By J. Stephen Berry, Esq., Keith Moskowitz, Esq., Diane D. Carter, Esq. and Samantha Wenger, Esq. of Dentons
With the number of cyber-attacks on the rise, companies are increasing their vigilance against cybercrime by taking more affirmative steps to protect their data systems. According to the US Government Accountability Office, the reported incidents of cyber threats to federal agencies increased more than 700 percent from 2006 to 2012. 
Obtaining cyber insurance coverage is one of many ways companies protect themselves against hacking incidents. Just like any other contractual agreement, the language of the cyber insurance policy controls the scope of coverage. Even the most vigilant insured may believe it has sufficient coverage for the most probable threats. But it is easy to overlook the equally probable threat right in front of you—the authorized user.
Upon hearing the term “hacker,” most imagine highly intelligent individuals who illegally access computer systems. These “unauthorized users” are often at the forefront of media coverage involving cybercrime. A common oversight in obtaining cyber insurance coverage is failing to make sure the policy also provides protection for insider threats, also known as “authorized users.” A New York court addressed this issue.
In Universal American Corp. v. Nat. Union Fire Ins. Co. of Pittsburgh, PA, 959 N.Y.S.2d 849 (N.Y. App. Div. 2013), aff’d as modified 972 N.Y.S.2d 241 (2013), the insured, a health insurance company offering alternatives to Medicare, sought coverage from the insurer for losses incurred from the entry of fraudulent claims into its computer system. The claims were entered by providers, in some cases with the cooperation of the insured’s members, in exchange for kickbacks from the provider. The insured lost over $18 million from the fraudulent claims and subsequently presented the insurer with a proof of loss. The insurer denied the claim, and a breach of contract suit followed. At issue was whether the scope of the insurance policy included fraudulent claims entered by authorized users when the policy expressly limited coverage to fraudulent entry of data.
The insurance policy
The insurance policy included a rider that provided coverage for “Computer Systems Fraud.” Among other things, the rider indemnified the insured for losses incurred from fraudulent entry of data into the insured’s computer program. The insured argued that “fraudulent entry” included non-fraudulent entry of fraudulent information. Alternatively, the insured contended that the provision was ambiguous and should be construed against the insurer. The court disagreed with both arguments.
Due to the lack of precedent, the court relied on factually similar cases offered by the insurer and concluded that the policy language was not ambiguous. According to the court, the case cited by the insured involved an insurance policy with much broader language. The policy at issue specifically limited coverage to the “fraudulent entry of electronic data.” In deciding that the rider was not ambiguous, the court primarily considered “the reasonable expectations of the average insured upon reading the policy.” The court concluded that the rider limited coverage to “fraudulent entry” of data, not the non-fraudulent entry of fraudulent claims. Because the providers were authorized to enter claims into the insured’s computer system, the entry was not fraudulent. Thus, the insurer was not obligated to cover the insured’s losses.
Due to underdeveloped risk metrics on cyber threats, there is no true way to determine whether a company is getting the best insurance rates or coverage, says Karen Royster, Director of Information Technology for Global Brands Group. Andreas Baumhof, CTO of ThreatMetrix, goes even further, stating that “[c]yber insurances are a bit of a rip-off. Think of car insurance—if it is insured for theft, it doesn’t matter how the theft was executed. In the cyber world, it seems it does matter.”
Here are a few tips on getting the most coverage for your client’s money:
- Have a cyber forensics firm evaluate the computer system for internal and external vulnerabilities. Then, remedy the most debilitating risks to obtain a lower insurance premium.
- Read the insurance policy carefully to make sure it provides sufficient coverage for invasions by authorized and unauthorized users and that the policy language is clear in its scope.
- Review existing insurance policies to see what cybersecurity protection may be included already.
- Keep in mind that even the best cybersecurity insurance may not provide adequate protection for the reputational damage a company may face upon exposing a cyber-attack. So, weigh the options carefully.
- Review the cyber insurance policy prior to renewal to make sure there are no gaps in coverage and to make sure the policy is keeping pace with emerging cyber risks.
If you want to know more, consult our new book.
U.S. Gov’t Accountability Office, CYBERSECURITY: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges (2013), available at http://www.gao.gov/products/GAO-13-462T.