CYBER CORNER

A FEDERAL BACKSTOP FOR CYBER INSURANCE?

The Federal Insurance Office (“FIO”), an agency within the U.S. Department of the Treasury, recently requested public comment on whether risks to critical infrastructure from catastrophic cyber events warrant government involvement to offset the potential financial impact. The move was prompted by a report from the Government Accountability Office recommending that the FIO and the U.S. Department of Homeland Security conduct a joint assessment on this issue.


The FIO’s notice in the Federal Register begins by acknowledging that, “through underwriting and pricing, insurers can encourage or even require policyholders to implement strong cybersecurity standards and controls.” However, federal officials remain concerned about the underwriting appetite for cyber coverage. There is precedent for a government backstop on certain lines of insurance: the Terrorism Risk Insurance Program, which was established after September 11, 2001, to help maintain capacity in the Property & Casualty market, and the National Flood Insurance Program are two examples.


The question is whether the time has come for a federal role here as well. Exclusions for war and warlike actions have long been a staple in cyber insurance policies, and Lloyd’s recently took steps to limit coverage in the London markets for large-scale, state-sponsored cyberattacks. Closer to home, a few U.S. insurers have begun inserting “widespread event” exclusions in their policies, cognizant that attacks on key managed service providers could effectively take down whole sectors of the economy.

 

The Takeaway

It is not clear that a federal backstop is necessary, but once taxpayer dollars are involved, the temptation will be great for the federal government to begin dictating the security controls that should be required to obtain insurance. 

COURT LIMITS COVERAGE FOR COMPUTER SYSTEM FAILURE

Southwest Airlines Co. v. Liberty Ins. Underwriters, Inc., No. 3:19-CV-2218-C (N.D. Tex. Sept. 6, 2022)

A federal trial court recently dismissed a case brought by an airline against one of its cyber insurers over a denial of coverage for losses stemming from a failure of the airline’s computer system, ruling that the losses were indirect and either outside the scope of coverage or expressly excluded from the policy.


Although the airline succeeded in getting several insurers on its cyber program to pay on the claim, one of the excess insurers declined coverage on the grounds that much of the claimed loss consisted of various customer promotions, rewards, vouchers, and advertising costs. Applying the policy wording, which called for losses to be incurred “solely” as a result of the system failure, the court found that these costs were born out of “Plaintiff’s desire to protect against potential future losses [arising from] possible customer backlash and ill will.” Accordingly, the court concluded that these expenses, “even if incurred on sound business judgment, were the result of various business decisions not incurred solely as a result of the subject system failure.”

 

The Takeaway

Not every cost a company incurs in the wake of a business interruption is covered under a cyber policy, even if the decision to incur the expense seems prudent at the time. Also, words matter: a simple amendment to the policy to replace “solely” with “proximately caused by” could have made a difference here.