Article

Subrogation and cyber extortion: Real threats, real insurance recoveries

July 24, 2018

By Dan Twersky

A data breach or extortion threat can result in significant costs to a company in mitigating damage. Here are two stories of companies that were impacted by cyber incidents – and how our FINEX Claims & Legal Group (CLG) was able to help them achieve favorable outcomes.

When subrogation adds complexity

One company in the hospitality industry experienced a breach of its point of sale system as a result of a hacking, potentially impacting hundreds of thousands of customers – including exposure of credit card information. As a result, the company incurred millions of dollars in data breach response expenses. CLG assisted with the initial reporting of the incident to the applicable insurers and confirmed that the subsequently issued coverage positions of the respective insurers were accurate.

Adding complexity to this this incident, however, was a potential subrogation issue. Midway through the claim, a potentially liable third party vendor of the company (a trusted, long-term partner) made a good faith settlement offer in exchange for a full release of any claims in connection with the breach. The offer was made partly as a condition to continuing the favorable business relationship between the two companies.

As is common, the primary and excess cyber policies contained a subrogation provision precluding the company from taking any action that could affect the insurers’ rights of recovery from a third party. Agreeing to the vendor’s proposed settlement would have eliminated the insurers’ ability to pursue the vendor for damages at a later time. To further complicate matters, the total amount of the loss had not yet been determined. Lacking the complete information necessary to evaluate the settlement offer, it remained unclear exactly how far up the coverage tower the claim would ultimately reach. Finally, there were differences of opinion among the insurers as to the priority of amounts potentially recoverable through subrogation.

Seeing a way through

Despite these uncertainties, and with care taken to preserve the company’s business relationship with the vendor, the company sought advice on the priority issue and enlisted CLG to work with the insurers in devising a two-pronged solution, ultimately approved by all parties:

  • First, the insurers approved the settlement between the company and the vendor, resulting in a full release of all potential claims against the vendor.
  • Second, we arranged an ancillary agreement between the company and the insurers whereby the settlement funds would be held by the company until three conditions were met: 1) the underlying claim was closed, 2) the total loss amount was finalized, and 3) the priority of recovery issues was resolved. The company then released the funds to the insurers, who covered a majority of the damages.

Protecting against cyber extortion

A professional services firm suffered a cyber extortion threat: An unknown third party unlawfully accessed their network and threatened to divulge confidential customer information unless a seven figure ransom was paid. The incident was reported under their Kidnap and Ransom (“K&R”) and Cyber policies, both of which accepted coverage for certain aspects of the claim. With the assistance of outside legal and computer forensic vendors, as well as outside law enforcement, the threat was determined to be credible and the ransom was paid. The company continued to incur incident-related costs in order to ensure that the threat was in fact eradicated and that the threat actor would keep his/her promise not to divulge the confidential information.

As is the case with most K&R policies, coverage was provided from the first dollar, whereas the cyber coverage was provided in excess of a retention. Primary coverage was sought under the K&R policy, thereby maximizing the insurance recovery. The K&R insurer authorized and reimbursed the company for the full amount of the ransom and also covered the legal and forensic expenses – but only up to the date ransom was paid. The insurer took the position that the coverage ceased as soon as the extortion threat had been extinguished.

Getting more from a K&R policy

In confirming coverage with the cyber insurer for the post-ransom payment expenses subject to that policy’s retention, CLG put forth several arguments in favor of coverage under the K&R policy:

  1. The K&R policy did not contain a provision speaking specifically to the time after which the ransom was paid.
  2. The company had evidence that the threat was ongoing, despite the ransom payment.
  3. All of the expenses incurred following the ransom payment were solely and directly attributable to the extortion event, and should therefore be covered under the K&R policy.

Ultimately, the K&R insurer agreed to indemnify the company for the vast majority of the total loss; with a small remainder of the loss falling completely within the cyber policy’s retention.

Both of these incidents demonstrate CLGs capabilities to help coordinate complex claims processes involving multiple insurers and coverage towers, as well as offer creative resolutions and tireless advocacy beyond first impression issue resolution. Key to our efforts was facilitating communication among all of the insurers, third parties and company contacts to ensure a smooth and swift claims process.

Willis Towers Watson’s FINEX Claims & Legal Group (“CLG”) supports companies in all facets of claims advocacy. With respect to cyber risk, CLG provides policy wording recommendations based on actual and hypothetical claim scenarios, client alerts regarding legal and regulatory developments, vendor suggestions, proprietary cyber claims data, and more.