Until a few years ago, the coverage world was barely cognizant of cyber attacks or mega data breaches, let alone cyber insurance. While cyber-specific forms or policies were initially underwritten in anticipation of the Y2K bug, it was hardly on the radar for most policyholders thereafter and for good reason: The risks seemed too remote to affect a risk manager’s decision to purchase such insurance. It also did not help that cyber-specific insurance in the 2000s lacked consistency, had high deductibles or premiums, or had insufficient limits. Thus, there was little appetite on the policyholder or insurer side to purchase or develop a robust new coverage program for cyber-specific risks.
That dynamic abruptly changed by the turn of this decade when a cluster of highly publicized cyber attacks occurred, such as those against Sony, Target, Home Depot, and, more recently, Anthem. The risks were no longer too remote for risk managers to ignore. Companies suffering a data breach faced significant first- and third-party losses, which, in turn, exposed company executives and their board members. Companies also scrambled to secure coverage under so-called traditional policies, such as comprehensive general liability (CGL) policies. Insurers, in turn, argued that such risks fell outside the underwriting intent of these policies.
With the battle lines drawn, a perfect storm developed in the courts and in the insurance market, both of which we will explore. We first examine the critical and key decisions for cyber coverage under CGL policies. We then examine the market’s response to these decisions and how the battle over cyber coverage has shifted to cyber-specific policies.