Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/20/2014
07:30 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why You Shouldn't Count On General Liability To Cover Cyber Risk

Travelers Insurance's legal spat with P.F. Chang's over who'll pay breach costs will likely illustrate why enterprises shouldn't think of their general liability policies as backstops for cyber risk.

As the legal troubles for P.F. Chang's restaurant chain kept piling up over the breach discovered this summer affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.

Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadn't met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.

According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.

"The likelihood that PF Chang's would prevail seems quite slim," says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.

That's because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to Sony Entertainment's case against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.

"In general they find that there is no coverage. A court might rule that there is coverage if occurrence causes the loss of use of some physical computer component or data storage medium," Gilbert says. "On the other hand, a court might find that there is no coverage if there is no physical injury to tangible property resulting from the mere loss of data."  

On the off-chance that Travelers does not win its case, this will still likely do little for enterprises hoping to use CGLs as an umbrella for cyber risk fallout.

"If Travelers is not successful and their CGL policy is found to provide coverage, the result would most likely be the implementation of stricter exclusions on policies that do not want to pick up cyber exposure in any way," says Michael Carey, senior advisor for CyberInsure Solutions. "From a general perspective, unless the CGL policy expressly grants cyber coverage, the proof would need to show that there is implicit coverage through the lack of dedicated cyber exclusions, which would be a weaker position to have in court."

This, of course, is the whole reason companies like Travelers offer cyber liability insurance -- a.k.a. cyber insurance -- as an added type of coverage.

"The reality is that it's not the spirit of general liability coverage, it's not the intent of the coverage, and even P.F. Chang's knows that, because it is rumored that they have a distinct cyber policy," says Jake Kouns of Risk Based Security, who gets annoyed when cases like these are painted by the media as a knock against cyber liability policies when they're actually about disputes over general liability policies. "I just get slightly frustrated when people see something like that and they immediately jump to the conclusion that, 'Oh, this is a slimy industry, you can't trust cyber liability insurance.' "

Unfortunately, misconceptions by enterprise IT risk managers about the insurance industry are still prevalent, in spite of a rapidly maturing cyber insurance market. According to Carey, the assumption that a CGL will transfer breach risks to an insurance company is a prevalent one.

"This is a mistake many companies are making. Many business owners assume their current insurance, including CGL, covers cyber, but it often does not," says Carey, who offers a pretty simple rule of thumb: "If you are not sure your business is covered for cyber, it probably is not."

[Insurance policies customized for cyber attack protection are on the rise as businesses worry they could be the next Target. Read Cyberinsurance Resurges In The Wake Of Mega-Breaches.]

Gilbert agrees that many companies aren't aware that general liability doesn't cover cyber risks. She hopes that the Travelers case can help increase awareness about the difference between the two kinds of coverage so they can better manage different risks.

According to Kouns, whose company tracks breach and vulnerability information to sell to insurance underwriters and who has helped develop cyber risk policy products for a major insurer, not all cyber insurance policies are created equal. However, he says that well-chosen cyber insurance works very well, and that there are plenty of legitimate options on the market that do a good job transferring those risks that solid security practices cannot mitigate.

"Right now I will tell you that pricing for cyber liability insurance is stupid low -- unbelievably low," he says. "I can't imagine it will stay this low once losses continue to come in, but at this point I'm stunned by any company that doesn't have some sort of cyber liability in place today."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/21/2014 | 1:10:31 PM
Re: CGL Coverage
If this is the case involving CGL and its verbiage is somewhat dated then it would seem that the policies should be rearchitected. Especially, when the idea from an legal perspective is to help alleviate fiscal struggles in times of breach. It needs to evolve alongside cyber risk policies if it would like to compete in that vector.
SgS125
50%
50%
SgS125,
User Rank: Ninja
10/20/2014 | 3:59:52 PM
Re: CGL Coverage
Actually you would be wise to take advantage of the low rates.  You will in fact get more than you pay for until the experience catches up with the rates.  This would be a bargain right now, not a bad deal at all.  Just remember to read the entire policy.  I bet you read your auto and homeowners policy Right :)
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:56:12 PM
Re: CGL Coverage
Actually, companies issuing cyber insurance stand to lose big time unless they increase their rates and call for increased level of proactive security and risk management by companies they insure. When big companies like Target and Home Depot, and even very large banks like JP Morgan get breached, the costs associated with addressing that breach get incredibly expensive.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/20/2014 | 12:47:03 PM
Re: CGL Coverage
CGL was invented a long time ago, and really is not intended to cover cyber risk. In fact, new CGL policies expressly exclude coverage for cyber security incidents. At the same time, cyber risk policies are evolving at a very rapid pace in order to keep up with the rapidly changing threat landscape and new vectors for attack, and require that organizations demonstrate a proactive role in their own cyber defense strategy prior to coverage. What once was a niche market, cyber risk coverage really has come into its own as a critical component of risk management.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/20/2014 | 12:08:43 PM
Re: CGL Coverage
"pricing for cyber liability insurance is stupid low" 

Another example that you get what you pay for.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/20/2014 | 11:09:06 AM
CGL Coverage
Not that I think any organization should be reliant on a CGL to bail them out but if a CGL does not encompass cyber threats, than what does it cover from an Information Security perspective?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15394
PUBLISHED: 2020-09-25
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
CVE-2020-15521
PUBLISHED: 2020-09-25
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .
CVE-2020-26103
PUBLISHED: 2020-09-25
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).
CVE-2020-26104
PUBLISHED: 2020-09-25
In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).
CVE-2020-26105
PUBLISHED: 2020-09-25
In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).