Current Landscape of Cyber Insurance

Data breaches have policyholders “scrambling to fit the proverbial square peg into the round hole of their insurance programs.” Insurers have pushed back, and the result has been not only coverage disputes, but also the development of more cyber policies that specifically address data breach.

It is the nascent state of cyber-specific insurance policies that accounts for many open coverage questions. But in Travelers Property Casualty Co. of America v. Federal Recovery Services, a case being called the first cyber-related liability dispute, a federal court in Utah found that typical insurance coverage issues of policy interpretation in fact do apply to a cyber-related fact pattern.

The case turned on whether the terminology “errors and omissions” in the policy was broad enough to include withholding of data, regardless of the reason. Citing the general rule that “an insurer’s duty to defend is determined by comparing the language of the insurance policy with the allegations in the complaint,” the court reasoned that Global Fitness’s allegations of “knowledge, willfulness, and malice” would not trigger Travelers’ duty to defend.

Policyholders will be better armed to mitigate damages by diversifying their coverage. They can take advantage of a variety of types of policies that cover cyber-related threats. For example, some insurers offer an add-on to standard crime policies for “social engineering fraud,” which covers policyholders in the event that employees are misled into sending money or diverting information based on fraudulent emails or other means.