Ransomware attacks and cybersecurity breaches are front of mind in the insurance market, particularly the concern that alleged data breaches will result in criminal proceedings.
In this article, James Breese considers some of the coverage issues that may arise for such risks under cyber and directors and officers (D&O) insurance policies.
A former security officer at Uber is facing criminal charges in the USA for alleged failings in relation to a data breach in 2016. The individual is currently standing trial. Uber has already paid $148m for its alleged failure to disclose the data breach.
In the UK, the Information Commissioner’s Office has launched criminal proceedings against eight individuals suspected of conspiring to steal personal data between 2014 and 2017.
Developments such as these are of increasing concern to companies and directors.
Let us look at a hypothetical scenario and assume:
(a) a company has been the subject of a hacking attack, (b) data has been stolen, and (c) the company and the director responsible for data and cyber security are alleged to have breached their respective duties and obligations. The company has a cyber liability policy in place and a D&O policy.
We briefly consider five coverage issues that may arise: (i) double insurance, (ii) prior circumstances and claims exclusion clauses, (iii) conduct exclusions and their final adjudication wording, (iv) fines and penalties, and (v) policy limits.
The starting point is that, subject to the specific provisions of the two insurance policies, both policies could respond to provide cover for defence costs. In a typical cyber liability policy and D&O insurance policy, defence costs cover (for the company and individuals, respectively) will be included as standard. This will cover "the reasonable and necessary fees and costs incurred with prior written agreement" in responding to a covered claim. This presents the first potential coverage issue.
(i) Coverage gap or double insurance?
The company and its directors may expect to be adequately covered with complementary cyber and D&O policies. However, the directors may be disappointed to discover that the cyber policy does not extend to cover proceedings against individuals, while the D&O policy may contain a cyber exclusion. If so, and if their employer does not indemnify them, they may find themselves left to fight the criminal proceedings unprotected and personally exposed to substantial defence costs.
Alternatively, both policies may appear to respond to the event. That seems a better starting point but can also give rise to challenges. The insured may be free to claim from either policy, subject to the provisions in the respective policies. Those provisions may require the insured to disclose the existence of the other policy, may seek to pass the liability to one policy or the other, and/or may apportion the insurers' liabilities between them. Whichever route is taken, the insured cannot recover twice for the same loss.
This is further complicated where costs may be incurred for the joint representation of the company and its directors, engaging the provisions of the cyber policy on the one hand and the D&O policy on the other. Either or both policies may have express allocation clauses governing the coverage of defence costs incurred for the purpose of both covered and uncovered matters/persons. If the clauses in each policy do not marry up, there is potential for dispute over which policy is to respond and to what extent.
(ii) Prior circumstances and claims
Under a D&O policy, an insurer will generally exclude liability for any loss that arises out of a circumstance notified under another insurance policy before the inception of the D&O policy but not disclosed during the presentation of risk for the D&O policy.
In the two cases mentioned above, the allegations relate to conduct five to eight years earlier. They are, in principle, relevant to more than one insurance policy. None of this is uncommon for D&O claims. Complaints may first be raised against the company, which may turn into formal allegations against the company and eventually materialise as allegations against individual directors.
It would be prudent to consider whether to make appropriate notifications across the whole suite of insurance policies that an insured holds, so as to mitigate so far as possible the risk of insurers invoking exclusion clauses at a later date.
(iii) Conduct exclusion
While both policies could, in principle, respond, both are likely to include exclusions or carve-outs for certain acts or conduct. There will be no cover for fraudulent, dishonest, criminal or intentional conduct.
Such exclusions will generally only apply where: (a) the allegations are established by a final adjudication, or (b) the allegations are admitted by the insured. This means the insured is treated as innocent until proven guilty, and the insurer agrees to advance defence costs for the conduct of the claim until any guilt is established. If guilt is established, the policy will usually entitle the insurer to recover the defence costs it has advanced.
An exclusion clause such as this may be found in either of the two insurance policies we are considering. It may feature in the cyber policy to limit insurers’ exposure for any first-party cyber losses where there has been fraudulent, dishonest or criminal conduct.
The same or a similar clause will exist in the D&O policy. In the context of criminal proceedings arising from a cyber breach, policyholders should be alive to the provisions of the conduct exclusion but wary of any attempt by insurers to rely on it until criminal liability is established (not just alleged).
(iv) Fines and penalties
Subject always to the ‘conduct exclusion’, it may be possible for some fines and penalties to be insured under a cyber or D&O policy. Cover may be available for regulatory fines or penalties that are lawfully insurable.
This does not displace, however, the legal maxim that no cause of action can arise from an illegal act. This is generally taken to preclude coverage of liabilities arising from criminal acts (although not negligent ones, which are generally the intended focus of the cover).
Whether or not an insurer is liable to indemnify a fine or penalty that is imposed may turn on whether the insured is alleged to have committed a strict liability offence, where there may be no requirement of intent or even knowledge. On our facts, this may open the possibility of a fine or penalty being indemnified where the alleged data breach results from oversight or human error rather than anything more sinister. The insurability of fines for strict liability criminal offences remains untested, but in principle there is no public policy or common law bar to recovery.
(v) Policy limits
One final point to mention is the possible erosion of policy limits where insurers assume the conduct of the defence to any or all allegations. Insurers often have a right but not an obligation under the policy(ies) to take over the defence.
Subject to how the policies are structured, insurers' conduct of the defence could erode the separate limit available to pay any damages, settlement or fine for which the company and/or the director become liable. This may happen if the defence costs are paid out of an overall policy limit and are not ring-fenced. The converse is also true. Where the entity itself has cover under the D&O policy, for example, it may be important for insured persons under that policy to protect themselves by ensuring that the limit available for their defence costs is not eroded by any settlement the entity may reach.
Policyholders need to proceed carefully when considering whether to notify a claim, and to which policy or policies. Some coverage disputes could be avoided if insurers are not presented with unfortunate technical defences. In the most serious cases, the alleged breaches of duty underlying such claims will have severe consequences for companies and directors alike.
If the ICO and others are increasingly prepared to pursue criminal proceedings in cases of data breach, then insureds should consider the extent to which protection may be available under either cyber or D&O policies if criminal allegations are levelled. On close examination, the answer may not be exactly as expected.