On October 27, 2011, CNN.com posted:
A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.
The Krebs On Security blog posted:
Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.
This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.“ Would your insurance policies cover those events? Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1] These attacks and threats do not appear to be on a downward trend. They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2] The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3] The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]
Denial of Service Attacks
The cyberattacks that have stolen recent headlines were denial of service incidents. Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:
Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:
- consumption of scarce, limited, or non-renewable resources
- destruction or alteration of configuration information
- physical destruction or alteration of network components.[5]
Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6] If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]
What Insurance Coverage Might Apply?
The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy. The market for cybersecurity policies has been called the Wild West of insurance marketplaces. Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing. The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form. Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event. If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.
If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies. In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy. Consider whether first party all risk or property coverage may apply. First party all risk policies typically provide coverage for the policyholder’s losses due to property damage. If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage. Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]
First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack. (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]
Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack. In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]
If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage. More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy. If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.
The first coverage provided in a standard-form CGL insurance policy covers liability for property damage. Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage. Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11] Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage. But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12] Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]
Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements. Standard form CGL policies provide coverage for indemnity agreements.[14]
Depending on the types of claims asserted, other liability policies may be triggered as well. For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16] The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.
[1] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).
[2] U.S. Government Sites Among Those Hit by Cyberattack, CNN, http://www.cnn.com/2009/TECH/07/08/government.hacking/index.html (July 8, 2009).
[3] Siobhan Gorman & Evan Ramstad, Cyber Blitz Hits U.S., Korea, Wall St. J., http://online.wsj.com/article/SB124701806176209691.html (July 9, 2009).
[4] Larry Dignan, Cyberattacks on Critical Infrastructure Intensify, ZDNet, http://m.zdnet.com/blog/btl/cyberattacks-on-critical-infrastructure-intensify/47455 (Apr. 19, 2011).
[5] Denial of Service Attacks, CERT, http://www.cert.org/tech_tips/denial_of_service.html (last visited July 9, 2009); About CERT, CERT, http://www.cert.org/meet_cert/ (last visited July 10, 2009).
[6] Kelly Jackson Higgins, Permanent Denial-of-Service Attack Sabotages Hardware, Security Dark Reading, http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201088 (May 19, 2008).
[7] Id.
[8] See, e.g., Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (first party property coverage for data damaged because of hacker attack or computer virus); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. Apr. 18, 2000) (construing “physical damage” beyond “harm of computer circuitry” to encompass “loss of access, loss of use, and loss of functionality”).
[9] Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837-39 (W.D. Tenn. 2006) (finding coverage under business interruption policy for computer corruption); see also Scott N. Godes, Ensuring Contingent Business Interruption Coverage, Law360 (Apr. 8, 2009), http://insurance.law360.com/articles/94765 (discussing coverage under first party policies resulting from third party interruptions).
[10] For example, in Retail Ventures, Inc. v. National Union Fire Insurance Co., No. 06-443, slip op. (S.D. Ohio Mar. 30, 2009), the court held that a crime policy provided coverage for a data breach and hacking attack.
[11] See, e.g., Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002).
[12] See, e.g., Claire Wilkinson, Is Your Company Prepared for a Data Breach?, Ins. Info. Inst., at 20 (Mar. 2006), http://www.iii.org/assets/docs/pdf/informationsecurity.pdf (discussing the Insurance Services Office, Inc.’s endorsement for “electronic data liability”).
[13] See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).
[14] See, e.g., Harsco Corp. v. Scottsdale Ins. Co., No. 49D12-1001-PL-002227, slip op. (Ind. Super. Ct. Apr. 26, 2011).
[15] See MBIA Inc. v. Fed. Ins. Co., 652 F.3d 152, 160 (2d Cir. 2011).
[16] See Eyeblaster, 613 F.3d at 804.
Disclaimer:
This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author’s law firm and/or the author’s past and/or present clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction. The opinions expressed here belong only the individual contributor(s). © All rights reserved. 2011.
Posted by Scott Godes 
