Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/20/2014
07:30 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why You Shouldn't Count On General Liability To Cover Cyber Risk

Travelers Insurance's legal spat with P.F. Chang's over who'll pay breach costs will likely illustrate why enterprises shouldn't think of their general liability policies as backstops for cyber risk.

As the legal troubles for P.F. Chang's restaurant chain kept piling up over the breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.

Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadn't met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.

According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.

"The likelihood that PF Chang's would prevail seems quite slim," says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.

That's because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to Sony Entertainment's case against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.

"In general they find that there is no coverage. A court might rule that there is coverage if occurrence causes the loss of use of some physical computer component or data storage medium," Gilbert says. "On the other hand, a court might find that there is no coverage if there is no physical injury to tangible property resulting from the mere loss of data."  

On the off-chance that Travelers does not win its case, this will still likely do little for enterprises hoping to use CGLs as an umbrella for cyber risk fallout.

"If Travelers is not successful and their CGL policy is found to provide coverage, the result would most likely be the implementation of stricter exclusions on policies that do not want to pick up cyber exposure in any way," says Michael Carey, senior advisor for CyberInsure Solutions. "From a general perspective, unless the CGL policy expressly grants cyber coverage, the proof would need to show that there is implicit coverage through the lack of dedicated cyber exclusions, which would be a weaker position to have in court."

This, of course, is the whole reason companies like Travelers offer cyber liability insurance -- a.k.a. cyber insurance -- as an added type of coverage.

"The reality is that it's not the spirit of general liability coverage, it's not the intent of the coverage, and even P.F. Chang's knows that, because it is rumored that they have a distinct cyber policy," says Jake Kouns of Risk Based Security, who gets annoyed when cases like these are painted by the media as a knock against cyber liability policies when they're actually about disputes over general liability policies. "I just get slightly frustrated when people see something like that and they immediately jump to the conclusion that, 'Oh, this is a slimy industry, you can't trust cyber liability insurance.' "

Unfortunately, misconceptions by enterprise IT risk managers about the insurance industry are still prevalent, in spite of a rapidly maturing cyber insurance market. According to Carey, the assumption that a CGL will transfer breach risks to an insurance company is a prevalent one.

"This is a mistake many companies are making. Many business owners assume their current insurance, including CGL, covers cyber, but it often does not," says Carey, who offers a pretty simple rule of thumb: "If you are not sure your business is covered for cyber, it probably is not."

[Insurance policies customized for cyber attack protection are on the rise as businesses worry they could be the next Target. Read Cyberinsurance Resurges In The Wake Of Mega-Breaches.]

Gilbert agrees that many companies aren't aware that general liability doesn't cover cyber risks. She hopes that the Travelers case can help increase awareness about the difference between the two kinds of coverage so they can better manage different risks.

According to Kouns, whose company tracks breach and vulnerability information to sell to insurance underwriters and who has helped develop cyber risk policy products for a major insurer, not all cyber insurance policies are created equal. However, he says that well-chosen cyber insurance works very well, and that there are plenty of legitimate options on the market that do a good job transferring those risks that solid security practices cannot mitigate.

"Right now I will tell you that pricing for cyber liability insurance is stupid low -- unbelievably low," he says. "I can't imagine it will stay this low once losses continue to come in, but at this point I'm stunned by any company that doesn't have some sort of cyber liability in place today."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/21/2014 | 1:10:31 PM
Re: CGL Coverage
If this is the case involving CGL and its verbiage is somewhat dated then it would seem that the policies should be rearchitected. Especially, when the idea from an legal perspective is to help alleviate fiscal struggles in times of breach. It needs to evolve alongside cyber risk policies if it would like to compete in that vector.
SgS125
50%
50%
SgS125,
User Rank: Ninja
10/20/2014 | 3:59:52 PM
Re: CGL Coverage
Actually you would be wise to take advantage of the low rates.  You will in fact get more than you pay for until the experience catches up with the rates.  This would be a bargain right now, not a bad deal at all.  Just remember to read the entire policy.  I bet you read your auto and homeowners policy Right :)
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:56:12 PM
Re: CGL Coverage
Actually, companies issuing cyber insurance stand to lose big time unless they increase their rates and call for increased level of proactive security and risk management by companies they insure. When big companies like Target and Home Depot, and even very large banks like JP Morgan get breached, the costs associated with addressing that breach get incredibly expensive.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:47:03 PM
Re: CGL Coverage
CGL was invented a long time ago, and really is not intended to cover cyber risk. In fact, new CGL policies expressly exclude coverage for cyber security incidents. At the same time, cyber risk policies are evolving at a very rapid pace in order to keep up with the rapidly changing threat landscape and new vectors for attack, and require that organizations demonstrate a proactive role in their own cyber defense strategy prior to coverage. What once was a niche market, cyber risk coverage really has come into its own as a critical component of risk management.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/20/2014 | 12:08:43 PM
Re: CGL Coverage
"pricing for cyber liability insurance is stupid low" 

Another example that you get what you pay for.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/20/2014 | 11:09:06 AM
CGL Coverage
Not that I think any organization should be reliant on a CGL to bail them out but if a CGL does not encompass cyber threats, than what does it cover from an Information Security perspective?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7759
PUBLISHED: 2020-10-30
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://v...
CVE-2020-7760
PUBLISHED: 2020-10-30
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vu...
CVE-2020-27014
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains a race condition vulnerability in the Web Threat Protection Blocklist component, that if exploited, could allow an attacker to case a kernel panic or crash. An attacker must first obtain the ability to execute high-privileged code on the targ...
CVE-2020-27015
PUBLISHED: 2020-10-30
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privi...
CVE-2020-27885
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...