Those who follow the fast-moving growth of cyber-insurance as a product have been waiting for the other shoe to drop: coverage litigation, particularly about the many loopholes and limitations in first-party coverage for data breaches and similar events. One such shoe has now dropped, in the form of a federal-court complaint filed in Oregon, by Travelers, seeking to avoid paying out first-party losses for a malware event at a web-hosting/management company. The basis for the dispute appears to be the timing of the malware infection – that is, whether the infection occurred before the policy period/retroactive date – which we have noted before as a significant concern with cyber coverage.
The insured here, Peak Web, is in the business of designing, building and managing web-sites and online applications for other companies, including online gaming companies. Travelers sold Peak Web a cyber coverage policy (its “CyberFirst” policy, which is marketed as being for technology companies) beginning in June 19, 2015. (The complaint does not say whether that was the first cyber policy that Peak Web had purchased.) Peak Web experienced a network outage on October 27, 2015, and additional outages on a few occasions thereafter, that were caused by a “bug” in software installed on Peak Web’s system.
Peak Web sought payment of first-party expenses incurred as a result of the outages. First-party expenses normally covered under the CyberFirst form include business interruption, data restoration costs, and “crisis management” costs, which can include public relations and legal advice on notifications to customers.
In the suit, Travelers asserts that some or all of the expenses submitted by Peak Web are not in fact covered by the policy. Although the complaint does not specify the basis for that position, its recitation of certain parts of the policy suggest that the dispute is about when the software bug entered into Peak Web’s system and when it first caused any kind of incident.
Travelers cites portions of the policy that exclude coverage: 1) if the insured’s “wrongful act” — the act that allowed the bug in, in the first place — happened before the policy period began and/or before the “retroactive date,” which is the date the insured first bought this type of policy; 2) if the first in a series of “computer system disruptions” occurs prior to the policy period; or 3) if the first “computer violation” in a series occurs prior to the policy period. (These are limitations commonly found in cyber-risk policies from many insurers.)
The implication from these citations to portions of the policy is that Peak Web did not have cyber insurance before the Travelers policy and that the “bug” entered the system and caused some level of disruption or outage before June 19, 2015, even if the “big one” didn’t occur until October. That suspicion about the infection occurring four months or more before the major outage would be consistent with the statistics about the long average gap in time between when a network intrusion occurs and when it is discovered. If the bug was allowed to infect the system before the policy incepted, and caused any type of damage before that date as well, none of the first party costs would be covered, under Travelers’ view.
This kind of coverage dispute may be very hard to avoid, even by buying cyber coverage as early as possible to fix an early “retroactive date,” which we have written about before. But it certainly illustrates that the Pollyanna attitude of many in the industry that first-party claims will be covered and not to worry, is not something that anyone can rely on.