CYBER RISK & LAW

Enough About the War Exclusion – Here Are Five More Coverage Traps for Cyber Claims

By David Chavez, Attorney, CRISC | 2.25.2020


Recent invocations of the “war exclusion” to avoid liability for a massive wild virus have captured the cyber insurance community’s attention. Another massive attack is no doubt around the corner, which leads me to wonder what other conditions and exclusions policyholders should consider in preparation for the next “big one.”


The “Utility Failure” Exclusion

Claims resulting from a power failure, say when a computer virus hits a utility company and affects its customer base, are subject to this exclusion. But some policies fail to define a “utility service,” opening the door for a carrier to assert that an internet provider is a “utility” subject to the exclusion. What we once thought of as utilities (water, power, telecommunications) has changed as the world becomes more connected.

The question of whether, and which parts of, the internet environment constitute “utilities” is still undefined. The recent efforts to tag some internet providers as “utilities” may play a big part in determining whether this exclusion will apply. (By the way, if you’re looking for a great description of the structure of the telecommunications network, read Section 4.2 of this decision by the California PUC.)


The Breach of Contract Exclusion

Claims arising from a breach of contract are excluded, unless one or more common carve-backs apply, such as “claims arising in the absence of a contract.” But if a carrier asserts this exclusion, both sides will experience significant problems of proof at trial. And it gets even more complicated in a relationship with dueling indemnities and warranties.

The application of this exclusion to cyber claims is often pointless, as virtually every commercial entity that buys cyber insurance is running its network via contractual relationships, whether with cloud providers, co-location companies, vendors or customers. Thus, insurers try to respond to ubiquitous contractual relationships by stating that the exclusion does not apply if liability would exist “in the absence of a contract.” But that carve-back does not help much for claims alleging security violations, thanks to the economic loss doctrine.

The economic loss doctrine states that damages resulting from a breach of contract must be litigated according to the terms of the contract. Thus, a tort claim (say, for negligence) should not be asserted for the same losses covered by the contract. In pre-trial motions, a credible lawyer would seek to have the tort claim dismissed, arguing that the contract governs the relationship between the parties. In a contract action, parties can rely on the (presumed) protections built into the contract, such as limitations of liability and disclaimers of indirect damages. But consider: if the tort claim is dismissed, is there any “liability in the absence” of the contract? As a consequence, lawyers are torn between dismissing the tort claim to limit their client’s liability, or leaving the tort claim alone and maintaining coverage.

(Some carriers add “breach of contract” to their definition of wrongful act, or state that the exclusion does not apply to an “insured contract,” the definition of which can take many forms. Regardless, policyholders are advised to read the Breach of Contract exclusion in concert with their business practices to see how and if it could apply.)


The Prior Acts (and Prior Knowledge) Exclusion

These provisions apply to claims arising from security events about which the policyholder knew before procuring insurance. But what exactly is the insurable event? The failure of a computer system doesn’t just happen when the screen goes blank, and most policies can’t quite figure out how to deal with latent viruses and the realities of network vulnerabilities.

Latent viruses can sit idle for months or even years. Did the system fail when the virus was planted, or when it executed its evil code? What diligence must a policyholder exercise before and at the time of applying for insurance to make sure those pesky viruses have been eradicated? Similarly, how much vetting is done of vendors to find out what THEY know about the security of their systems? Policyholders must make sure that they report claims and circumstances as they occur and, at the end of the policy period, should make sure that all members of the control group understand whether there are any circumstances that ought to be reported to the carrier.


The Computer System Maintenance Exclusion/Condition

Some carriers require the maintenance of security standards, or simply exclude claims resulting from the insured’s failure to maintain such standards. But even the strictest security framework recognizes that the security posture of a networked system must be fluid and may change as business needs change.

Typically, these provisions require “at least the same level of security” as that represented in the insurance application. But there are two problems with this representation. First, the application only lists the security standards that the insurance carrier considers important; after all, the carrier wrote the application. “Security” may mean something far more nuanced than that set forth in the application. Second, and similarly, maintenance of security is ridiculously difficult to define. The application asks if files are encrypted, yes or no, but fails to allow for a nuanced response that recognizes not all files need to be encrypted. Or, the application asks if software patches are applied “on a regular basis.” During the course of the insurance relationship, the policyholder will have to make decisions regarding which patches to apply and when. What if an insured decides not to apply a patch, for legitimate business reasons?


The Fraud Exclusion and Contract Rescission

The fraud exclusion applies if an insured takes any action that is fraudulent, dishonest or intentionally misleading. But the exclusion can be quite broad and sometimes includes the acts of line employees or former employees. Even worse, if the fraud occurred in the insurance application, the carrier may choose to rescind the policy and walk away from the relationship.

The possibility of rescission should be, in my mind, a very real concern for policyholders. Cyber applications are notoriously insufficient. Either they ask the wrong questions, ask too many irrelevant questions or are difficult to interpret. Policyholders are left trying to discern the intent behind the question and how to respond in a manner that will satisfy the carrier. Fortunately, courts recognize that poorly drafted application questions will be construed strictly against a carrier, so the carrier’s failure to ask an intelligible question will inure to the policyholder’s benefit. But courts also state that every question on an insurance application is “material” to the underwriting of the insured, so a fraudulent or misleading answer, even one that is unrelated to the loss at issue, can void the policy and leave the policyholder with no coverage.


Dealing With Exclusionary Language

Don’t expect carriers to modify these exclusions if asked by a prospective policyholder. Instead, make sure that your insurance buyer and/or broker evaluates policy options with an eye to your business practices. Consider the precise types of risks that you face and compare those scenarios to your insurance coverage. If your company is a B2C company, PCI and PII will be vitally important to you. If your company is a B2B company, your greater risk may be an E&O claim, in which case contractual liability will matter. And regardless of your size, spend some quality time on the application and consider your short-term plans each time you renew your cyber insurance. New products, new territories, and plans for growth, whether organic or by acquisition, will affect your network, and you want to make sure that your policy will respond now and in the near future.