US ruling highlights potential gaps in general insurance cover for cyber risks, says expert

Out-Law News | 19 May 2015 | 4:32 pm | 2 min. read

A ruling by a US court has highlighted why businesses should not rely on general insurance policies to provide cover for cyber risks, an expert has said.

Cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the ruling showed businesses should take out specific cyber insurance policies if they want to reduce their exposure to cyber risks.

The dispute ruled on by a district court in Utah concerned whether an insurer was under a duty to defend legal claims brought against data processing businesses it provided insurance cover to.

A gym company had claimed the data processors had breached an agreement it had with them over the processing of gym members' account information, among other complaints it had raised.

The data processors argued that the terms of their insurance policy meant that the insurer was under a duty to defend, on their behalf, the claims brought against them. The processors said that the insurer's duty to defend was triggered because the gym company had raised issue with data processing problems that concerned "an error, omission or negligent act relating to the holding, transferring or storing of data".

The insurer had a duty to defend such claims brought against the data processors under the terms of their insurance policy. However, the Utah court determined that the gym company's complaint had not concerned an error, omission or negligent act relating to data processing and that the insurer was therefore not obliged to take up defence of the claims under the insurance policy it provided for the data processing companies.

Birdsey said that although the case did not specifically relate to the issue of cyber risk and insurance, there were lessons businesses could draw from the ruling about the gaps in coverage they could face if seeking to protect themselves from cyber risk through general insurance policies.

"The case highlights the value of standalone cyber insurance coverage," Birdsey said. "If insured businesses rely on more general insurance policies to provide them with cover against cyber risks then there is the potential that they could be left exposed to those risks because of the gaps often found in those general policies. This was the case in the dispute before the court in Utah where the data processors tried to rely on a technology errors and omissions policy to pass on legal risk to their insurer."

Birdsey said that similar disputes about the precise coverage of general insurance policies can be expected to arise in the UK as cyber risk to businesses continues to grow and if companies persist in relying on general insurance cover for that risk.

"We can expect to see similar disputes in the UK with businesses seeking to shoehorn cyber exposures into other more general insurance policies until dedicated cyber insurance is taken out as separate cover by most companies, particularly IT suppliers," Birdsey said. "More broadly, the Utah ruling might cause insurers to reconsider whether to write policies on a 'duty to defend' basis or revert back to favouring the more traditional 'duty to pay' approach in their insurance contracts, or indeed whether a hybrid approach where the insurer has the right but not the obligation to defend claims is more suitable."

Birdsey said that cyber risks are growing for businesses, especially with increasing outsourcing of data processing and storage to a cloud environment, and underwriters remain concerned about aggregation risks.