Specialty Podcast: Exploring Million-Dollar Cyber Vulnerabilities & Coverage Disputes
By Alliant Specialty
How could a single cybersecurity vulnerability cost a company a million dollars? Steve Shappell and David Finz, Alliant Claims & Legal, discuss a record-breaking year for data breaches and the cautionary tale of cybersecurity lapses leading to million-dollar penalties. They also discuss developments in coverage litigation, including contract formation, notice issues and the criticality of timely claims reporting.
Intro (00:00):
You are listening to the Alliant Specialty Podcast dedicated to insurance and risk management solutions and trends shaping the market today.
Steve Shappell (00:08):
Good afternoon. Thank you for joining in with David Finz and myself, Steve Shappell. A lot of coverage litigation this month and as always, a lot of cyber developments. I'll turn this over to David because I know David wants to talk about some recent developments with DFS and the First American Title. David, let me turn it over to you to talk about cyber from the month of November.
David Finz (00:27):
Sure, thanks, Steve. This has been another year for the books for cyber. We're looking at a report from the Identity Theft Resource Center that indicates that 2023 has already broken the annual record for data breaches. In fact, in the first three quarters of the year we saw 2,116 data breaches that were reported. That surpasses the previous all-time high of 1,862 that was set back in 2021. It's worth noting that nearly 10% of the cyber attacks were the result of what are called zero-day vulnerabilities. These are extremely difficult to detect, extremely difficult to repel, because there is no history around them. There's no readily available patch to deal with them. Also, not surprisingly, out of this, 344 organizations reported having been impacted by their use of the MOVEit file transfer software; that was the subject of a vulnerability that resulted in a lot of claims that we saw over the summer and fall of this year.
They're still rolling in. So, definitely plenty to keep our claims folks busy. But I also wanted to talk about a development that we're following now with the New York State Department of Financial Services. They recently entered into a consent order with a prominent title insurance company. And I think this serves as a cautionary tale of sorts for other financial institutions in terms of the level of cybersecurity that they need to have in place. New York state's been out in front of this cybersecurity regulation, or as it's known around these parts, Part 500. This is something of a model that other states and even federal banking regulators have followed. And there were two particular standards that were at issue in this case against the title insurance company. One standard was meant to deal with a risk assessment. Basically, companies had to conduct a risk assessment and use that in the development of their own cybersecurity policies.
The other was with respect to limiting user access privileges to systems that hold what New York State calls non-public information, or NPI, and to encrypt this data when it was in transit as well as at rest. So, the company in question here had developed a proprietary app. The problem with this app was that, without any type of additional login or authentication, users of it who might've been on there to look at their own transaction were able to access, with some very limited modifications to their search terms, the records from other transactions. And a reporter in 2019 discovered this and called attention to the vulnerability. The company took prompt action once that report was made public to remediate this; they shut down access to this app and the hyperlinks that were generated by it. They notified the affected parties, they offered them credit monitoring and they also notified the DFS of the incident.
So, they did all of that by the book. But the problem was that once DFS started investigating, it came to light that the company had been aware of this vulnerability in their app five months prior to the journalist's report. And their failure to take action during that five-month period is what landed them in the crosshairs of the New York State regulators. So as a result of that, they were assessed a $1 million penalty and they were required to take some remedial action to improve their cybersecurity. It bears noting here, I am a champion of cyber insurance, and it is a very important product, but it doesn't cover everything. And in this particular instance, the state was explicit that the title company was not going to be able to use insurance proceeds to pay off the cost of that penalty. And you know, that bears noting here because what's important is to recognize that the best way to manage the risk is to not have a covered claim in the first place.
And that's why our risk consulting team is able to offer risk assessments to our clients, and even to companies who are not currently using Alliant as their insurance broker, to be able to come in and conduct a gap analysis and figure out where you might have some room for improvement in your security controls, so you don't wind up with an incident like this and get on the radar of the regulators as a result of some unremedied vulnerability. So, a very important development here. It just shows the breadth of the enforcement authority of the state regulators and the importance of financial institutions doing what's required under Part 500, which is to conduct a risk assessment and to create policies that are based upon the results of that assessment. With that, I'm going to turn it back over to Steve to talk about some of the coverage disputes that have been heating up and that warrant some attention as well.
Steve Shappell (05:48):
Thanks David. Appreciate it. Never a dull moment in the cyber world. This month's newsletter, I encourage you to look at it. It's really interesting. It almost reads like a law school exam/textbook. There are so many interesting issues that go to the core of insurance. We have contract formation issues, where we have carriers using a warranty to deny cover. We have public policy defenses, using Section 533. We have good old-fashioned notice issues. We have, whether it's one claim, two claims, related claims, a really interesting month. So, we had a couple of circuit court decisions, which always warrants a lot of attention. I mentioned the warranty case previously, and warranty for those of you who've listened to me talk on this podcast and elsewhere is a big deal. Contract formation is a big deal. It goes to the integrity of the process.
I like to be hard on the insurers on warranty and severability issues, but in fairness it goes to the tenet of contract formation of let us be very clear on what we're insuring. And warranties are one of the ways carriers address this: if you're going to buy insurance, either new insurance or new layers of insurance, you have to make certain warranties, even though most warranties aren't really warranties. They are representations of the lack of facts or circumstances which could lead to a claim. And this got a 9th Circuit decision that came out that's in the newsletter. One of the things that's really interesting and telling from this is the consequences. The court concluded that the signer of the warranty had information and, very clearly in the court's opinion, knew or should have known the facts as they ultimately played out.
But what was also interesting in that case was the issue of imputation. One of the things that we talk a lot about, and I really encourage anyone listening to this podcast who is asked to sign a warranty, is to spend time scrutinizing that warranty and editing that warranty. It's really clear that the representation is very subjective and there's severability, meaning the knowledge of the signers is not imputed to all insureds. And this is a very big deal in the management liability world, where a policy of insurance insures numerous individuals and the severability prevents an insurer from imputing that knowledge to others. And here, what happened in this 9th Circuit case worthy of comment is the court specifically noted that the non-imputation provision didn't apply to the warranty issue. And so, one of the things I would comment on is, if you need to sign a warranty, scrutinize the language really carefully and make sure that the principles in this contract, which are carefully negotiated, that being severability and non-imputation, apply to those representations being made in that warranty letter as well.
The other claim I want to comment on, and I think this will be my tradition on this call, is notice. These policies, as I say almost every month, are claims made and reported, which means that the policy only responds to claims which are made during and reported during the policy period. It is critical; it is not a condition like a CGL policy, where you might have prejudice that will forgive you for being a little slow in noticing. Claims made and reported is a very different legal beast. And notice is important. Once again, this month we had a case which reinforces that if you don't notice a claim timely on a claims made and reported policy, you will lose coverage for that claim and any related claim. And I mention related because there's a 10th Circuit case on relatedness in this month's newsletter which is really interesting and probably a topic for another day, because David and I could talk for days about interrelatedness and the sword and the shield, because it works both ways, but let me just leave it at that. Notice: if in doubt whether you have a document or an email or a phone call that warrants noticing a carrier, I'll tell you, every single carrier that I ask will say, if in doubt, send us a notice. What I'm asking everybody is, if you get any information and you're not sure what to do with it, call us and we will help you analyze that information you have so that late notice will never be an issue. I can assure you it is a much better way to manage your risk. With that, thank you everybody, have a great day.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an "as is" basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.