage are further blurred by policy definitions incorporated into the policy that leave room for ambiguities to arise. The summation of these issues coupled with the agent or broker s lack of understanding their customer s true cyber needs creates a perfect storm for the influx of new litigation being brought by dissatisfied customers against both broker/agents as well as carriers. III. Challenges Facing Cyber Insurance Brokers Each advance in technology brings with it multiple new related risks and exposures. The speed at which cyber risk has evolved, and continues to evolve, has left everyone in a state of frustrated confusion. Courts, legislators, regulators, insurance carriers, insurance brokers and the business world are all struggling to keep up! Insurance brokers are on the front lines when it comes to helping businesses transfer and manager cyber risk. As a result, brokers are in a

3 highly precarious position with respect to liability exposure arising in connection with the counseling and placement of cyber insurance products. One of the primary challenges facing insurance brokers is the rapid evolution of the exposures and the insurance product. The cyber insurance market is still in a state of relative infancy and is developing with rapid inconsistency. There are over 50 carriers offering standalone cyber insurance products and almost all carriers offer some level of cyber insurance via endorsements to traditional products. These stand-alone cyber insurance policies are lengthy and complex and can be heavily endorsed. Most policies contain multiple insuring agreements a combination of third-party liability coverage and first-party direct coverage. Unfortunately, because this is still a new product, the market has not yet reached a level of standardization in coverage scope, defined terms or, even, terminology. As a result, comparing coverage offered by one carrier to that offered by another carrier, in a meaningful way, is nearly impossible! Another significant challenge brokers face with respect to cyber insurance placement relates to the adequacy of limits. Companies often rely heavily on their insurance broker to advise them as to how much insurance they should purchase. When answering this question in connection with traditional lines of insurance, the broker has significant historical and industry/peer-group data upon which they can rely. This does not (yet) exist when it comes to cyber insurance products. To further complicate things, many cyber insurance products contain multiple different limits, with sub-limits and even sub-limits within sub-limits. To add insult to injury, cyber risk does not (yet) fit squarely within any one insurance product not even a stand-alone cyber insurance policy. As a result, insurance brokers must also consider and advise their clients about how a stand-alone cyber insurance policy will interact with the company s other traditional insurance policies. Evaluating the overlap and interaction is an incredibly challenging and time consuming process and requires an in depth knowledge of insurance products and coverage across multiple lines of business property, employment, errors and omissions, directors and officers liability, commercial crime, kidnap and ransom etc. Unfortunately, the challenges facing brokers are not likely to disappear anytime soon. In fact, they will likely multiply; at least until the cyber insurance market has some history behind it and finds some semblance of standardization. IV. Liabilities/Exposures of Cyber Brokers Claims against brokers and agents are just as inevitable as the cyber breaches themselves in this dynamic insurance space. There are five distinct categories of claims against brokers that are most likely to evolve: (1) failure to procure coverage for regulatory actions, fines, and penalties; (2) failure to inform the insured of sub-limits; (3) failure to procure coverage for Payment Card Industry assessments; (4) failure to discuss ramifications of insured s failure to comply with the warranties and representations in the application; and (5)

4 general failure on the to understand the insured s business and what coverages are needed for damages arising from a cyber breach. Coverage for Regulatory Actions/Fines/Penalties: The importance of regulatory coverage is best illustrated in Federal Trade Commission v. Wyndham Hotels. 3 That case began because the Federal Trade Commission ( FTC ) filed a lawsuit against certain corporate entities affiliated with Wyndham Hotels, claiming that Wyndham Hotels failed to provide reasonable security measures for its customers information, such as credit card numbers, and allowed the unauthorized access of such data on multiple occasions. The FTC alleged that this failure violated the FTC s Acts prohibition on unfair and deceptive trade practices. The Third Circuit court agreed with the FTC, and found that the FTC has authority to regulate cyber security. Ultimately, Wyndham had little choice but to settle with the FTC. Many cyber insurance policies will not provide coverage for regulatory proceedings. Coverage for fines and penalties arising out of regulatory proceedings is not frequently found in traditional insurance products. Generally speaking, coverage for fines and penalties is considered to be against public policy and thus uninsurable as a matter of law. Most standalone cyber insurance policies affirmatively provide coverage for the defense of regulatory actions arising from a data or security breach, as well as resulting fines and penalties to the extent such are insurable under the law. Many stand alone cyber insurance policies affirmatively provide coverage for the defense of regulatory actions arising from a data or security breach, as well as resulting fines and penalties to the extent such are insurable under the law. The scope of coverage that exists within the various policies out there varies greatly. Some policies contain very broad coverage, while others have a very narrow definition of regulatory proceeding It is therefore incumbent up on the cyber insurance broker to procure a policy includes broadest form of coverage for the types of regulatory proceedings that may be triggered as a result of the insured s operations. 4 Cyber Insurance Sub-Limits. Cyber insurance policies are unique in that many contain multiple sub-limits that are not typically found in traditional insurance policies. Due to the sheer number of sub-limits and that oftentimes sub-limits within sub-limits of stand alone policies the insured can be easily confused. Greater confusion can occur where cyber coverage is conferred via an endorsement that does not have a separate declaration page outlining the limits available for the endorsed coverage. Given industry knowledge that unsophisticated insureds do not carefully review 3 F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 608 (D.N.J. 2014). 4 John Jo & Alicia Gilleskie, Cybersecurity Insurance One Size Does Not Fit All, SMITH ANDERSON,

5 the policies, the brokers duty to act with reasonable care may very well require the broker to not only understand the sub-limits but also properly counsel the insured on the financial implications of the sub-limits. A broker learned this lesson a hard way in a highly publicized case involving the Louisiana s historic Hotel Monteleone. In that case, Hotel Monteleone purchased a cyber insurance policy through Eustis Insurance Co. ( Eustis ), an insurance broker for Ascent Underwriting. 5 In 2013, the Hotel Monteleone was the victim of a cyber-attack, which resulted in PCI liabilities in excess of $200,000. After the incident, the hotel sought out and purchased a cyber policy in order to protect itself against similar future losses. Hotel Monteleone alleged that Eustis was tasked with finding it a cybersecurity policy that would have reasonably covered future fraud and reimbursement charges following the 2013 attack. The hotel was advised the policy would cover against similar losses in the future, and contained general limits of $3 million. Approximately one year later, Hotel Monteleone was again the victim of a cyber-attack. When the hotel made a claim for their losses, the hotel learned to their detriment that the policy contained a sub-limit of $200,000 for PCI Fines, Penalties, and Assessments. The hotel was denied coverage for the very type of insurance they sought out after the first loss, and in turn sued Eustis Insurance. The case ultimately settled for an undisclosed amount. Payment Card Industry Fines, Penalties, and Assessments: Every business that processes credit card transactions must sign a Merchant Services Agreement, with either the bank or processor. 6 Within that agreement the business is contractually agreeing to comply with the PCI-DSS (Payment Card Industry Data Security Standards). Credit card breaches are often discovered after the business s merchant bank or card brand finds multiple fraudulent charges that were used at one common point. Should the business be the common point, the business itself will be contractually bound to conduct a forensic investigation to determine the scope of the breach, and if the business was PCI-DSS compliant at the time. These forensic costs can be extreme. Additionally, the payment card brands will be looking to recoup their operational expenses, such as for card re-issuance, notification, or counterfeit fraud recoveries incurred in connection with the breach. Also, any non-compliance with the PCI-DSS will result in fines, based on the breach and size of the business. Some insurers offer coverage for PCI fines and penalties only via a sub-limit. Other insurers have expanded the coverage to include fraud assessments, card reissuance costs, or forensic investigation costs, either with full policy limits or via a sub-limit. 5 New Hotel Monteleone, LLC v. Eustis Insurance, et. el, Copy of Complaint, available at B.ashx. 6 PCI Costs Covers: What Insureds Really Need, BIGGS INSURANCE SERVICES,

6 An example of failing to procure coverage for PCI fines involves P.F. Chang s ( Chang s ) which had a cyber insurance policy through Federal Insurance Co. ( Chubb ). 7 After Chang s purchased the cyber insurance policy from Chubb, Chang s experienced a breach in which hackers stole 60,000 credit cards. Chubb marketed the policy purchased by Chang s as an insurance solution that addresses the full breadth of cyber risks including direct loss, legal liability and consequential loss resulting from cyber security breaches. When Chang s sought $2 million in reimbursement for credit card related costs, Chubb denied the coverage. Chubb claimed, among other things, that Chang s had no reasonable expectation of coverage. Chang s then filed suit against Chubb. The court granted summary judgment in favor of Chubb because Chang s had previously made a separate contractual agreement with the credit card processing company to pay those costs associated with the breach. The case is currently being appealed by Chang s. The policy that was sold to Chang s was sold to cover the full breadth of cyber risks, and yet, $2,000,000 (and not to mention the subsequent legal fees) was not covered because of insufficient PCI fines coverage. Warranties and Representations: Cyber insurance policies are similar to other traditional policies in that an insured that typically agrees to comply with certain specified warranties and representations. These can often be generalized warranties and representations, full of legalese and boilerplate language. Cyber policy warranties and representations often require insureds to warrant they are maintaining proper administrative and technical security controls. These warranty statements can be highly technical in nature. As a result, the insured neither understands the warranties themselves nor the implications of signing the warranties. In Cottage Health Systems ( Cottage ) v. Columbia Cas. Ins., Cottage accidentally posted 32,500 patient records online without any security precautions. 8 Cottage had prepared for an event like this by previously purchasing an insurance policy from Columbia. A class action had been filed against Cottage, and Columbia paid to settle it for more $4,000,000. However, within that policy Cottage had answered affirmatively to a series of risk control assessment questions, which included implementing and maintaining certain protocols to help prevent breaches. Columbia filed a complaint for a declaratory judgment and reimbursement against Cottage because an exclusion within the policy provided that Columbia would not be liable if a loss was the result of failing to implement and maintain the protocols. Columbia alleged that Cottage provided false answers, and so Columbia should not have been responsible for the settlement costs. (The court dismissed the complaint based on an alternative dispute clause in the policy.) This coverage dispute might have been avoided had Cottage been advised of what was in the representations and warranties, and then simply followed them. 7 P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., No. CV PHX-SMM, 2016 WL (D. Ariz. May 31, 2016). 8 Columbia Casualty Company v. Cottage Health System, C.D.Cal. No. CV (filed May 7, 2015).

7 V. Implications for Insurance Carriers The implications for insurance carriers is already playing out. Cyber breaches are resulting in coverage battles between insurers and insureds. The most widely followed coverage battle was the Zurich American Insurance Co. v. Sony Corp. of America, et al., 2011 WL (N.Y.Sup.) case. Sony sought coverage under its Zurich s Comprehensive General Liability policy for theft of customer personal information by online hackers. Zurich filed a declaratory relief action requesting a ruling that the data breach did not qualify as bodily injury or property damage. Sony countered that the breach fell within the purview of the personal and advertising injury provision of the policy. The New York Supreme Court rejected Sony s position and found that coverage was not afforded. The case ultimately settled so the back story will never be known, i.e. whether the broker advised Sony that the cyber coverage was afforded under Comprehensive General Liability policy. Notwithstanding, one of the lessons to be learned is that coverage battles over cyber breaches are inevitable if agents and brokers fail to understand cyber threats, company vulnerabilities, and insurance coverages available that will best cover the business should the business need cyber coverage. There are also bad faith implications for insurance carriers. Cyber breaches require immediate action by the insured to minimize business interruption and reputational harm. Many cyber insurance carriers have negotiated vendor contracts for the emergency response and require by contract that insureds either use those vendors or obtain prior approval of nonapproved vendors for coverage to be afforded. Given the time constraints involved neither of these options is often practical for insureds. In other words, whether or not a broker properly educates the insured about these contractual requirements, the insured for a variety of reasons may hire its own preferred breach counsel and vendors. Should a carrier then deny coverage for the insured s failure to seek pre-approval or use its preferred vendors, this could trigger a bad faith claim. This is especially if the claims professionals failed to properly conduct a claim investigation before denying coverage. Insurance carriers are further exposed to bad faith claims when the insured begrudgingly agrees to use the insurance mandated vendors and those vendors fail to perform to the insured s expectations. The potential bad faith will turn on whether carrier failed to properly vet the vendors or assigned a vendor that actually makes the situation worse for the insured. VI. Conclusion: The learning curve is steep because technology is rapidly changing, hackers are becoming more sophisticated and the laws are constantly evolving. There is no question that brokers are in a conundrum. No policy is a one-size fits all in the cyber insurance world. At a minimum cyber insurance brokers should be asking the right questions to ensure the business covered for potential losses from a cyber breach. Rigorous training and education is the best way for agents and brokers to prepare themselves. As Benjamin Franklin once said, An investment in knowledge pays the best interest.