The burgeoning multi-billion dollar cyber insurance market is expected to continue its 25%+ annual growth over the next few years. Despite this dramatic growth, the market is plagued with uncertainty over the meaning of key policy terms and scope of coverage. The lack of both uniformity in cyber policy language and judicial guidance interpreting policy language prevent companies from confidently assessing their loss exposure in the event of a major data breach.
While the law governing cyber policies will remain in flux for years to come, recent precedent already poses formidable challenges to insureds seeking coverage for data breach losses. Companies in the market for cyber insurance would be well-served to heed lessons from those companies denied coverage due to certain wording in their policies.
Recently, many insureds were surprised when courts upheld insurers’ denials of coverage for data breach losses for the following reasons:
- The insured failed to follow certain cyber security practices (e.g. regularly applying security patches).
- The “publication” of the personal information required to trigger coverage was done by hackers, not the insured.
- The alleged breach separately constituted a violation of a state privacy statute.
- The underlying lawsuit against the insured alleged intentional misuse of personal information as opposed to mere negligence.
- The email contributing to the fraudulent transfer was found to be only one of many acts in the scheme and not the root cause for the loss.
These rulings will continue to shape the way cyber insurance policies are both worded and interpreted. As cyber policies continue to get tested in the courts, the evolving legal landscape will provide important insights to organizations both when negotiating the purchase of a cyber policy as well as in assessing the strength of its overall cybersecurity program.