Cyber liability insurance renewals have been complicating many client relationships lately. There are LOTS of changes this year in renewal requirements (I will be talking about these THIS Friday, July 29th—if you are interested in hearing what changes look like, register here).
But one story not being talked about much is how insurance providers are dealing with claims. I know we may tell our clients that their claims will be denied, but there haven’t been a lot of recent denials worth talking about. That’s about to change.
You may remember way back in the winter of 2019 when a relatively large non-profit telemarketing company got hit and actually fired all of its 300 employees days before Christmas. The Heritage Company had gotten hit by a ransomware attack, infecting all of its workstations and crippling its ability to operate. The entire network was kaput.
None of their computers, servers or data were accessible. The CEO had made a hard decision to fire every single employee.
The Heritage Company had been shut down for nearly two and a half months, at which point it was able to restore its systems and begin hiring back all of its employees. That might be a great story in and of itself, but today I want to talk about what just started to boil up years after the original cyber incident.
According to a lawsuit filed back in January of this year, The Heritage Company is suing its insurer, who refused to pay anything from Heritage’s cyber liability insurance claim. The details are still getting sussed out in litigation, but the cyber insurance provider appears to have completely denied the claim, even though The Heritage Company had purchased what it thought to be coverage in the event of a ransomware attack, data loss, data destruction and other incidental losses.
The Heritage Company is claiming that their policy said that they were covered in the event of a loss such as the one they described. But the provider is claiming that the actual insurance policy did not cover such an event. In their policy document, containing 54 pages of insurance language, it is unclear what was and was not covered. The Heritage Company is claiming that if they had known nothing from their traumatic event was covered, they would never have purchased the policy in the first place.
Did they misinterpret the policy document?
Is the dispute about the scope of loss, that is, what is inherently covered by the policy?
Does the policy take a narrow view of what is covered? As in, does it only cover very specific events?
Or does it outline an expansive view of what isn’t covered? As in, does it detail specific events for which the policy would not cover Heritage?
Whatever the outcome of this case, one thing is clear. The Heritage Company thought they had comprehensive coverage.
Couldn’t The Heritage Company be your client? I don’t mean that you would have let a business-shuttering ransomware attack take place on your watch, but if ANY event occurred and your client expected to be covered for it (and it turned out they weren’t), that wouldn’t be an ideal situation.
That is exactly why THIS Friday I will be going through some of today’s big gotchas in cyber liability insurance. I will be diving into many of the requirements that are tripping folks up and may leave them facing a denied claim.
More details at: www.galacticscan.com/friday.
In any event, knowing your risks and what is and is not covered in your cyber liability policy is critical to your cyber risk mitigation plan.