Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/20/2014
07:30 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why You Shouldn't Count On General Liability To Cover Cyber Risk

Travelers Insurance's legal spat with P.F. Chang's over who'll pay breach costs will likely illustrate why enterprises shouldn't think of their general liability policies as backstops for cyber risk.

As the legal troubles for P.F. Chang's restaurant chain kept piling up over the breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.

Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadn't met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.

According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.

"The likelihood that PF Chang's would prevail seems quite slim," says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.

That's because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to Sony Entertainment's case against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.

"In general they find that there is no coverage. A court might rule that there is coverage if occurrence causes the loss of use of some physical computer component or data storage medium," Gilbert says. "On the other hand, a court might find that there is no coverage if there is no physical injury to tangible property resulting from the mere loss of data."  

On the off-chance that Travelers does not win its case, this will still likely do little for enterprises hoping to use CGLs as an umbrella for cyber risk fallout.

"If Travelers is not successful and their CGL policy is found to provide coverage, the result would most likely be the implementation of stricter exclusions on policies that do not want to pick up cyber exposure in any way," says Michael Carey, senior advisor for CyberInsure Solutions. "From a general perspective, unless the CGL policy expressly grants cyber coverage, the proof would need to show that there is implicit coverage through the lack of dedicated cyber exclusions, which would be a weaker position to have in court."

This, of course, is the whole reason companies like Travelers offer cyber liability insurance -- a.k.a. cyber insurance -- as an added type of coverage.

"The reality is that it's not the spirit of general liability coverage, it's not the intent of the coverage, and even P.F. Chang's knows that, because it is rumored that they have a distinct cyber policy," says Jake Kouns of Risk Based Security, who gets annoyed when cases like these are painted by the media as a knock against cyber liability policies when they're actually about disputes over general liability policies. "I just get slightly frustrated when people see something like that and they immediately jump to the conclusion that, 'Oh, this is a slimy industry, you can't trust cyber liability insurance.' "

Unfortunately, misconceptions by enterprise IT risk managers about the insurance industry are still prevalent, in spite of a rapidly maturing cyber insurance market. According to Carey, the assumption that a CGL will transfer breach risks to an insurance company is a prevalent one.

"This is a mistake many companies are making. Many business owners assume their current insurance, including CGL, covers cyber, but it often does not," says Carey, who offers a pretty simple rule of thumb: "If you are not sure your business is covered for cyber, it probably is not."

[Insurance policies customized for cyber attack protection are on the rise as businesses worry they could be the next Target. Read Cyberinsurance Resurges In The Wake Of Mega-Breaches.]

Gilbert agrees that many companies aren't aware that general liability doesn't cover cyber risks. She hopes that the Travelers case can help increase awareness about the difference between the two kinds of coverage so they can better manage different risks.

According to Kouns, whose company tracks breach and vulnerability information to sell to insurance underwriters and who has helped develop cyber risk policy products for a major insurer, not all cyber insurance policies are created equal. However, he says that well-chosen cyber insurance works very well, and that there are plenty of legitimate options on the market that do a good job transferring those risks that solid security practices cannot mitigate.

"Right now I will tell you that pricing for cyber liability insurance is stupid low -- unbelievably low," he says. "I can't imagine it will stay this low once losses continue to come in, but at this point I'm stunned by any company that doesn't have some sort of cyber liability in place today."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/20/2014 | 11:09:06 AM
CGL Coverage
Not that I think any organization should be reliant on a CGL to bail them out but if a CGL does not encompass cyber threats, than what does it cover from an Information Security perspective?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/20/2014 | 12:08:43 PM
Re: CGL Coverage
"pricing for cyber liability insurance is stupid low" 

Another example that you get what you pay for.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:56:12 PM
Re: CGL Coverage
Actually, companies issuing cyber insurance stand to lose big time unless they increase their rates and call for increased level of proactive security and risk management by companies they insure. When big companies like Target and Home Depot, and even very large banks like JP Morgan get breached, the costs associated with addressing that breach get incredibly expensive.
SgS125
50%
50%
SgS125,
User Rank: Ninja
10/20/2014 | 3:59:52 PM
Re: CGL Coverage
Actually you would be wise to take advantage of the low rates.  You will in fact get more than you pay for until the experience catches up with the rates.  This would be a bargain right now, not a bad deal at all.  Just remember to read the entire policy.  I bet you read your auto and homeowners policy Right :)
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:47:03 PM
Re: CGL Coverage
CGL was invented a long time ago, and really is not intended to cover cyber risk. In fact, new CGL policies expressly exclude coverage for cyber security incidents. At the same time, cyber risk policies are evolving at a very rapid pace in order to keep up with the rapidly changing threat landscape and new vectors for attack, and require that organizations demonstrate a proactive role in their own cyber defense strategy prior to coverage. What once was a niche market, cyber risk coverage really has come into its own as a critical component of risk management.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/21/2014 | 1:10:31 PM
Re: CGL Coverage
If this is the case involving CGL and its verbiage is somewhat dated then it would seem that the policies should be rearchitected. Especially, when the idea from an legal perspective is to help alleviate fiscal struggles in times of breach. It needs to evolve alongside cyber risk policies if it would like to compete in that vector.
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting