In what may be the most widespread cyber incident in history, a defective software update from the global cybersecurity firm, CrowdStrike, led to an abrupt outage among airlines, banks, and hospitals. While CrowdStrike took responsibility for this failure and has since addressed the software issue, many businesses are still grappling with the effects of the outage. According to a market-leading cyber risk analytic firm, insured losses are expected to reach into the hundreds of millions (and perhaps even billions) for businesses who have faced contingent business interruptions.

CrowdStrike’s outage has the potential to be a major event for cyber insurance carriers and their insureds. Airlines, healthcare facilities, and banking institutions will be looking to their cyber policies to recoup their losses. Specifically, impacted businesses should focus on whether their policies cover “dependent” or “contingent” system failures. Unfortunately, merely having coverage for attacks on a shared computer system is not sufficient; insureds must determine whether their policy also has coverage for an inadvertent outage on the network of a company that the insured depends upon to conduct business. Ideally, the full policy limits should be offered but this coverage is sometimes sub-limited. Lastly, insureds must determine whether the time during which they incurred lost income and extra expenses because of the outage exceeds the policy waiting period, which is typically in the range of eight to twelve hours.

One of the many lessons to learn from CrowdStrike’s debacle is that policy wording matters. Now more than ever, impacted businesses should dive into their current policy and see how policy provisions are phrased, and whether their broker has negotiated the best available coverage. If not yet in the policy, insureds are encouraged to explore coverage for contingent system failure. With losses mounting due to the CrowdStrike outage, businesses should also work on business continuity planning should another major IT meltdown take place again. 

Under Texas law, a carrier must show an intent to deceive in order to deny coverage based on a material misrepresentation in an application. The insured was a holding company (the “Company”) that included dozens of subsidiaries, through which the Company operated battery recycling facilities and manufactured supplies for the oil exploration industry. The Company renewed its D&O coverage for itself as well as its subsidiary companies. During the renewal process, underwriters were provided with a consolidated balance sheet that represented some of Company’s long-term debt. Prior applications with the same carrier had disclosed the full extent of the debt. 

Following renewal, the Company was sued for allegedly fraudulently inducing the purchase of notes by failing to disclose that a subsidiary had engaged in market manipulation and price fixing in Europe. The Company noticed the suit, which was denied by the carrier. The denial letter referenced the Company’s long-term debt, but it relied on an exclusion for claims brought against security holders of the Company’s subsidiary as the basis for the denial. The lawsuit later settled, and the Company filed suit against the carrier alleging, among other things, breach of the insurance policy and bad faith. During litigation, the carrier argued that coverage under the policy was barred by the Company’s material misrepresentations of the full extent of its long-term debt in its insurance application. The lower court, applying Nevada law, agreed, finding there was no coverage because of the material misrepresentation. The decision was appealed.

Ultimately, the Ninth Circuit determined Texas law applied to the carrier’s affirmative defense of material misrepresentation. Under Texas law, the carrier was required to show, in addition to a material misrepresentation, “1) that there was intent to deceive on the part of the [Company]; and (2) that [the carrier] gave notice to the [Company] of its refusal to be bound by the policy, within 90 days of discovering the falsity of the application.” Therefore, the lower court’s decision was reversed and remanded. 

A federal court’s decision reiterated the importance of noticing all written demands as claims within the policy period, especially if a remote possibility that the issue could resurface in the future exists.

This case involved an Insured accounting firm’s agreement to serve as an Independent Trustee for the closing and liquidation of a Charter School. While serving in this capacity, the Insured received letters from a judgment creditor of the Charter School requesting public records pursuant to the New Jersey Open Public Records Act. Subsequently, the judgment creditor filed a complaint with the New Jersey Government Records Counsel (the “GRC”), who filed interim orders on the matter. Most notably, the GRC distributed a Second Interim Order in which the GRC found in favor of the judgment creditor and awarded attorney’s fees. Later, the Insured filed a Request for Reconsideration in which the Insured, among other things, referenced “potential disputes” with the judgment creditor that may result in further disputes.

Eventually, the Insured was served with a Complaint filed by the judgment creditor seeking the books and records previously requested, dissolution of the Charter School, and bank records. The Insured reported the Complaint to its insurer under the professional liability insurance policy. The date of the Complaint’s filing fell within the policy period; however, the date when GRC issued a Second Interim Order fell before the inception of the policy at issue. Subsequently, the insurer issued a denial letter citing a late notice issue, the Prior Notice Exclusion, and a warranty statement provided by the Insured, all relating to the complaint, letters, and orders issued prior to the inception of the policy.

The policy defined Claim as a "demand received by you for money or services naming you and alleging an act or omission, including personal injury or advertising injury, in the rendering of professional services.” According to the court, the Second Interim Order “clearly found the Insured liable for damages in the form of attorney's fees,” which met the definition of Claim. Therefore, the GRC Second Interim Order was a Claim that was first made before the noticed policy’s inception. Because the Second Interim Order and the Complaint were “interrelated claims,” there was no coverage for the Complaint, too.

The court also ruled that the Prior Knowledge Exclusion applied to bar coverage for the matter. The Prior Knowledge Exclusion provided coverage would only be available for a Claim if “prior to the effective date of this Policy, none of you had a basis to believe that any such act or omission, or interrelated act or omission, might reasonably be expected to be the basis of a claim.” In deciding this question, the court utilized the subjective-objective test. Under this analysis, the exclusion was satisfied "if the insured had knowledge of the relevant suit, act, error, or omission”—subjective awareness. And “whether a reasonable professional in the insured's position [would have expected] a claim or suit to result”—objective awareness. The court ruled that the Request for Reconsideration filed by the Insured satisfied both, subjective and objective, prongs of the test. Thus, Prior Knowledge Exclusion was triggered as a bar to coverage.

The New York State Department of Financial Services (DFS) recently issued an Insurance Circular regulating the use of artificial intelligence (AI), “external” consumer data, and information sources in the underwriting and pricing of insurance policies. The DFS seeks to ensure the responsible use of this technology, particularly around the prevention of unlawful discrimination in its deployment.

Insurers will be required to produce “proxy assessments” to demonstrate that the use of data derived from this technology does not have a discriminatory impact upon protected classes. The DFS also mandated oversight of the use of AI and external data sources by the insurer’s Board of Directors and senior executives. Insurers are expected to be transparent about their use of AI and to disclose how this technology influences underwriting and pricing decisions. Insurers must also provide consumers with a basis for any adverse decisions resulting from reliance upon such data sources. Recognizing the role of third-party service providers in the field of AI, the DFS clarified that insurers will be responsible for selecting vendors who comply with applicable laws and regulations governing the use of AI.

While AI promises to bring efficiency to the insurance industry by aggregating data and streamlining business processes, regulators are keen to ensure consumers’ rights are not sacrificed in the process. Apart from the obvious need to protect confidential data (the breach of which could trigger coverage under a Cyber insurance policy), the focus on non-discrimination suggests that third-party civil rights claims could result from the misuse of AI, which have the potential to trigger Employment Practices Liability coverage.