Coverage Disputes in Hacking and Ransomware Claims Cyber Risk Coverage
Most businesses now have coverage for cybersecurity loss. Cyber endorsements include coverage for the policyholder, including reimbursement of ransom payments, forensic investigation expenses, public relations expenses, and other expenses caused by the loss, including time element damages (business income). Coverage is afforded to policyholders for their losses and third-party claims against them. And, while large companies are reluctant to admit to the security breach, insurance companies have looked for loopholes to avoid paying for coverage. One such issue is what constitutes a “loss.” If an insured takes steps to mitigate the loss, including issuing customer refunds, vouchers, discounts, etc., Insurance Underwriters, Inc. , 90 F.4th 847 (5th Cir. 2024), the 5th COA was left to determine whether there was coverage for losses claimed by Southwest. They claimed the loss under their Cyber Risk coverage and System Failure coverage, which covered “all loss ... that an Insured incurs ... solely as a result of System Failure.” AIG sold the policy are those covered by the policy? In Southwest Airlines Co. v. Liberty
form, and Southwest purchased excess follow-up forms through other insurers, with Liberty Insurance only implicated if the losses exceeded $50 million. Southwest Airlines claimed to have incurred costs related to a computer system failure that led to a three-day disruption of its flight schedule. Southwest issued vouchers, coupons, refunds, promo codes, and advertising costs associated with the disruption. Liberty argued that those were not “losses” but rather discretionary costs associated with a “business decision.” The policy in question failed to define “incur” or “solely” but did define “losses” as “the actual and measurable interruption or suspension of an Insured’s business directly caused by … a System Failure.” The Court of Appeal reversed the trial court and found that the decision to issue the vouchers, refunds, promos, etc., while decided by Southwest Airlines, was precipitated by the root cause of loss — the disruption of the computer system. Liberty argued it wasn’t fair to allow its insured to define losses by its choice of
refunds — the court rejected the argument, relying on long-standing insurance law principles. First, policies and forms within should be harmonized to afford the coverage reasonably expected to be provided. Liberty’s position was the opposite — it wanted the exclusion to narrow the coverage to almost nothing. Second, courts and juries are well-equipped to handle causation issues in damages claimed by policyholders. The court noted this while upholding the long-standing indemnity principle in insurance coverage, and policyholders should not be put in a better position than they were had the loss not occurred. Third, the COA reinforced the basic premise of bad faith liability — insurers owe a duty to pay for claims when liability for those claims is “reasonably clear.” Or, stated another way, where there was a fact issue on whether there was a reasonable basis to deny the claim. It is not unusual right now for businesses to suffer disruptions based on a breach of their computer systems. At the same time, businesses are not always forthcoming about the loss. However, many companies have coverage for these disruptions, including time element coverages (like Business Income Loss) and other losses to mitigate the damage. The coverage for those losses will depend on the policy’s language, but the rules governing the payment of those losses are the same as those for any claim: Your insurance
company should pay the claim if liability is reasonably clear .
–Clint Brasher
2 || brasherattorney.com
Made with FlippingBook Ebook Creator