Posts tagged Cyber Insurance.
Time 4 Minute Read

Update: On May 1, 2023, the New Jersey appeals court affirmed the trial court's decision that a war exclusion did not bar $1.4 billion in coverage for Merck’s losses stemming from the NotPetya attack.

On June 27, 2017, the skies over New Jersey were clear and the ground steady. But Merck & Co., a New Jersey-based pharmaceutical company, was under attack. Malware ripped through its computers, damaging 40,000 of them and causing over $1.4 billion in losses.

Merck was not the sole target.[1] Dubbed “NotPetya,” the virus tore through the US economy,[2] and did an estimated $10 billion in damage. The US Department of Justice charged six Russian nationals, alleged officers of Russia’s Intelligence Directorate (the GRU), for their roles in the NotPetya attack, among others. The attackers’ goal, according to the DOJ, was:

Time 4 Minute Read

A recent settlement filed by the Federal Trade Commission (FTC) and GoodRx may merit a review of your cyber insurance coverages. Earlier this month, the FTC took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information.

As detailed in a February 27 Hunton client alert, the Health Breach Notification Rule generally requires that vendors not covered by the Health Insurance Portability and Accountability Act (HIPAA) of personal health records give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records.

Time 1 Minute Read

Hunton Andrews Kurth LLP insurance partner, Andrea DeField, was recently interviewed by Courtney DuChene for Risk & Insurance magazine for their article, Cyber Captives 101: Is Self-Insuring the Right Risk Mitigation Choice for Your Business? As we’ve discussed previously on the blog, the cyber insurance market has become increasingly difficult, see here, here, here, and here, and captive insurance may present a potential solution, see here. However, as DeField notes in the article, “If you’re going to go through this whole time-intensive, labor-intensive ...

Time 4 Minute Read

Recently, the Ninth Circuit dealt with a case involving a scenario that is becoming all too common. In Ernst & Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), a property management company’s accounts payable clerk received several e-mails from her supervisor instructing her to pay some invoices. Unbeknownst to the clerk, these e-mails did not originate with her supervisor, but were actually part of a fraudulent scheme to elicit fraudulent bank transfers. The clerk paid off hundreds of thousands of dollars in “invoices” before becoming suspicious but, by then, it was too late and the damage was done.

Time 1 Minute Read

Hunton insurance attorneys, Walter Andrews, Andrea DeField, and Sima Kazmir, recently published an article in the Daily Business Review, discussing the scrutiny that companies face as a result of increased cyberattacks as well as tips for your next cyber insurance renewal.

A recent U.S. Treasury Department report noted that through June 30, 2021, the total value of suspicious activity associated with ransomware transactions was $590 million. The standalone cyber insurance industry has grown to address this pervasive risk. These major shifts in the cyber landscape mean that ...

Time 4 Minute Read

A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.

Time 4 Minute Read

On September 21, 2021 and October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued reminders of the sanctions risks for facilitating ransom payments to designated malicious cyber actors.  As discussed in our prior blogpost on OFAC's October 1, 2020 advisory, OFAC has made clear that it is increasingly willing to bring enforcement actions against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of corporate victims.

This guidance should serve as a reminder to policyholders that ransomware and other cyber incidents trigger stringent regulatory and reporting requirements and that policyholders should consider engaging experienced advisors to develop a cohesive response strategy when cyber incidents occur.  OFAC’s guidance also should remind policyholders to carefully scrutinize cyber insurance coverages (and others) to ensure they provide the broadest possible coverage for cyber risks while still following OFAC guidance.

Time 4 Minute Read

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.

Time 9 Minute Read

The adage goes, “the best defense is a good offense.” This appears to be the approach that New York insurance regulators are advocating in response to what they deem “systemic risk[s] that occur when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.” On February 4, 2021, the New York Department of Financial Services (“DFS”), which regulates the business of insurance in New York, issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, DFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”

Time 4 Minute Read

It’s a cautionary tale of cyber fraud.  A title agent in a real estate transaction receives an email ostensibly from the mortgage lender providing instructions for transferring the loan proceeds into a settlement bank account.  After transferring the funds ($520,000), it becomes apparent that the transfer instructions came from an email address that was one letter off from the mortgage lender’s actual email address – it was a scam.  But it’s too late, the scammer has already withdrawn the funds from the settlement account and cannot be traced.

Time 4 Minute Read

Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack on its insured? According to the US Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) October 1, 2020 advisory (“OFAC Advisory”), in certain situations, it may be.

Time 2 Minute Read

A Maryland federal court recently awarded summary judgment to National Ink and Stitch, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  We discussed the significance of the decision in a January 27 blog post that can be found here.

Time 4 Minute Read

A Maryland federal court awarded summary judgment last week to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property And Casualty Insurance Company, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  This is significant because it demonstrates that insureds can obtain insurance coverage for cyber-attacks even if they do not have a specific cyber insurance policy.

Time 2 Minute Read

The members of Hunton’s Insurance Recovery group present regularly on today’s hot topic insurance coverage issues. Upcoming insurance presentations for January 2020 include:

Time 2 Minute Read

Energy industry: is your insurance sufficient to handle a major cyber event? Larry Bracken, Mike Levine, and I address this question and more in our recent article for Electric Light & Power, found here.  In the article, we identify three major gaps in cyber insurance that we routinely see when analyzing coverage for energy industry clients. The first major gap is coverage for bodily injury or property damage caused by a cyber event. Most cyber insurance policies exclude coverage for both bodily injury and property damage, even if caused by a cyber event. Meanwhile, many commercial general liability insurance policies now exclude cyber-related risks, thus creating a gap in coverage for these losses. The second gap we identify is coverage for fines and penalties, including those issued under the European Union’s General Data Protection Regulation (GDPR). Even where cyber insurance policies expressly purport to cover fines and penalties, it is unclear if these may be deemed uninsurable as a matter of public policy in certain jurisdictions. Finally, we identify a gap in coverage for business income losses when the insured’s network, or that of a vendor on which they rely, goes down. That coverage is a key component of a robust cyber program, but one that is typically only offered for an additional premium.

Time 3 Minute Read

Equifax Inc. recently announced that it has agreed to pay up to $700 million to settle numerous government investigations and consumer claims arising out of a 2017 breach that exposed Social Security numbers, addresses and other personal data belonging to over 148 million individuals. Following the breach, Equifax faced investigations from the Federal Trade Commission, the Consumer Financial Protection Bureau, all 50 state attorneys general and consumers prosecuting nationwide multidistrict litigation. As part of the deal, Equifax will contribute approximately $300 million to compensate consumers, with the potential to increase to $425 million depending on the number of claims filed. Equifax also agreed to pay $175 million to state governments, plus another $100 million in civil penalties to the CFPB.

Time 3 Minute Read

The City of Baltimore is the latest victim of increasingly common ransomware attacks. On May 7, 2019, unidentified hackers infiltrated Baltimore’s computer system using a cyber-tool named EternalBlue, developed originally by the United States National Security Agency to identify vulnerabilities in computer systems. However, the NSA lost control of EternalBlue, and since 2017, cybercriminals have used it to infiltrate computer systems and demand payment in exchange for relinquishing control. For instance, in Baltimore, the hackers have frozen the City’s e-mail system and disrupted real estate transactions and utility billing systems, among many other things. The hackers reportedly demanded roughly $100,000 in Bitcoin to restore Baltimore’s system. The city has refused to pay.

Time 1 Minute Read

Hunton Andrews Kurth insurance partner Michael Levine was recently interviewed by LegalTech News concerning Ohio’s recent adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law, modeled after the New York State Department of Financial Services Cybersecurity Requirements for Financial Service Companies Act, seeks to provide a framework for states to address risks and develop cybersecurity guidelines for insurance companies. Ohio became the second state, after South Carolina, to adopt the model law. As Mike ...

Time 3 Minute Read

In a recent post, we discussed the Sixth Circuit’s holding in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), where the Sixth Circuit reversed the district court’s summary judgment for the insurer, finding coverage under its policy for a fraudulent scheme that resulted in an $834,000.00 loss. The insurer, Travelers, has now asked the Court to reconsider its decision.

Time 2 Minute Read

The Sixth Circuit, in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), reversed the District Court’s grant of summary judgment in favor of the insurer in a dispute over coverage for a social engineering scheme. The policyholder, American Tooling, lost $800,000 after a fraudster’s email tricked an American Tooling employee into wiring that amount to the fraudster.

Time 3 Minute Read

The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks.  Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance.  In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.

Time 5 Minute Read

May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect.  It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.

Time 2 Minute Read

As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.

Time 2 Minute Read

In what has been described as a “watershed” cyber incident, hackers recently used sophisticated malware—dubbed Triton—to take control of a key safety device installed at a power plant in Saudi Arabia. One of the few confirmed hacking tools designed to manipulate industrial control systems, this new breach is part of a growing trend in hacking attempts on utilities, production facilities, and other critical infrastructure in the oil and gas industry. The Triton malware attack targeted the Triconex industrial safety technology made by Schneider Electric SE. The attack underscores the importance of mitigating this and other similar risks through cyber and other traditional liability insurance as part of a comprehensive cybersecurity program.

Time 2 Minute Read

The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company finding that it had no duty to defend Innovak against a data breach lawsuit. Innovak, which is a payroll service, suffered a breach of employee personal information, including social security numbers. The employees then filed suit against Innovak alleging it had negligently created a software that allowed personal information to be accessed by third parties. Innovak sought a defense for the lawsuit from its commercial general liability carrier, Hanover Insurance Company. Innovak argued that the employees’ allegations triggered the personal and advertising injury coverage part of the policy, which covers loss arising out of the advertising of the policyholder’s goods or services, invasion of privacy, libel, slander, copyright infringement, and misappropriation of advertising ideas. The court disagreed and found the employees’ allegations did not involve a publication that would trigger coverage under the commercial general liability policy.

Time 2 Minute Read

In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district court pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”

Time 1 Minute Read

Last week Bloomberg Law launched an online “cyber insurance suite” authored by Hunton attorneys, Walter J. Andrews, Sergio F. Oehninger, and Patrick M. McDermott. The online suite, available here and to Bloomberg subscribers, covers all aspects of cyber insurance, including identifying the major cyber risks and liabilities, applying for and obtaining cyber insurance coverage, and submitting claims under cyber coverages. It also contains an overview of case law evaluating coverage for cyber liabilities under traditional insurance policies and under cyber specific ...

Time 1 Minute Read

In their new article for FC&S Legal, Hunton & Williams attorneys Lorie Masters, Syed Ahmad, and Jennifer White discuss critical questions that must be answered when assessing and protecting against cyber risk in the financial sector.  The article is available here.

Time 1 Minute Read

In an article in the September issue of ABA Business Law Today, Hunton & Williams attorneys Lorie Masters, Sergio F. Oehninger, and Patrick McDermott discuss the increasing use of blockchain technology, the security of the technology, and insuring against the relevant risks. As they explain, the "potential disruptive uses of blockchain technology in the marketplace have been compared to that of the Internet." Thus, businesses across industries should consider whether their insurance would cover risks arising out of the use of blockchain technology. The authors point out that current ...

Time 1 Minute Read

In an article that first appeared in Electric Light & Power, Hunton & Williams attorneys Sergio F. Oehninger and Paul T. Moura discuss the growing Electric Vehicle (EV) industry and the risks posed due to the consequential strain on the power grid. As they explain, demand and investment in EVs will likely spur greater demand for supercharging stations that consume significant amounts of electricity. Urban centers and real estate owners are also expected to increase the supply of these stations in order to make these areas more attractive and accessible to EV owners, drone operators, and autonomous vehicle fleets. All of this growth will put increasing demands on electricity supply that can be difficult for businesses to control, leading to grid outages that can cause an interruption in business operations, an inability to access or restore system data, and significant losses of business income. All of this raises the question—Can businesses count on their insurance coverage to respond to the risks posed by EVs?

Time 3 Minute Read

Beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain's National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user's computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spread to other computers on the network. One infected computer can spread this virus network-wide, and quickly.

Time 2 Minute Read

The ABA announced last week that it would supplement its insurance coverage offerings to include cyber insurance. Chubb Limited will underwrite the insurance, which the ABA said “includes cyber coverage for a firm’s own expenses, such as network extortion, income loss and forensics, associated with a cyber-incident as well as for liability protection and defense costs.”

In its press release, the ABA referenced the revelations late last year that Chinese citizens had hacked two law firms to obtain information regarding mergers. The hackers then used that insider ...

Time 2 Minute Read

As reported in the Privacy & Information Security Law blog, on October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page guide details steps businesses should take once they become aware of a potential breach. The guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.

Time 3 Minute Read

In a May 31, 2016 decision, a federal court in Arizona rejected P.F. Chang's attempt to recover an additional $2 million it paid following a 2013 breach in which hackers obtained and posted on the Internet approximately 60,000 credit card numbers belonging to P.F. Chang's customers.  P.F. Chang's was insured under a "CyberSecurity by Chubb Policy," which it had purchased from Federal Insurance Company for an annual premium of $134,000.  On its website, Federal marketed the policy as "a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world" including "consequential loss resulting from cyber security breaches."
