After a 2017 global malware attack disrupted Merck’s worldwide operations — including manufacturing, research and sales — the giant drugmaker was shocked when its insurance carrier declined to cover an estimated $1 billion-plus in losses caused by the cybercrime.
The insurer claimed the attack was an “act of war” — which is excluded under most policies — and Merck waged a multi-year court battle until a New Jersey judge recently ruled that the company is entitled to up to $1.4 billion in damages. Experts say this case serves as a cautionary tale for small businesses that are hacked: they may get an unpleasant surprise when they file their own cybersecurity claims.
“I find that most smaller- and mid-sized businesses do not have cybercrime or cyber liability insurance,” cautioned Thomas Novak, a Sills Cummis & Gross PC member. “Both coverages are often offered by insurers as part of a package policy in conjunction with D&O [directors and officers liability] insurance and EPLI [employment practices liability insurance]. Businesses without D&O almost never have either coverage. Even small- to mid-sized businesses that have D&O rarely purchase cyber liability. Additionally, cybercrime is often covered by crime policies, but few small- to mid-size businesses take this coverage.”
Watch out for hidden traps
Business owners should have a good understanding of just what their insurance policies do, and do not, cover, cautioned Steven Weisman, a partner at McCarter & English LLP. “Over the years, the market started developing cyber-risk coverage, and expanded it to include ransomware and other coverage,” he said. “But you have to look beyond that. For example, what if your business gets hacked and then loses revenue because it has to shut down for a period of time? Some companies might look to their commercial property policy’s business interruption insurance — companies have had mixed success with this during COVID-19 mandated shutdowns — but first-party property insurance typically specifically excludes coverage for losses due to computer system incidents.”
And it can get even more complicated. “Let’s say you have an outside company handling your payroll, and that third-party vendor gets hacked. Your business may still have some liability,” he said. Will you be covered? It could depend on the way your policy is worded.
Some companies don’t appreciate these nuances “until they have a loss,” he added. “It’s best if they speak with their insurance broker, legal counsel or others to evaluate the scope of their coverage, before something happens.”
The situation is often exacerbated because “most businesspeople do not like to discuss their insurance prior to a loss,” he added. “As a litigator, I usually do not become involved with the situation until after a problem has occurred. Where a client has been hacked and they lack insurance, I review what would have potentially been covered had they purchased the insurance. Where they have insurance but an exclusion applies, I review other policy forms that lack or limit the exclusion so they have better protection going forward.”
Novak and Sills Cummis represented a national nonprofit medical institution that was licensing third parties’ intellectual property to foreign entities. “It had a major concern about being held liable for damages if the IP was not protected or was the subject of a hack,” he said. “We reviewed the various coverages available in the marketplace and ultimately negotiated a surplus lines coverage that met its somewhat unique needs. Cyber risk lies at the intersection of two different coverages: crime and cyber liability. Cybercrime is typically covered by a crime policy whereas cyber liability is covered by a cyber liability policy. Few policies cover both of these risks.”
A desire for a robust cyber policy isn’t enough, cautions Brian Blaston, a partner at Hardenbergh Insurance Group. Often, the client seeking a comprehensive cyber policy has to meet certain standards set by individual carriers. “We’re working with a client in the educational space that’s potentially a target because of the personal information it has,” he said. “We’ve connected them to a resource that can assist with cyber security measures and we’re getting them to a spot where they can qualify for more-robust coverage at a reduced cost.”
Unfortunately, many smaller companies don’t think about cybersecurity until they’re hacked or they find out about a cyberattack, he added. “They feel they’re not a target, but the reality is many are vulnerable to ransomware, for example. The objective is to try to create a risk management plan that, hopefully, you’ll never have to use.”
Going the distance
Insurers increasingly want to see “demonstrable representations from their insureds that reasonable security is in place,” noted Steven Teppler, co-chair of the American Bar Association’s Information Security Committee. “It begins with a company knowing what’s in its information system, its hardware and software, what kind of access people in the organization have, and how well it’s protected against an outside attack. Often a company will bring in an outside expert, under attorney-client privilege, to evaluate the system. I often explain the situation like this: ‘If you’ve got 11 doors, and only 10 are locked, then you might as well have no locks at all.’”
The Merck coverage dispute was over a “hostile/warlike action” exclusion contained in a property policy, noted Karen Painter Randall, chair of Connell Foley’s Cybersecurity, Data Privacy and Incident Response Group. “Nonetheless, even with standalone cyber liability policies, it is important for small- and medium-sized business owners to have a clear understanding of what coverage, exclusions and enhancements are being offered. The devil is in the details, so it is important to work with an experienced cyber liability broker and cybersecurity counsel when exploring cyber and other companion coverage.”
The rise in ransomware and other costly cyberattacks means that “insurers are vetting potential insureds more closely, by demanding much more information before binding the business,” she added, as well as “confirming that companies are following an approved framework to ensure proper cybersecurity measures are in place, such as patch management, multifactor authentication and an incident response plan.”
A business should also plan ahead. “We recommend that our clients work closely with an experienced cybersecurity team, including key stakeholders, IT, legal and cyber liability brokers, to prepare for policy renewal at least six months before the renewal date to evaluate their current security posture and identify any problem areas before going out to market,” Randall said. “Going through this exercise not only prepares the client for renewal to ensure proper coverage but helps to identify and address potential vulnerabilities early on to prevent a cyberattack.”
In fact, it’s vital “not to wait for an incident,” warned McElroy Deutsch partner Diane Reynolds. “As part of our annual review with each client, we help them to review their cyber coverage to ensure they have sufficient coverage to guard against risks they may face. We can also help them to train and monitor their employees, since human error is often one of the biggest vulnerabilities.”
That kind of planning pays off. “A large and growing financial services company located in the Northeast approached us even though they had not suffered any cyber incidents,” she recalled. “We had an interdisciplinary team made up of technical, legal and other professionals evaluate their systems, practices, and any regulatory guidance. Consequently we were able to address their potential cyber issues in an economical manner, while placing them in a very strong position regarding their legal, network, policies, procedures, training, and overall corporate practices. In fact the client then leveraged this competitive advantage as a way to attract new business. So you could view the entire exercise as a capital investment.”