Headlines about massive cyber incidents at major companies have become almost routine. It is now universally agreed that every company should expect to confront a data breach or other type of cyber incident at some point, and some commentators even anticipate that most companies will face at least one successful cyberattack this year. The annual economic consequences of commercial cybercrime are projected to hit $6 trillion by 2021, according to a report by Cybersecurity Ventures, with the estimated average cost of each of these incidents approaching $4 million. Attacks are perpetrated by a range of wrongdoers, from disgruntled employees and other internal actors to criminal syndicates, nation states, political activists and other external actors.


Types of Cyber Incidents

Commercial cyber incidents take many different forms, including:

(1) Business Email Compromise (BEC). In a typical BEC, fraudsters identify and target corporate employees with responsibility for financial matters (accounts payable, treasury, payroll) and then use various scams to deceive them into transferring funds to accounts controlled by the fraudsters. These scams include (a) spoofing email accounts and websites so that an instruction to transfer money appears to come from the employee's supervisor or otherwise appears legitimate; (b) spear-phishing, in which targeted emails appear to originate from trusted sources; and (c) malware used to infiltrate legitimate email threads and divert payments by inserting billing and account information associated with accounts controlled by the fraudsters.

(2) Ransomware. Ransomware is a form of cyber extortion in which malicious links, attachments or other malware delivery vectors are used to plant code that encrypts commercial data. Once the data is locked, the attackers demand payment to decrypt it, and increasingly also threaten to disclose data exfiltrated before encryption unless the ransom is paid. The FBI has said that ransomware is the fastest growing malware threat.

(3) Distributed Denials of Service. A distributed denial-of-service (DDoS) attack renders a targeted server, service, or network inoperable or sluggish by overwhelming the system or surrounding infrastructure with a flood of Internet traffic sent simultaneously from many compromised or co-opted sources.

(4) Data Breaches. More generally, a data breach is any incident involving information that is accessed or obtained without authorization. Data breaches may be caused by malicious attacks or inadvertent human error. Personally identifiable information, such as credit card numbers and Social Security numbers, is the most common form of compromised data.

(5) Thefts of Intellectual Property. Cyberattacks are sometimes designed to steal intellectual property. In particular, profit-driven nation-state actors have been known to target data housed by U.S.-based companies that can be exploited to accelerate their own programs or otherwise for their benefit.
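The header and payment-detail checks that a mail gateway or accounts-payable workflow would apply to catch the BEC patterns described in item (1): display-name spoofing of an executive, a lookalike sender domain, a Reply-To that routes answers elsewhere, and a beneficiary account that differs from the one on file for a vendor. This is an added example in Python and is not part of the original article; the corporate domain example-corp.com, the executive directory, the vendor ledger for acme-supplies.com and the three sample messages are all constructed for illustration.

```python
"""Header and payment-detail checks for business email compromise (BEC).

Added example, not from the article. The corporate domain, executive
directory, vendor ledger and the three sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}                      # hypothetical own domain
KNOWN_EXECS = {"jane doe": "jane.doe@example-corp.com"}     # hypothetical directory
VENDOR_ACCOUNTS = {"acme-supplies.com": "GB29NWBK60161331926819"}  # hypothetical ledger
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted, max_dist: int = 2):
    """Return the trusted domain that `domain` imitates, or None when the
    domain is itself trusted or is not close to any trusted domain."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)

    # 1. An executive's display name on an address that is not theirs (spoofing).
    known = KNOWN_EXECS.get(name.strip().lower())
    if known and addr != known:
        findings.append("display-name-impersonation")

    # 2. Sender domain within two edits of a domain we trust (examp1e vs example).
    imitated = lookalike(from_domain, TRUSTED_DOMAINS | set(VENDOR_ACCOUNTS))
    if imitated:
        findings.append(f"lookalike-domain:{from_domain}~{imitated}")

    # 3. Reply-To steers the conversation to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Invoice names a beneficiary account other than the one on file for
    #    this vendor (payment diversion inside an otherwise legitimate thread).
    vendor = imitated or from_domain
    on_file = VENDOR_ACCOUNTS.get(vendor)
    body = msg.get_payload() if not msg.is_multipart() else ""
    if on_file and any(iban != on_file for iban in IBAN_RE.findall(body)):
        findings.append("beneficiary-account-changed")
    return findings


# Constructed sample messages (not real traffic).
EXEC_SPOOF = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-attacker.example
To: ap@example-corp.com
Subject: Urgent wire before close of business

Please process the attached wire today and confirm. Jane
"""

VENDOR_DIVERSION = """\
From: Accounts <billing@acme-supp1ies.com>
To: ap@example-corp.com
Subject: Re: Invoice 4471 - updated remittance details

Our bank has changed. Please remit to IBAN GB82WEST12345698765432 from now on.
"""

GENUINE_INVOICE = """\
From: Accounts <billing@acme-supplies.com>
To: ap@example-corp.com
Subject: Invoice 4471

Please remit to IBAN GB29NWBK60161331926819 within 30 days.
"""

if __name__ == "__main__":
    for label, raw in [("exec", EXEC_SPOOF), ("vendor", VENDOR_DIVERSION),
                       ("genuine", GENUINE_INVOICE)]:
        print(label, check_message(raw) or "clean")
```

Each indicator the check records (the spoofed header, the redirected Reply-To, the changed account number) is also a fact that matters later in a coverage dispute: it documents the chain between the initial computer contact and the eventual wire, which is exactly the causation question the Computer Fraud cases discussed below turn on.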


Types of Insurance Policies That Might Cover Cyber Incidents

Given the increasing frequency and costs of cyber incidents, there is growing demand for insurance policies that cover associated first-party and third-party expenses and losses. Whether a particular policy answers a claim relating to a cyber incident, however, is not always clear, and the law is still developing.

With respect to traditional general liability policies, a small but growing body of case law indicates that these policies do not cover many of the losses that typically result from cyber incidents. In addition, general liability policies now often expressly state that "property damage" excludes loss of or damage to electronic data and, more broadly, exclude claims arising out of privacy-related incidents.

Personal and Advertising Injury provisions found in many general liability policies typically insure losses arising out of "publication of material that violates an individual's right to privacy." However, efforts to secure coverage under those provisions have met with mixed results. Several courts have denied coverage based on a lack of "publication" to third parties or on the basis that the privacy breach was committed by a third party rather than the policyholder.

On the other hand, Computer Fraud coverage that is sometimes included as an endorsement in general liability policies or as an insuring clause in crime policies may provide coverage for economic loss "resulting directly from the use of any computer to fraudulently cause a transfer of that property." Virtually all courts that have addressed these clauses have required proof of direct causation between use of a computer and the subsequent economic loss. It is therefore important to understand the nature and extent of intervening steps between the initial computer contact (e.g., the spoofing or malware) and the eventual loss (e.g., the outgoing wire transfer). Compare Medidata Sol. v. Fed. Ins. Co., 729 F. App'x 117 (2d Cir. 2018), with Commc'ns Int'l v. Great Am. Ins. Co., 731 F. App'x 929 (11th Cir. 2018).

Another important question under Computer Fraud clauses is whether the incident involved an "unauthorized entry" into the policyholder's computer systems, as coverage has been denied when such unauthorized access is not proven. See Miss. Silicon Holdings v. Axis Ins. Co., 2020 WL 869974 (N.D. Miss. Feb. 21, 2020) (finding that transfer of funds following spoofing was caused by employees' conduct and not by "fraudulent entry of Information into or the fraudulent alteration of any Information within a Computer System"); Aqua Star (USA) v. Travelers Cas. & Sur. Co. of Am., 719 F. App'x 701 (9th Cir. 2018) (finding that exclusion for losses resulting from data input by "person having the authority to enter the Insured's Computer System" barred coverage where fraudulent transfer was initiated by employee who was authorized to perform such transfers).

To address this uncertainty in general liability coverage for cyber losses, cyber-specific policies have become a more routine component of corporate insurance programs. In these policies, first-party coverage typically includes repair or replacement costs for lost or damaged data, business interruption losses, and remediation, including expanding security measures and notification and/or credit monitoring to victims. Third-party coverage in these cyber-specific policies typically includes defense costs and indemnification of claims for damage by clients, customers, or other third parties.

Even with respect to these cyber-specific policies, many provisions remain largely untested, and the outcome of coverage disputes will turn on application of the specific policy language to the unique facts presented by a particular incident. Insured entities seeking first- or third-party coverage under cyber-specific policies may face a range of complicated legal and factual issues, including the definition and number of occurrences; the nature and sufficiency of information to substantiate a claim; satisfaction of preconditions to coverage (including compliance with applicable security measures); and the appropriate calculation of loss for covered incidents. Calculating business interruption expenses following a breach may be particularly challenging given issues specific to cyberattacks (e.g., distinguishing between losses resulting from a policyholder's covered business interruption and more general reputational harm that is not typically covered).

Some of the issues that are likely to arise in cyber-related coverage disputes include the following:

PCI Costs: While Payment Card Industry (PCI) coverage typically includes fees, assessments, and penalties against the policyholder for a security incident, the language of these provisions is often not expansive. For example, in P.F. Chang's China Bistro v. Federal Insurance Co., 2016 WL 3055111 (D. Ariz. May 26, 2016), where the hack of a restaurant chain's computer system compromised more than 60,000 credit card numbers, the court upheld a denial of PCI coverage for $1.7 million in fees assessed by the bank that provided card processing services to the restaurant. Although the court acknowledged that the fees potentially constituted "privacy notification expenses" within the meaning of the policy, it ruled that PCI coverage was not available because of a policy requirement that the entity making the claim against the insured also own the compromised records. The court found that the compromised records belonged to the credit card company, not the bank that processed the transactions.

Territory Conditions: Territory conditions may create contested issues concerning the geographic location of the incident in question. Resolving such issues is likely to require expert testimony relating to origins of malware, fraudulent emails, and other aspects of cyber incidents, and could limit dismissals based on dispositive pre-discovery motion practice. See, e.g., Quality Plus Servs. v. Nat'l Union Fire Ins. Co. of Pittsburgh, 2020 WL 239598 (E.D. Va. Jan. 15, 2020).

Regulatory/Compliance Coverage: As New York and other jurisdictions adopt and begin to enforce comprehensive cyber regulations, questions will increasingly arise about the scope of policies that expressly predicate coverage on the occurrence of an actual incident when regulatory inquiries or findings are made absent any such incident. And even where policies include provisions relating to regulatory violations, coverage disputes might arise as to the meaning of critical policy terms (e.g., "data breach" or "security event"), particularly where those terms are defined more narrowly than the corresponding regulatory definitions.

Exclusions Barring Coverage: Disputes regarding cyber coverage are also likely to involve standard exclusions. For example, exclusions for claims arising out of the policyholder's contractual obligations may prove outcome-determinative in situations involving third-party vendors. So, too, a Terrorism/War Exclusion may give rise to complicated questions of policy interpretation. In this regard, several insurers denied coverage for losses arising out of the massive "NotPetya" ransomware attack on the basis of a war exclusion and purported Russian military responsibility for developing the malicious code.

Bryce Friedman and Nick Goldin are partners at Simpson Thacher & Bartlett. Karen Cestari, Jonathan Kaplan and Jacob Lundqvist provided valuable assistance in the preparation of this article.