Cyber breaches are becoming more prevalent, more substantial, and more expensive, making cyber liability insurance essential for the survival of many companies. When cyber events are covered and losses paid, the financial burden is transferred to cyber insurance carriers. In addition to more robust underwriting strategies on the front end, cyber insurance carriers are increasingly turning to subrogation on the back end to offset the financial risks caused by cyber losses. In this article, two experts—Perla C. Heady, assistant vice president and claims counsel for cyber, technology & media liability claims at Sompo International Insurance, and Jean M. Lawler, attorney and commercial and insurance mediator and arbitrator at Lawler ADR Services, LLC—discuss cyber liability risks and the potential use of subrogation to limit losses.
What is subrogation and how are cyber insurance carriers using it to mitigate or limit losses caused by their insureds’ third-party service providers and vendors?
PERLA HEADY: Subrogation is an insurance carrier’s right to legally pursue a third party responsible for an insured’s insurance loss. Subrogation can limit losses for insurance companies, impacting a carrier’s bottom line. Given the ever-rising expense of responding to a covered cyber incident, I have seen, and expect to see more, cyber carriers pursue actions against responsible parties.
JEAN M. LAWLER: As a mediator, I see insurers actively seeking reimbursement of ransom payments and other incurred expenses from their insured’s service providers and vendors arising out of cyber incidents. The typical situation is where “bad guys” (i.e., threat actors) gained access to the insured’s computer network allegedly due to a failure by the vendor and for which the insured or its insurer paid a ransom and incurred other damages. These cases often come to mediation at the pre-suit or early-suit stages. The insured’s policy may be a cyber policy while the vendor’s policy could be a management liability or professional liability policy.
What are some examples of where subrogation might be pursued by an insurance carrier in the cyber liability risk space?
HEADY: One example could be a company that engages an IT vendor to install a new firewall. The IT vendor commits an error during the installation, resulting in unauthorized access to personally identifiable information (PII) maintained on the company’s server. The breach results in millions of dollars in incident response and ensuing lawsuit defense fees and costs. The company’s cyber policy covers the loss. When the matter concludes, the company’s insurance carrier seeks recovery of all monies paid from the IT vendor.
LAWLER: Here is another example. A company enters into an agreement with a managed service provider (MSP) to maintain the security and integrity of the company’s network and digital systems. The company suffers a ransomware attack, which results in significant incident response and business interruption costs. The company’s cyber policy covers the loss. The investigation determines that the ransomware attack occurred due to the MSP’s negligence in maintaining the security and integrity of the company’s network and digital systems. The company’s insurance carrier seeks recovery from the MSP of all monies paid.
What are some of the difficulties with subrogation in the cyber liability risk space?
HEADY: Determining the cause of a cyber incident is often difficult. Threat actors are often ahead of the game, devising better techniques for gaining access and remaining undetected. Forensic reports that can be helpful in determining a cause or responsible party are not always drafted and, when they are, such reports are inaccessible to carriers for legal privilege reasons. Further, a subrogation clause will only provide an insurer with the same rights an insured has against a third party causing a cyber loss. Insurers will often face contractual limitations that some vendors might include in their service contracts, impairing the insurer’s recourse against a responsible vendor. Finally, legal precedent involving subrogation in the cyber liability risk space is limited. It is still unclear how subrogation laws will be interpreted within this area.
LAWLER: Service providers and vendors will usually have multiple clients who have been harmed by the same cyber incident or data breach, meaning the vendor will generally not agree to exhaust its policy limits in settlement, leaving uninsured exposures. The insured and its insurer will each have unique damages they may want to recover, such that the insured and its insurer will need to agree on how to divide the recovery. There may also be coverage issues that the insured and vendor are dealing with, with their own insurers. Insureds and service providers who are professionals may have additional issues regarding the release of privileged documents, or documents subject to privacy laws such as HIPAA. The vendor’s policy may have burning limits or be claims-made.
Do you think the state privacy laws that have recently gone into effect will influence these claims?
HEADY: Privacy laws expanding legal recourse to parties who may not have had such rights in the past will unequivocally lead to an uptick in what is often costly privacy litigation. Insureds will turn to their insurance carriers for coverage and insurance carriers will be looking to minimize their financial risk for amounts paid to defend insureds.
LAWLER: Absolutely. Even if an insured is compliant with the law, a vendor’s activities affect the insured. Note that the recent $1.2 million Sephora California Attorney General settlement for California Consumer Privacy Act of 2018 (CCPA) violations required Sephora to: “…Conform its service provider agreements to the CCPA’s requirements; and provide reports to the Attorney General relating to…the status of its service provider relationships….”
Do you have any suggestions for best practices regarding these types of claims?
HEADY: Once a matter is submitted for coverage, it is important to flag potential areas of subrogation as early as possible and preserve any potentially relevant evidence. Additionally, it is important to always consider the cost of pursuing subrogation against any potential recovery. Where a subrogation target is uninsured or insolvent, pursuing subrogation may not be the most practical option.
LAWLER: Best practices start with good risk management. Insureds should know their vendors and service providers, their computer systems and practices, as well as the business activities they are to undertake. Ensure that they have appropriate insurance. After a breach, document damages and retain subrogation counsel early in the process. Share damage documentation with the vendor and its insurer early, as they will need time to evaluate the claim. The insured and its insurer should work together as partners to do what needs to be done to contain the effects of the attack and to recover available damages from the liable party and its insurer. These cases are excellent candidates for early resolution.