The NotPetya and WannaCry events have resulted in certain high-profile legal actions where coverage has been denied by insurers. Separately, Target recently filed suit against its general liability insurer to settle the costs of repaying card issuers for its 2014 cyber breach. Recent media coverage has criticized insurers for not paying cyber claims, and these cases only serve to further compound the media impression that cyber policies do not pay, according to Guy Carpenter colleagues Siobhan O’Brien, International Cyber Center of Excellence Leader, and Erica Davis, North America Cyber Center of Excellence Leader. Importantly, none of these cases involves a cyber policy denying cover; rather, they involve clients seeking “silent cyber” coverage under traditional policies.
Case law involving silent cyber claims has the potential to expand (re)insurer exposures significantly. In a recent Maryland federal court case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, the insured (National Ink) sued its insurance provider (State Auto) over the insurer’s decision to deny its property damage claim following a ransomware attack. State Auto argued that because National Ink only lost data, “an intangible asset,” and the computers National Ink was seeking to replace were not inoperable, the cyberattack damage did not meet the criteria of a “direct physical loss.”
Judge Stephanie Gallagher ruled in favor of the insured, noting that the policy in question expressly lists data as an example of covered property, and contains the phrase “including software” in its heading describing covered property. Though National Ink’s computers still functioned after the attack, the judge found that the overall damage to the efficiency of the computer system also constituted physical loss or damage. Despite this, it is important to clarify that Maryland courts “have not expressly decided whether data or software can be susceptible to physical loss or damage.” With the increasing prevalence of ransomware and coverage being sought under non-cyber policies, including property, kidnap and ransom, and crime, we will no doubt see a rise in legal disputes around coverage and further clarification of the intent of coverage under these policies in the future.
What does the future hold?
The NotPetya and WannaCry events of 2017 highlighted the potential catastrophic impact of silent cyber within non-cyber lines of business. To address this challenge, (re)insurers require an effective means of qualifying and quantifying the risk of silent cyber across their whole portfolios.
To help, Guy Carpenter has established a relationship with RiskGenius, an insurtech firm that utilizes artificial intelligence to evaluate potential silent cyber exposure at an individual policy level. This provides clients with a means of assessing their silent cyber exposure at scale, whilst generating much deeper risk insight that will support a greater understanding of silent cyber at an industry level. Regulators, Lloyd’s and (re)insurers will all continue to clarify their respective intentions and appetites for cyber in standalone policies and inclusion of cyber in traditional lines. This should give clients greater clarity of the intent of coverage under their insurance contracts, though there will be some tough negotiations in situations where clients believe they are potentially losing coverage.
The ongoing litigation demonstrates the importance of attaining clarity on the coverage, and the costs to both sides if this issue is not resolved. Standalone cyber insurance grew to USD 6.4 billion in 2019 (1) and is expected to continue to grow to USD 20 billion by the year 2025, driven in part by this eradication of cyber under other policies and the business community’s increasing awareness of the risks of cyber. These market movements reinforce the need for the (re)insurance industry to develop new cyber products so we can respond with innovative risk transfer options as cyber exposures continue to expand.
(1) A.M. Best