Cyber Insurance Trends: Claim Payment Issues
With insurers paying millions of dollars annually for claims on cyber policies, cyber insurance has demonstrated its worth to companies with data privacy and network security risks. As with every line of coverage, however, there are potential pitfalls that insureds might face, but can avoid. Two recent lawsuits highlight some of the potential issues as cyber coverage continues to develop.
First, in late 2013, Cottage Health System suffered a data breach that compromised 32,500 records. After initially paying a claim, the company’s insurer, CNA Insurance subsidiary Columbia Casualty, sued to recover the payment, alleging that Cottage Health failed to follow “minimum required practices” identified in its insurance application.
The carrier’s case was dismissed by the court without prejudice on procedural grounds. But it serves to remind insureds that they must provide information to insurers that accurately reflects their data security practices. Additionally, “minimum required practices” clauses are not common in today’s cyber market.
More recently, a federal court found that restaurant chain P.F. Chang’s could not recover payment card industry (PCI) fines, penalties, and assessments incurred under a master service agreement with its credit card processor. Specifically, the court ruled that an exclusion for contractual damages barred recovery.
Importantly, P.F. Chang’s insurer — Federal Insurance, a division of Chubb Group of Insurance — paid $1.7 million in other costs that resulted from the data breach, which affected 60,000 customers. Moreover, insureds should be aware that many carriers currently provide terms that expressly cover PCI fines and penalties, and will carve back the contractual exclusion to avoid any conflict. This coverage may be sub-limited, however, and organizations are advised to consider the potential impact of these costs when determining overall limits.
Cyber insurance is a rapidly changing market. Insureds should work with their brokers to ensure that policy terms follow recent challenges to and developments in coverage. Fundamentally, however, it remains a buyer’s market and companies should be confident that cyber policies deliver real risk transfer and value.