For businesses both large and small, cybersecurity threats continue to proliferate, to the point where being the victim of a cyberattack seems almost inevitable. According to a recent study, cybercrime cost the global economy $454 billion in 2016. As such, cyber insurance policies have become an increasingly popular method of mitigating the resulting losses, which can encompass both financial and reputational harm. For example, insurers have reported a “rapid rise” in cyber insurance policies following the June 2017 “Wannacry” ransomware attack. Even the government is getting involved, as on July 26 of this year, the House of Representatives convened a hearing titled “Protecting Small Business from Cyber Attacks: the Cybersecurity Insurance Option.”

The cyber insurance market is projected to grow from $1 billion in 2015 to over $7 billion in the next five to 10 years, depending on the source of the projection. According to a recent survey, 70 percent of businesses now offload the risk of a cyber-attack to a third-party insurance company. Given recent trends, this estimate is unsurprising. Insurers have taken note: In the early 2000s, fewer than a dozen offered cyber insurance coverage, whereas more than 70 do as of 2016.

Courts have begun to encounter a growing number of disputes over cyber insurance coverage, mostly relating to the scope of coverage, not to its existence. One recent example is the Southern District of New York's decision in Medidata Solutions v. Federal Insurance Co., No. 15-cv-907 (ALC) (S.D.N.Y. July 21, 2017). As discussed in this column, the Medidata court confronted myriad issues, including: (1) whether the insured was covered based on unauthorized access to (not use of) its computer systems; and (2) if there existed a sufficient connection between employee communications with a thief posing as the company's president and the resulting fraudulent wire transfer of nearly $5 million.