Several new cases show the evolution of case law and demonstrate what cyber insurers and policyholders alike can expect from the courts.
Cyber insurance isn’t entirely new; policies have been out for well over a decade. But with the rise in cyberattacks over the last few years, more claims are being made, and some policyholders are being denied over policy specifics and exclusions. A number of high-profile lawsuits have made their way to the news – such as the $100M lawsuit over the infamous 2016 NotPetya attacks – demonstrating that this uncharted territory needs the help of the courts to better define who’s responsible: the policyholder or the insurer.
A number of recent court cases involving cyber insurance provide insight into both what protections insurers are expecting of their policyholders and what it takes for the insurer to be required to pay up.
According to the article:
- Comprehensive General Liability (CGL) policies (which generally cover injuries caused by the publication of personal information) have generally been rejected by the courts as enforceable in cases of data breach.
- Crime/Fidelity policies (which protect against a wide range of losses related to fraud, embezzlement and theft by others) have received mixed results, including two 2018 appellate court decisions finding that social engineering schemes constituted fraud.
- Cyber policies (which generally provide first- and third-party coverage for network security and data privacy events) do not yet have enough case law to show a clear direction.
While most organizations probably aren’t thinking about cyberattacks going all the way to a court of law, it’s important to understand where the courts stand on the issue, so you have a better understanding of exactly what to expect when putting in a claim.