As Cybercrimes Continue, Lawsuits for Damages Will Grow
Due to different policy language, it is difficult to identify clear trends and patterns in the law.
- Alan Rutkin
- December 2021
I was recently part of a group of lawyers that was asked to identify the biggest issues now facing the insurance industry and its various vendors. Lawyers identified many issues that insurers must address. But cyber liability stood out as most significant. Why? Three reasons.
First, cyber is an area of liability that is still expanding. The U.S. was hit with 65,000 ransomware attacks last year. The Treasury Department, in a report dated Oct. 15, 2021, stated that ransomware payments in 2021 are on pace to double those made in 2020, with nearly $600 million believed to have been paid in the first six months of 2021.
The federal government, through the U.S. Cyber Command and the National Security Agency, has announced more aggressive efforts to fight ransomware. Congress is considering a bill to increase reporting requirements. But despite the many efforts to fight cybercrime, this problem will surely remain, if not increase, for some time.
With the incidents increasing, we will surely see the suits for damages increasing, with the parameters for responsibility—liability and damages—still evolving.
Second, the underwriting challenges are big. Because the underlying facts, liability, and damages are still evolving, underwriters are still figuring out where the biggest risks lie. Unlike fires, cars and many other risks, there is no long history of damage data. The loss factor is still new.
Cyber problems also differ from other risks in that a single cyber act could cause extended consequences. A fire typically affects one building, or perhaps a few surrounding buildings. A single cyber virus, on the other hand, could potentially affect millions of computers. This aspect of cyber risks makes loss projection and underwriting very difficult.
Third, the coverage litigation is in its infancy. There are only about 100 decisions in this area. That sounds like many, but it's really quite few. Courts have yet to reach a consensus on many key issues. The situation is complicated by variations in insurance policies. This coverage has not yet fallen into one specific mold. Commercial crime policies, for example, offer several endorsements that address cyber risks, but the precise language of these endorsements varies. Some policyholders have been looking beyond their commercial crime policies for recovery of cyber losses. So, we are seeing a patchwork of decisions.
That said, some common threads have emerged. I've mentioned the acronym “ACAI” in the past because many of the cases concern Act, Cause, Authorization, or Injury.
Act: Under crime policies, the issue may be whether there was an act within the policy terms —spoofing, phishing, hacking, etc. Under liability policies, the issue often is whether there was a publication, and if so, who did the publishing?
Cause: Many policies only cover “direct loss” from the use of a computer. But cybercrime often involves a series of steps to complete the criminal scheme. The issue here is, when is a loss direct?
Authorization: Coverage is often limited to cyber losses caused by unauthorized users. Courts typically enforce this restriction, even where the authorized person was deceived.
Injury: Even though the insurance industry tightened the language on this issue, we still see disputes on what injuries are covered.
The ACAI acronym is helpful. But with different policy language, it is difficult to identify clear trends in the law.
So, as cybercrime continues to evolve, the body of insurance coverage also will evolve. And insurers must stay on top of the developing trends.
Best’s Review contributor Alan Rutkin is a partner in the law firm Rivkin Radler LLP. He can be reached at firstname.lastname@example.org.