Attacks/Breaches

10/20/2014
07:30 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Why You Shouldn't Count On General Liability To Cover Cyber Risk

Travelers Insurance's legal spat with P.F. Chang's over who'll pay breach costs will likely illustrate why enterprises shouldn't think of their general liability policies as backstops for cyber risk.

As the legal troubles for P.F. Chang's restaurant chain kept piling up over the breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.

Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadn't met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.

According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.

"The likelihood that PF Chang's would prevail seems quite slim," says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.

That's because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to Sony Entertainment's case against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.

"In general they find that there is no coverage. A court might rule that there is coverage if occurrence causes the loss of use of some physical computer component or data storage medium," Gilbert says. "On the other hand, a court might find that there is no coverage if there is no physical injury to tangible property resulting from the mere loss of data."  

On the off-chance that Travelers does not win its case, this will still likely do little for enterprises hoping to use CGLs as an umbrella for cyber risk fallout.

"If Travelers is not successful and their CGL policy is found to provide coverage, the result would most likely be the implementation of stricter exclusions on policies that do not want to pick up cyber exposure in any way," says Michael Carey, senior advisor for CyberInsure Solutions. "From a general perspective, unless the CGL policy expressly grants cyber coverage, the proof would need to show that there is implicit coverage through the lack of dedicated cyber exclusions, which would be a weaker position to have in court."

This, of course, is the whole reason companies like Travelers offer cyber liability insurance -- a.k.a. cyber insurance -- as an added type of coverage.

"The reality is that it's not the spirit of general liability coverage, it's not the intent of the coverage, and even P.F. Chang's knows that, because it is rumored that they have a distinct cyber policy," says Jake Kouns of Risk Based Security, who gets annoyed when cases like these are painted by the media as a knock against cyber liability policies when they're actually about disputes over general liability policies. "I just get slightly frustrated when people see something like that and they immediately jump to the conclusion that, 'Oh, this is a slimy industry, you can't trust cyber liability insurance.' "

Unfortunately, misconceptions by enterprise IT risk managers about the insurance industry are still prevalent, in spite of a rapidly maturing cyber insurance market. According to Carey, the assumption that a CGL will transfer breach risks to an insurance company is a prevalent one.

"This is a mistake many companies are making. Many business owners assume their current insurance, including CGL, covers cyber, but it often does not," says Carey, who offers a pretty simple rule of thumb: "If you are not sure your business is covered for cyber, it probably is not."

[Insurance policies customized for cyber attack protection are on the rise as businesses worry they could be the next Target. Read Cyberinsurance Resurges In The Wake Of Mega-Breaches.]

Gilbert agrees that many companies aren't aware that general liability doesn't cover cyber risks. She hopes that the Travelers case can help increase awareness about the difference between the two kinds of coverage so they can better manage different risks.

According to Kouns, whose company tracks breach and vulnerability information to sell to insurance underwriters and who has helped develop cyber risk policy products for a major insurer, not all cyber insurance policies are created equal. However, he says that well-chosen cyber insurance works very well, and that there are plenty of legitimate options on the market that do a good job transferring those risks that solid security practices cannot mitigate.

"Right now I will tell you that pricing for cyber liability insurance is stupid low -- unbelievably low," he says. "I can't imagine it will stay this low once losses continue to come in, but at this point I'm stunned by any company that doesn't have some sort of cyber liability in place today."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/21/2014 | 1:10:31 PM
Re: CGL Coverage
If this is the case involving CGL and its verbiage is somewhat dated then it would seem that the policies should be rearchitected. Especially, when the idea from an legal perspective is to help alleviate fiscal struggles in times of breach. It needs to evolve alongside cyber risk policies if it would like to compete in that vector.
SgS125
50%
50%
SgS125,
User Rank: Ninja
10/20/2014 | 3:59:52 PM
Re: CGL Coverage
Actually you would be wise to take advantage of the low rates.  You will in fact get more than you pay for until the experience catches up with the rates.  This would be a bargain right now, not a bad deal at all.  Just remember to read the entire policy.  I bet you read your auto and homeowners policy Right :)
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:56:12 PM
Re: CGL Coverage
Actually, companies issuing cyber insurance stand to lose big time unless they increase their rates and call for increased level of proactive security and risk management by companies they insure. When big companies like Target and Home Depot, and even very large banks like JP Morgan get breached, the costs associated with addressing that breach get incredibly expensive.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:47:03 PM
Re: CGL Coverage
CGL was invented a long time ago, and really is not intended to cover cyber risk. In fact, new CGL policies expressly exclude coverage for cyber security incidents. At the same time, cyber risk policies are evolving at a very rapid pace in order to keep up with the rapidly changing threat landscape and new vectors for attack, and require that organizations demonstrate a proactive role in their own cyber defense strategy prior to coverage. What once was a niche market, cyber risk coverage really has come into its own as a critical component of risk management.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/20/2014 | 12:08:43 PM
Re: CGL Coverage
"pricing for cyber liability insurance is stupid low" 

Another example that you get what you pay for.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/20/2014 | 11:09:06 AM
CGL Coverage
Not that I think any organization should be reliant on a CGL to bail them out but if a CGL does not encompass cyber threats, than what does it cover from an Information Security perspective?
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.