2022 was another year that demonstrated the prominent dangers associated with cyber risks. Key contributors to the rise in cyberattacks include, among others, the constant increase in businesses’ digital footprints, the continuing prevalence of remote working practices and the instability in the geopolitical arena – as underscored by pro-Russian hacker groups, such as “Killnet,” which attacked U.S. civilian and military aviation targets in October 2022.
As cyber risks proliferate worldwide, adequate cyber insurance and other risk mitigation mechanisms increase in priority. Fortune magazine reported that the global cyber insurance market is projected to grow from $12.83 billion in 2022 to $63.62 billion in 2029. It is expected that cyber insurance premiums will increase commensurately with the increased market demand for cyber insurance. For example, premiums for cyber coverage increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the U.S.-based Council of Insurance Agents & Brokers, an association for commercial insurance and employee benefits intermediaries.
It is anticipated that new cyber insurers will enter the market, as we have already seen with the March 2023 launch of Intangic MGA, a managing general agent based in London that offers cyber parametric coverage.
Policyholders should pay close attention to courts’ evolving interpretation of cyber insurance policies and to the developing changes in the insurance market, in general, with respect to cyber coverage.
Below is a brief look at several standout legal developments in cyber insurance over the past year.
United States
One of the most closely followed cases is Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.) where a New Jersey state court held that the insurers could not invoke the policy’s war exclusions to avoid coverage of the policyholder’s more than $1.4 billion loss due to NotPetya, a cyberattack that took place in 2017. The court held that, although the insurers were aware of the increasing risk of cyberattacks, they “did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks.” On May 1, 2023, a New Jersey appeals court affirmed the trial court’s decision, holding that “the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’” Merck v. ACE demonstrates a win for policyholders with respect to an exclusion that will only become more significant and hotly debated in the wake of the Russia-Ukraine crisis and as geopolitical tensions continue to increase. However, policyholders should realize that insurers are beginning to change their policy language to limit their liability for cyber risks, especially those stemming from state-sponsored actions.
The Third Circuit case Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022), represents a win for policyholders on the significant issue of whether increased risk of data breaches can pose sufficient risk of “imminent harm” to confer class action standing in federal court. Clemens was a putative class action, brought on behalf of ExecuPharm employees whose personally identifiable information (PII) was compromised in a phishing attack. Relying on certain factual distinctions (e.g., the hackers’ criminal intentions were clear; sensitive data was stolen and was widely disseminated for criminal use), the court held that the putative class experienced sufficient “imminent harm” to satisfy Article III standing. Clemens provides a welcome example of a court recognizing that employers’ duty to protect their employees’ PII has “significantly broadened” in an “increasingly digitalized world.” The decision also provides a helpful blueprint for policyholders seeking to understand the factors that can demonstrate the imminence of losses caused by cyberattacks.
Travelers Property Casualty Company of America v. International Control Services, Case No. 2:22-cv-02145-CSB-EIL (C.D. Ill.), is another notable decision from this past year and represents an important lesson about the significance of policyholders’ responses in the application process. In Travelers, the insurer sought to rescind International Control Services, Inc.’s (ICS) cyber policy on the ground that the policyholder had misrepresented in the application process its use of multifactor authentication (MFA). Travelers contended that it would not have issued the policy to ICS had it known that MFA was not being used according to ICS’s representations. Travelers’ attempt to have the court rescind a cyber policy due to an insured’s alleged failure to use MFA is the first of its kind. Travelers reminds policyholders to be accurate in their insurance applications, and may reveal some defenses to invoke in case application elements do turn out to be inaccurate.
- Policyholders should pay attention to courts’ evolving interpretation of cyber insurance policies.
- Insurers try to use war exclusion to block coverage, with mixed results.
- Narrow court reading of term “direct loss” leaves post-incident expenses uncovered.
- Lloyd’s moves to exclude cyber coverage if incident was state-directed.