Insurance Coverage for Cyberattacks and Denial-of-Service Incidents.

If your business suffered the same sort of cyberattacks alleged to have taken place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend, would your insurance cover losses that your company faced?[1] Not worried, because the alleged attacks were only against government sites?  Unfortunately, the cyberattacks were more widespread, and allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[2]

Denial of Service Attacks


The cyberattacks described were denial-of-service incidents.  Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.[3]

Some attacks are comparable to “tak[ing] an ax to a piece of hardware,” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[4] If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[5]

What Insurance Coverage Might Apply?

If your company faces a denial-of-service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies.  Consider whether first party all risk or property coverage may apply.  First party all risk policies tend to provide coverage for the policyholder’s losses due to property damage.  If the denial-of-service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage.  Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[6]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack.  (Contingent business interruption losses may include those arising out of a third party’s cyber security-based business interruption.)[7]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack.  In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage.  More importantly, consider your company’s commercial general liability (CGL) insurance policy (if your company does not have a specialized cyber liability policy).

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage.  Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage.  Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[8] Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage.  But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[9] Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack.

Consider Cyber Security Specialty Policies

Looking beyond the coverages and endorsements discussed above, your company should consider the recent cyberattacks as an opportunity to reevaluate the need for specialized coverages for cyber security losses.  Insurance companies continue to introduce new specialized products for cyber security risks, marketing the new policies as including data compromise, cyber liability, network risk, and/or computer data coverage.  The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form.  Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing.  An experienced broker may be able to advise what coverages are available, and an attorney with experience in advising policyholders about insurance coverage issues may be able to advise as to the potential strengths and weaknesses of the various policy terms offered.

[Note 1:  This post also appears on Lexis’ Insurance Law Center, with thanks to my friend Karen Yotis.]

[Note 2:  This post is featured in Blawg Review #221, thanks to H. Scott Leviant of The Complex Litigator.]


[1] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).

[2] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).

[3] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).

[4] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).

[5] Id.

[6] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).

[7] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360, http://insurance.law360.com/articles/94765 (Apr. 8, 2009) (discussing coverage under first party policies resulting from third party interruptions).

[8] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).

[9] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20, http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (Mar. 2006) (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).


Disclaimer:

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2009.

10 comments


  • In addition to insurance protections, risk management best practice guidelines dictate exploring SAFETY Act eligibility for entities protecting themselves or others against cyber or network related terrorism.
    Today, hacking into a system is no longer limited to bored teenage techies. It is a tool used by organized crime, unfriendly nations, radicals, extremists and terrorist groups. Today’s potential cyber risks and exposures are far more severe than just compromised personal information. Vulnerabilities in information systems threaten the entire country’s physical and financial safety and security.

    Cyber terrorism falls into three basic categories. The first would be hacking into a system in order to cause physical harm to people or property. Some examples would include opening a dam, shutting down a power grid or causing highly dangerous situations at refineries or chemical plants. The second type of cyber related terrorism would be using a system to intentionally cause massive financial harm such as to the NYSE or a financial institution’s network. Third, setting up money-laundering schemes used to finance other terrorist activities. Any of these would create massive liability exposures for any party deemed responsible.

    As a part of their recent Board meeting, the Internet Security Alliance (ISA) released “The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and the 111th Congress”. This 45-page document provides detailed recommendations for the new administration. One of the four top suggestions made to the President Elect is providing “Better positive based incentives … To accomplish this, we can look at historical examples of positive incentive programs, such as the SAFETY Act …. .” Another of the four suggestions presented to Mr. Obama is the need to “Have a robust insurance market”.

    Regardless of the cost, post-September 11th, there is not enough, and likely will never be enough, terrorism-related insurance available globally to assure any organization’s financial survival following a serious event. On the other hand, the good news is that approval under the SAFETY Act automatically grants immunity, liability caps, affirmative defenses and other incentives for entities providing or using approved anti-terrorism products, technologies, facilities, software, procedures and/or services. The very nature of network and IT security protection makes the developer, provider or user an ideal candidate for the sweeping protections available under the SAFETY Act.

    SAFETY Act approval drastically reduces the enterprise-threatening liability exposures faced if a cyber terrorism event somehow involves an entity’s products, systems, networks, hardware, software, advice, services or facilities. In addition, entities that sell or provide anti-terrorism / e-terrorism goods or services to others will enjoy a significant marketing advantage and higher demand for their SAFETY Act-approved products and services.

    To qualify for SAFETY Act protection, the protections, technologies or procedures utilized do not have to be dedicated exclusively to preventing e-terrorism. They do need to have an anti-terrorism element. Network protection technologies, software, hardware, procedures and strategies are ideal examples of simultaneously guarding against both terrorism and non-terrorism threats.

    DHS approval under the SAFETY Act automatically grants unprecedented liability protection and immunity from lawsuits stemming from a terrorist event including cyber terrorism. The Act protects against allegations that a SAFETY Act Designated product, technology, service, procedure, software, advice or facility failed, was misused, inadequate or otherwise and did not identify, prevent, respond to or respond appropriately or otherwise help mitigate a terrorist act. SAFETY Act’s broad protections will apply to suits resulting from, or alleging, bodily injury, property damage and/or other harm, including financial harm.

    Another exciting feature, although not the SAFETY Act’s intended purpose, is the significant marketing edge and higher demand that SAFETY Act approval creates for entities that provide products and services to others.

    Read more about the SAFETY Act on our site http://www.SAFETYACTCONSULTANTS.com or at the DHS’ site at http://www.SAFETYACT.gov.


  • This is scary stuff – thanks for posting!
