Ramifications from the CDK cyber event continue to evolve. While the ultimate impact on auto dealerships remains uncertain, the CDK outage has already caused and likely will continue to cause significant financial damage. Dealerships and other dependent businesses may have insurance coverage for the losses incurred. However, it is critical that these businesses take steps now to protect their rights and maximize potential insurance recovery.
First, companies that have been or may be at risk of being impacted by the CDK cyber event should reach out to their broker or insurance coverage counsel as soon as possible to identify insurance policies that potentially may respond. They may have coverage through a cyber policy, a property policy, a business owners policy, or other insurance policies depending on the company’s program (which could be individualized to a dealership or part of an insurance program provided on a group basis). Among other things, companies may have coverage for the business interruption caused by the CDK cyber event. Even though a company, as the policyholder, may not have directly suffered a cyber-attack, insurance may cover losses caused by an attack on a business partner or vendor. This type of coverage is referred to as “contingent business interruption” and may be included in a cyber policy or otherwise part of a larger insurance program.
Companies may also have coverage for crisis communications and extra expenses incurred because of the CDK outage. In addition, some policies provide coverage for the costs incurred in preparing an insurance claim itself, such as the fees for a forensic accounting firm to quantify financial losses, which likely will be required to submit an insurance claim. Of course, it is always prudent to consult experienced coverage counsel at the outset to ensure all available losses are captured in the claim.
Critically, all insurance policies contain notice requirements, and often the deadlines are short. Providing timely notice is key. Companies should review and provide timely notice under all potentially applicable policies.
To the extent a company collects legally protected data in the course of its business (such as personally identifiable information, or “PII”), and has transmitted that data to CDK, the company may also face liability claims and lawsuits alleging, among other things, negligence or other breaches of duty and violations of privacy and data breach notification laws. Insurance coverage may also be available both to defend companies against such claims and to pay any resulting settlement or judgment. Policy language differs, however, so businesses should review their coverage carefully in advance of any such claims and be ready to notify all responsive insurers should they receive such a demand from an opportunistic plaintiff. Moreover, most insurance policies require that policyholders obtain the insurer’s consent to engage defense counsel or incur defense costs. Companies should promptly engage with their insurance carriers to obtain any necessary consent.
In addition, as you evaluate your coverage and navigate the claim process, please consider the following:
- Have any breach counsel or defense counsel or other outside counsel been retained to assist in mitigating the impact of the incident?
- Have any incident response vendors been retained to address the incident and the impacts on the business?
- Have point person(s) been established at each dealership or for the group to track every expense and loss incurred as a result of the incident and to communicate with any applicable insurers?
- Have you received any ransom demands or other communications from threat actors claiming to have your customers’ data or threatening other harm?
All these issues impact a company’s ultimate loss and may be recoverable through insurance as long as the company accurately identifies coverage, gives timely notice and seeks required consent to engage counsel and professionals, tracks losses, and prepares claims with the guidance of the right professional.
Reed Smith regularly counsels business clients who are dealing with cyber events of their own or the ramifications of cyber events of others that cause loss. Should you have any questions on these issues or if you would like to discuss your individual options, please feel free to contact us.
Client Alert 2024-147