2022 was another year that demonstrated the prominent dangers associated with cyber risks. Key contributors to the rise in cyberattacks include, among others, the constant increase in businesses’ digital footprints, the continuing prevalence of remote working practices and the instability in the geopolitical forum – as underscored by pro-Russian hacker groups, such as “Killnet,” which attacked U.S. civilian and military aviation targets in October 2022.
As cyber risks proliferate worldwide, adequate cyber insurance and other risk mitigation mechanisms increase in priority. Fortune magazine reported that the global cyber insurance market is projected to grow from $12.83 billion in 2022 to $63.62 billion in 2029. It is expected that cyber insurance premiums will increase commensurately with the increased market demand for cyber insurance. For example, premiums for cyber coverage increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the U.S.-based Council of Insurance Agents & Brokers, an association for commercial insurance and employee benefits intermediaries.
It is anticipated that new cyber insurers will enter the market, as we have already seen with the March 2023 launch of Intangic MGA, a managing general agent based in London that offers cyber parametric coverage.
Policyholders should pay close attention to courts’ evolving interpretation of cyber insurance policies and to the developing changes in the insurance market, in general, with respect to cyber coverage.
Below is a brief look at several standout legal developments in cyber insurance over the past year.
United States
One of the most closely followed cases is Merck Co. Inc. et al. v. ACE American Insurance Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.) where a New Jersey state court held that the insurers could not invoke the policy’s war exclusions to avoid coverage of the policyholder’s more than $1.4 billion loss due to NotPetya, a cyberattack that took place in 2017. The court held that, although the insurers were aware of the increasing risk of cyberattacks, they “did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyberattacks.” On May 1, 2023, a New Jersey appeals court affirmed the trial court’s decision, holding that “the plain language of the exclusion did not include a cyberattack on a non-military company that provided accounting software for commercial purposes to non-military consumers, regardless of whether the attack was instigated by a private actor or a ‘government or sovereign power.’” Merck v. ACE demonstrates a win for policyholders with respect to an exclusion that will only become more significant and hotly debated in the wake of the Russia-Ukraine crisis and as geopolitical tensions continue to increase. However, policyholders should realize that insurers are beginning to change their policy language to limit their liability for cyber risks, especially those stemming from state-sponsored actions.
The Third Circuit case Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022), represents a win for policyholders on the significant issue of whether increased risk of data breaches can pose sufficient risk of “imminent harm” to confer class action standing in federal court. Clemens was a putative class action, brought on behalf of ExecuPharm employees whose personally identifiable information (PII) was compromised in a phishing attack. Relying on certain factual distinctions (e.g., the hackers’ criminal intentions were clear; sensitive data was stolen and was widely disseminated for criminal use), the court held that the putative class experienced sufficient “imminent harm” to satisfy Article III standing. Clemens provides a welcome example of a court recognizing that employers’ duty to protect their employees’ PII has “significantly broadened” in an “increasingly digitalized world.” The decision also provides a helpful blueprint for policyholders seeking to understand the factors that can demonstrate the imminence of losses caused by cyberattacks.
Travelers Property Casualty Company of America v. International Control Services, Case No. 2:22-cv-02145-CSB-EIL (C.D. Ill.), is another notable decision from this past year and represents an important lesson about the significance of policyholders’ responses in the application process. In Travelers, the insurer sought to rescind International Control Services, Inc.’s (ICS) cyber policy on the ground that the policyholder had misrepresented in the application process its use of multifactor authentication (MFA). Travelers contended that it would not have issued the policy to ICS had it known that MFA was not being used in the manner ICS had represented. Travelers’ attempt to have the court rescind a cyber policy due to an insured’s alleged failure to use MFA is the first of its kind. Travelers reminds policyholders to be accurate in their insurance applications, and may reveal some defenses to invoke in case application elements do turn out to be inaccurate.
Australia
Inchcape Australia v. Chubb, [2022] FCA 883, is the first judicial decision in Australia to analyze the impact of clauses in a cyber insurance policy that predicate coverage on “direct financial loss”; that is, damages that result “directly” from cyber incidents. In Inchcape, the policyholder automotive company sought declaratory relief in connection with a ransomware attack for which it incurred financial losses while investigating the incident, repairing and/or replacing hardware and software, and engaging additional staff to process its orders manually. In determining the scope of coverage, the federal court provided a narrow reading of the policy’s insuring agreements that required “direct financial loss” resulting “directly” from the insured event(s). The court held that the policyholder’s financial losses incurred in connection with its efforts to investigate the incident and to restore its operations did not constitute “direct financial loss resulting directly from” the insured events. The court reasoned that the policy’s requirement of “directness” indicated that losses caused by an intervening step that may not occur in every instance of cyber incidents, such as the policyholder’s attempt to investigate and address the attack, should not be covered.
Inchcape is a reminder that when assessing the scope of its coverage, every policyholder should consider the different types of losses it could incur from the various types of cyber events. Policyholders should also consider whether their policies include multiple “directness” requirements while assessing their coverage, in light of the precedent set by Inchcape.
United Kingdom
From the UK perspective, one particularly significant development involved Lloyd’s of London’s announcement in August 2022 that it will require all cyber insurers writing business through the Lloyd’s market (on a “go-forward” basis) to rewrite all standalone cyber insurance policies to exclude cyberattacks involving state actors. The change took effect on 31 March 2023.
Lloyd’s stated that its four “model” war risk exclusions for cyber war and state-backed cyberattacks that the Lloyd’s Market Association (LMA) had published in November 2021 (subsequently replaced in January 2023) meet this requirement and that its underwriters are able to decide which clause they wish to use. One of the more significant changes in this regard is that the insurers no longer have the burden of proving that a cyberattack is state-sponsored. Conversely, the insured has to establish that it is not.
In January 2023, the LMA published replacements of the “model” war risk exclusions with four clauses categorized as version “A” and a further four clauses categorized as version “B.” The “A” versions are said to meet the requirements of the Lloyd’s announcement of August 2022. However, since the “B” versions do not address attribution of a cyberattack to a state, these clauses are not compliant. If a Lloyd’s insurer decides to use the “B” versions, prior agreement from Lloyd’s is required, which would involve the insurer either (i) evidencing that a mechanism for addressing attribution has been agreed with its insured(s) or (ii) explaining why reference to attribution is not required. We expect to see future disputes relating to the scope and language of the war exclusion, in particular relating to whether certain cyberattacks are “state-backed” or “state-sponsored.”
Policyholders should be aware of these developments in the London market when reviewing their policies, particularly as the geopolitical scene becomes increasingly unstable.
Conclusion
These examples highlight a few of the more notable developments with respect to cyber insurance. Observers expect the market to develop and evolve around the interpretation and applicability of the war exclusion. Policyholders should stay vigilant and informed about the continuing evolutions now shaping cyber insurance coverage.