Authored by industry thought leader and expert, Joe Bermudez
The Summer of 2018 has been touted by commentators as having a dramatic impact on the early development of cyber coverage. While we acknowledge that many would like a reconsideration of cyber coverage denials issued before the Summer Cyber Trilogy, none of the decisions support such a dramatic response. Rather, in each instance, the decisions rendered in Interactive Communications Int’l, Inc. v. Great American Ins. Co., 731 Fed.Appx. 929 (11th Cir. May 10, 2018); Medidata Solutions, Inc. v. Federal Ins. Co., 729 Fed.Appx. 117 (2nd Cir. July 6, 2018); and American Tooling Center, Inc. v. Travelers Cas. and Sur. Co. of America, 895 F.3d 455 (6th Cir. 2018) confirmed that claim circumstances and policy wording are absolutely essential to cyber coverage analysis. Rather than a revolution, the Summer Cyber Trilogy provides critical takeaways as cyber coverage continues to evolve.
Déjà vu! An insurance product is brought to market and greeted with the notion that the new policy covers everything and anything, just like a general liability or all-risk property policy. Disregard the wording, insuring agreement, exclusions, and conditions: if a loss took place and a computer is in the general vicinity, it must be a covered cyber claim. However, the courts have properly disagreed. Just as we witnessed in early disputes over D&O and product contamination policies, the courts have handed multiple early victories to cyber insurers. Why? Because the vacuum of case law and lack of understanding about cyber policies’ coverages generated ill-advised lawsuits.
As the courts understand by reviewing cyber wordings in the context of coverage disputes, unlike general liability, cyber covers a very specific risk. No doubt, an extraordinarily technical risk. Nevertheless, a specific risk involving a specific loss. And, while it is true that cyber risks are very different from other underwritten risks, that some threats are currently unknown, and that the evolutionary pace of threats is quite extraordinary, cyber is not intended to cover every incident that incidentally touches a computer system.
In each instance, the Incomm, Medidata, and ATC courts critically analyzed and adeptly utilized the respective claim circumstances to render a decision and to skillfully, yet accurately, distinguish earlier decisions. These Courts adroitly utilized the policy wordings to analyze novel, evolving claim circumstances to render coverage decisions, which are spot on. For example, in Medidata and ATC, the respective Courts precisely focused on the “direct loss” despite each set of claim circumstances involving complex, multi-layer, and multi-step processes. Critically, both Courts also accurately concentrated on the modus operandi utilized to manipulate the respective “computer system”. Judicious analysis of the factual circumstances and cyber policy wording is essential to a proper coverage determination.
The Summer Cyber Trilogy confirmed that the computer system must be an essential element of the modus operandi utilized to achieve the security breach/failure (data breach/failure, extortion threat, etc.) in order to satisfy an initial cyber coverage trigger. Very few companies in developed nations conduct business without a computer. Because computers are very much an essential part of almost every business, a computer system merely being involved in a cyber incident will not necessarily trigger cyber coverage. The best example: the claim circumstances involved in Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675 (N.Y. Ct. App. 2015). In that instance, the “computer system” was no different than a random piece of paper, desk, or other office paraphernalia, and it was not essential to the modus operandi utilized to achieve the fraud.
Incomm involved a 2000 policy wording; Medidata a 2009 wording; and ATC a 2004 wording. Moreover, none of the policies were standalone cyber policies. Unlike general liability standard-form policies, which have evolved on pace with glaciers (before climate change), cyber wordings are all very different and must evolve to address the unique, quickly-changing cyber threat environment. Ever think about why the defined term “social engineering” is not found in any of the above listed policy wordings? Social engineering threats either didn’t exist or were unknown to underwriters and brokers at the time. Comparing such policies is like comparing an Oldsmobile to a Tesla.
Some colleagues have expressed displeasure with Medidata and ATC, criticizing each Court’s respective failures to properly understand the “software” utilized in each instance. Such criticism is missing an essential element of new coverages, the insureds’ reasonable expectations. Who buys cyber insurance for a company? The knowledgeable IT tech, who understands what the term “social engineering” means? Or, the CFO, treasurer, controller, or risk manager, who doesn’t have a Facebook or Twitter account, let alone a subscription (heaven forbid a digital one) to Software Today?
For the people who buy insurance for companies that are focused on products and services, which merely utilize computer systems in the same way they utilize a pen, the type of software used in a security breach is something they did not and will not consider when buying a cyber policy. (And, are cyber policies sold on this basis? No.) The “computer system” to the actual buyers is merely office paraphernalia. And, yes, while some C-Suites have a CIO, 97% of the companies that buy or should be buying cyber insurance do not. For a proper cyber coverage determination, the manipulation and utilization of the computer system and whether the loss was direct are essential, not the type of software.
The Summer Cyber Trilogy of cases was not revolutionary but evolutionary. The Trilogy did not turn previous coverage determinations on their heads and require immediate retraction. Rather, the decisions provided essential takeaways about addressing cyber coverage issues going forward.