The cyber market has evolved incredibly in a few short years. It’s been barely more than twenty years since the internet became a ubiquitous presence in the lives of most Americans. As cyberspace has grown, the risks attendant on cyberspace has grown as well. To meet the challenges of combining scope and risk, legislators and courts have had to move quickly to regulate this area and protect individuals from loss. At the same time, insurance companies have had to tailor policies to protect companies from the risks of doing business online.
Commercial general liability policies provide insurance on a per occurrence basis. What constitutes an occurrence, though, is an area of significant debate. This is an issue that constantly arises in construction cases, especially construction defect. The commercial general liability standard language defines an occurrence as an “accident . . .”. Yet courts have divided on whether faulty workmanship in the course of construction constitutes an “accident” and therefore an “occurrence” triggering coverage under a commercial general liability policy.
The clash between the stringent privacy requirements of HIPAA and the known vulnerability of most cyber systems creates a host of anxieties for most modern medical care providers. The Health Insurance Portability and Accountability Act requires that medical providers and insurers take reasonable precautions to ensure that the medical information of their patients remains private. At the same time, it is increasingly apparent that almost all cyber information systems have at least a few vulnerabilities, even if only through their users, and few systems can withstand a dedicated, concentrated cyber assault.
Wire transfer fraud claims resulting from cyber attacks have increased dramatically over recent years, and companies are losing millions of dollars in these attacks. As is common when a new business risk develops, organizations look to their insurance policies to help cover their losses. As we have shared in previous examples, the coverage is not always adequate.
The extent of coverage for a company that has been a victimized may be sparse, and the costs of any breach are ongoing. Consequences of a fraudulent wire transfer depend not just on the specific wording in the policies a business has purchased, but as seen in the following instances, also being upheld differently in different states.
When people think of Directors and Officers Liability Insurance, they often think of massive, publicly traded multinational corporations and shareholder derivative lawsuits that allege damages in the billions of dollars. This can lead smaller, private companies to assume that such coverage does not provide them with significant benefits. Yet these policies can cover a number of different types of losses that impact small companies. All businesses should consider whether directors and officers liability coverage might help them better manage their risks.
In claims handling and litigation, a little creativity with definitions can help advance a case forward. Occasionally, though, that creativity gets pushed a little too far. Fireman’s Fund recently won a declaratory judgment ruling they did not owe coverage to a luxury apartment building. The case hinged on the interpretation of a relatively simple word in the insurance policy - “vehicle.”
Social engineering scams continue to see reported increases in the number of claims filed and the damages suffered. These scams, also known as “The President’s Letter”, involve clever impersonation over email to trick employees into wiring money to the wrong bank account. A recent forecast estimated that damages suffered due to social engineering attacks would surpass $9 billion in 2018. With losses that high, businesses need to review their procedures and exposures as it relates to protecting themselves from social engineering scams.
Insurance lawsuits often turn on the definitions of words. This confusion results in extensive litigation over words that seem to have commonly understood meanings – words like loss or occurrence for example. With millions of dollars on the line, the exact definition of a single term within a policy can make or break a business. This highlights the need for companies to understand to the best of their ability what their insurance coverage provides and what it does, keeping a particular eye on what exclusions may apply.
Contracts in some industries, especially construction, often require an additional insured endorsement as part of the contract’s insurance requirements. This normally takes the form of the general contractor requiring a subcontract to list the general contractor as an additional insured on their general liability policy, as well as others. Because of these requirements, many general liability policies offer a blanket additional insured endorsement for any entity required to be added as an additional insured by a written contract. The language used in these contracts and endorsements can have far-reaching consequences and failing to understand them can cost companies millions of dollars.
Many businesses remain hesitant to purchase cyber insurance policies. Studies show fewer than a third of a businesses within the United States have specific coverage for their cyber risks. Yet losses resulting from those risks can easily reach catastrophic levels. This has left underinsured companies searching for unique recovery theories under their traditional insurance policies when suffering the types of losses that cyber insurance would cover.