2015 will be remembered as the year the Cyber insurance marketbegan to really take shape. The market remains robust and continuesto present for insurers opportunities for unprecedented growth.However, the market conditions for large and small to medium-sizeenterprises differs greatly. That is because, in part, insurers aretargeting small and mid-size enterprises as highly profitable. 2015will also be remembered as the year data breach coverage disputesunder stand-alone cyberinsurance policies began to leak into thecourts. This article will address these trends of continued, albeitsegmented, market growth and cyber-coverage litigation and whetherwe can expect them to continue in 2016.

An insatiable demand for Cyber insurance

We have continued to see in 2015 once-in-a-lifetime growth inthe insurance market, driven almost exclusively by Cyber insurance.And, growth trends are showing no signs of slowing. According to asurvey conducted by RIMS, 74 percent of those without Cyberinsurance are planning on buying it within the next one to twoyears. Likewise, total annual premiums for stand-alone Cyberinsurance are projected to grow to $20 billion by 2025. This growthstems, in part, from increased awareness of the importance offirst-party Cyber coverage and business interruption risks fromdata breaches.

What is holding back an even greater increase in premiumscollected is the general lack of capacity in the market. Somecarriers are responding by adding capacity. For example, ACErecently announced it will offer Cyber insurance policies with a$100 million limit. Further, despite a reduction in capacity bysome carriers, according to Neeraj Sahni of Willis, largepolicyholders can still obtain maximum limits of between $350million and $400 million, although doing so may requireself-insurance at one or more layers of the tower of coverage.

A related trend that continued in 2015 is carriers retreatingfrom the market. It appears today that fewer than 10 domesticcarriers, plus the London market, remain willing to write primarystand-alone Cyber insurance (other carriers write only excesscoverage). This trend is likely due to: (1) carriers beingsnake-bitten by Cyber insurance losses and the potential fordevastating aggregated losses, (2) carriers not having a comfortlevel with the required qualitative assessments of theirpolicyholders' cyber security defenses (as opposed to quantitativeassessments historically used to underwrite property and casualtyrisks), and (3) the lack of individuals with substantial expertisein both insurance underwriting and cyber security. This talent gapis especially problematic given that the underwriting ofcyber-risks necessitates technical dialogues with the board,including the CISO/CIO/CTO, of highly sophisticated multinationalconglomerates.

A final trend from 2015 is the spike in cost of Cyber insurancerenewals for point-of-sale retailers and large health carecompanies. Some carriers are imposing 150 percent premiumincreases. Companies in those industries, or other industriesplagued by data breaches, must thus be prepared to purchase veryexpensive, albeit necessary, Cyber insurance coverage.

The emergence of Cyber insurance litigation

It was only a matter of time before courts began to see coveragelitigation under stand-alone Cyber insurance policies. Thesepolicies have been sold for years, and data breaches areubiquitous. Moreover, anti-policyholder rulings by Connecticut andNew York courts in prominent coverage litigation under commercialgeneral liability (CGL) policies, in addition to the promulgationby ISO of specific data breach loss exclusions, left Cyberinsurance policies as the last place for policyholders to turn toin the aftermath of a data breach. Coverage disputes under Cyberinsurance policies thus were inevitable.

Two recent cases should inform the Cyber insurance marketplacein 2016 and beyond. First, in Travelers Property Casualty Co.of America v. Federal Recovery Services Inc., a Utah federalcourt found the insurer had no duty to defend its policyholders inthe underlying lawsuit. The most significant aspect of the decisionis that the parties were disputing coverage under the Network andInformation Security Liability and Technology Errors and OmissionsLiability parts of a CyberFirst Policy. This was the first coveragedecision with respect to a standalone Cyber insurance policy.

Notably, the case did not involve a data breach or other likecyber security loss, but rather a classic intent to injure versusnegligent conduct dispute. Nonetheless, it is important torecognize that the court interpreted the terms of the Cyberinsurance policy under the same framework it would use for atraditional CGL or Errors & Omissions liability policy. Thisapproach should reassure those concerned that judicialinterpretations of Cyber insurance policies might be totallyunpredictable (because of their novel terminology). Instead, thedistrict court's opinion suggests that Cyber insurance disputeswill not be decided against a blank canvas.

Second, in Continental Casualty Co. v. Cottage HealthSystems, Columbia Casualty Company (CCC) filed a declaratoryjudgment action in federal court in California, seeking adeclaration that it is not obligated to cover Cottage Health System(CHS) and that it is entitled to full reimbursement from CHS ofdefense costs and settlement payments paid on behalf of CHS. Thelitigation concerns a NetProtect360 policy, containing PrivacyInjury Claims and Privacy Regulation Proceedings coverageparts.

The claim giving rise to the coverage litigation involved a databreach that resulted in the release of private healthcare patientinformation. This spurred a class action lawsuit, which settled for$4.125 million. CCC paid the settlement, but unilaterally reservedits right to seek reimbursement of attorney's fees and settlementpayments attributable to uncovered claims.

The subject policy contained a Failure to Follow MinimumRequired Practices Exclusion, which stated that CCC was not liableto pay any loss based upon CHS' failure to "continuously implementthe procedures and risk controls" identified during theunderwriting process. CCC contends that CHS failed to adhere tocertain basic security practices, and that its failure to do so wasthe cause of the data breach and subsequent loss. These allegedfailures include deficiencies in CHS' file transfer protocolsettings on its internet servers, maintaining security patches,assessing information security exposure, and detecting networkintrusions.

This case was dismissed so the parties could pursue alternativedispute resolution. Nonetheless, this litigation serves as acautionary tale to policyholders to negotiate for the removal ofthese and other broad exclusions from their Cyber insurancepolicies. Policyholders do not want to be like CHS and think theyare covered for data breach losses, only to find out post-breachthat because they did not carefully read the policy, thedeficiencies in their cyber security apparatus left them exposednot only to data breaches, but also may leave them uninsured.

In sum, 2015 was a year of robust overall Cyber insurance marketgrowth, although large accounts and certain industries began tofind that Cyber insurance may not be as viable (read: affordable)an option as it once was. There are no signs of this trend abatingin 2016, especially as market consolidation, the talent gap, and aninability to devise effective data breach modeling persist.Additionally, 2015 saw coverage litigation in its nascent stages.There can be no doubt this trend will continue, too, aspolicyholders and insurance carriers utilize the courts to findcommon ground as to the meaning of non-standardized policy terms.Ultimately, Cyber insurance for data breaches was in 2015, and willcertainly continue to be in 2016, the most important issue to theinsurance marketplace.

Republished from Legaltech News.

You're invited to join us on Facebook!