Cyber Threats: Get Ready and Get Tough
Insurers must clarify cyber policy wording, specifically causation coverage, going forward.
- Alan Rutkin
- August 2021
This column was written following several major cyberattacks. Within a short time, hackers breached a meat processor, a pipeline, a transit system, an insurer and others. Insurers should see this on at least three levels: Incidents are increasing; operating standards are intensifying; and coverage questions are evolving.
First, the frequency and cost of attacks seem likely to continue to climb. Ransom payments—on average and in total—are up. And reported data is likely incomplete because some victims fail to report.
There is no reason to expect the trend to change soon. People call for responses from the federal government and tougher security systems. Some debate whether cryptocurrency should be banned, as it is often used for ransom payments.
Even big problems are often controlled, if not cured. But I see no imminent solution.
This brings us to the second dimension: Companies are asked to toughen their defenses.
In June, the White House sent a direct warning on cybersecurity: “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.” Companies were told that cyber defenses must “match the threat.”
New York, my home, established cybersecurity requirements for financial services companies. In law firms, we regularly get cybersecurity questionnaires from clients. This, too, will continue. Potential victims will be asked—perhaps forced—to harden their defenses.
Recent government steps may not solve this problem. But they certainly confirm the problem's severity. Hacking is not Y2K. Cybersecurity is a clear and present danger.
Like many of life's problems, this all comes back to insurance. New York's insurance regulator reported that increased costs are creating pressure to raise rates and tighten underwriting standards for cyber insurance.
The report noted a cyber underwriting problem that many other risks do not face: systemic risks. A fire at a warehouse is a unique loss. A cyberincident, however, can be systemic. One cyberincident could affect many policyholders.
Back in 2015, an insurer denied a claim from Cottage Health System based on an exclusion for “failure to follow minimum required practices.” The case settled and it remains unusual, if not unique. But we are likely to see more issues concerning standards.
Finally, insurers must consider coverage issues.
The most disturbing issue is the “silent risk.” Some courts have found cyber coverage under policies that did not explicitly grant cyber coverage. Underwriters and coverage counsel should work together to close identifiable vulnerabilities in policy language.
The other disturbing issue is that courts have been inconsistent in applying coverage concepts to common fact patterns.
“Causation” is a point often disputed. Cyber policies will often limit coverage to losses “directly caused” by computers. But causation is all about linkage: How close must the cause be to the effect to be considered “directly caused”?
Almost everything in life is computer-connected. But when is something computer-caused?
Law professors may be able to reconcile courts' different approaches to causation.
Regular humans—particularly humans in the industry—will likely see the courts' approaches as inconsistencies. And inconsistencies create uncertainties.
Other issues also are unresolved. Courts have disagreed about the meaning of hacking and the level of required computer intrusion.
Cybercrimes, along with the related coverage issues, are among the biggest challenges now facing insurers.
Best’s Review contributor Alan Rutkin is a partner in the law firm Rivkin Radler LLP. He can be reached at email@example.com.