Given the relative newness of cyber insurance policies, comparatively little case law exists interpreting these policies in the context of claims. Courts have sometimes struggled with how to interpret unique policy provisions in the context of variations of computer fraud. While some courts have taken highly technical approaches to the language contained in the policy, other courts have taken a more relaxed approach based on the understanding of the parties. A recent case out of the Eleventh Circuit Court of Appeals highlights these issues. Principle Solutions Group, LLC v. Ironhorse Indemnity, Inc. tackled a claim dispute between an insured business and an insurance company involving a cyber claim.
Companies without cyber insurance can find themselves in difficult situations. As more and more vital business functions migrate to electronic systems, companies without cyber insurance have to try and find coverage for any damage to their systems through traditional insurance policies. That approach can work depending on the specifics of a policy and a claim, but it might lead to additional legal costs fighting with the insurance company.
Ransomware attacks have increased in frequency over the past few years. They now rank as the second most frequent type of claim against cyber insurance policies. Experts estimate that a new business is hit with a ransomware attack every fourteen seconds. For 2019, early information is showing that the frequency of ransomware attacks may be decreasing. This seemingly positive trend comes with two significant drawbacks however.
In the event of a cybersecurity breach, any company with a cyber insurance policy should contact their carrier as soon as possible. One of the first steps the cyber insurance carrier will take is to hire a forensics company to investigate the breach. Digital forensics is one of the more expensive aspects of most cyber claims, with costs typically ranging from $20,000 to $50,000.
There are recognized patterns of higher risk. For example, Hurricanes and earthquakes do catastrophic damage to a specific geographic area. These natural disasters pose unique risks to insurance companies as a result of that history. If an insurance company insures at lot of this type of risk, it can face massive losses and have its financial stability threatened. For this reason, insurance companies try to avoid insuring too many homes or businesses (for this example) in an at risk area for hurricane or earthquake damage. While this helps keep insurance companies financially sound, it can make coverage harder to obtain for those who need it most.
The problem of Social Engineering techniques called Phishing, Whaling, Spear Phishing, Pharming, or Impersonation Fraud has become significant and widespread in recent years. The insurance industry has made efforts to keep these risks in mind for cyber liability policies. Sometimes there is language added that will protect a company, but sometimes communication is added to a basic policy that would not protect a business against these specific risks.
When businesses think of ways that poor cyber security can lose them money, they often think of hackers breaching their systems. It’s easy to picture this as a pitched battle between the cyber criminals storming the castle walls, and the defenders seeking to repel them. Unfortunately, some cyber incidents and privacy breaches occur not through the concerted efforts of the bad guys; instead they happen due to simple mistakes and negligence by a company’s own employees.
Ransomware continues to be a popular tool among hackers and cyber criminals. By locking users out of their own systems, these cyber criminals can extort significant payments from companies who risk losing way more money due to the interruption to their business. Traditionally, the number one target of ransomware attacks has been the healthcare industry due to the incredibly time-sensitive nature of their business. Recently however, hackers have focused their attacks on industrial businesses which is bad news for product manufacturers and physical plants.
How much would it cost your business to shut down for a week? How much would it cost your business to shut down for a month? Employees unable to get work done, unable to complete sales orders or deliver products to your customers? For some businesses, the answer to that question can be in the millions.
The Dark Overlord hack stands at the intersection of a number of prominent issues in the modern world: terrorism, cyber warfare, confidentiality and privacy. On New Year’s Eve, 2018, a group of hackers calling themselves Dark Overlord stated they had hacked confidential legal files related to the insurance litigation that followed the 9/11 attacks. The hackers demanded a ransom from the law firm from whom the information was stolen. Apparently, the ransom was paid but the law firm breached the terms of the ransom by reporting the breach to law enforcement. Now the hackers have threatened to sell the information online through the dark web.