Insights

Cyber insurance and subrogated recoveries

Insurance Law & Litigation

It seems that not a day goes by without a news headline regarding a cyber attack on a leading company or government department. According to the Australian Cyber Security Centre, ransomware attacks are on the rise, hitting critical infrastructure and businesses. Threat actors are also increasingly deploying software supply chain attacks, which have far-reaching consequences for businesses both upstream and downstream in a supply chain.

The cyber insurance market in Australia continues to grow, with cover for both first and third-party losses. This typically includes data breach investigation costs, costs to restore the organisation's network, extortion and ransom payments, costs and penalties arising from regulatory enquiries, business interruption loss and costs to defend third-party claims (impacted parties suing for breaches of privacy laws, etc.). This can translate into significant claim payments under cyber insurance policies, subject to relevant sub-limits and exclusions.

Increasingly, cyber insurers are looking at the potential to pursue subrogated recovery claims after they have made such payments. That is, to invoke their subrogation rights under the policy and at law to step into the shoes of the insured and recoup their losses from any third parties who may be liable for the cyber incident. The cyber insurance subrogation market is well developed in the US, but gradually emerging and developing in Australia.

Who are the targets of cyber subrogation claims?

In contrast with other types of fidelity recoveries (employee frauds, for example), the threat actors of a cyber attack are unlikely to be a viable recovery target as their attacks are perpetrated remotely, which affords anonymity and means attribution is usually extremely challenging. This is exacerbated by the involvement of state-sponsored actors in some cases.

Entities potentially liable for a cyber security breach can include network and data providers, managed service providers, cloud service providers, software consultants, antivirus software vendors, and business partners whose failure to implement adequate cyber security systems or adequate measures to protect the data shared with them contributed to the breach suffered by the insured.

Which types of claim can be pursued?

If, for example, an antivirus product was ineffective as it was not properly installed or maintained due to acts, errors and/or omissions of the service provider, possible claims could include negligence, breach of contract and misleading and deceptive conduct if representations regarding the efficacy of the security software are proven to be false.

What challenges are involved with these claims?

Before insurers embark on cyber recoveries, some of the key issues to consider include the following.

Investigation

Cyber threat actors are becoming more sophisticated in their tactics, techniques and procedures. Working out how a breach happened and which security steps would have prevented it often requires an investigation by independent forensic IT experts. Such investigations would usually be undertaken as part of the initial breach response and may inform the cyber insurer on the potential recovery target(s) and prospects of any such recovery.

Evidence of retainer

Once a recovery target has been identified, the next question is whether a formal written contract exists between the insured and the recovery target ─ for example, the insured's third-party product or service provider.

  • If a formal written contract exists, questions to consider include the exact scope of services to be provided, whether any onerous contractual limitations exist and whether any reciprocal contractual indemnities exist.
  • If there is no written contract, the insurer will have the additional hurdle of trying to prove the existence of the contract (either by conduct and/or orally), and the terms and scope of that contract. Any uncertainty may assist the target in arguing that their engagement was narrower.

Causation

The next key question is whether it can be established that the loss was caused wholly or partly by the recovery target. One consideration is whether the breach could have been averted with proper cyber security systems and data governance in place, including with antivirus software, or alternative security and data controls. A recovery claim will be assisted if, for example, the breach could have been prevented by upgrading the system and the third-party systems provider was responsible for this but failed to do so. On the other hand, if the cyber attack was a zero-day attack or a "Living off the Land" attack, which would fly under the radar of any prevention or detection technologies, then the prospects of substantiating a recovery action may be more difficult.

Costs

Finally, a key question for insurers in every subrogated recovery action is the potential costs of the recovery versus the payment to be recovered. If the recovery target is based overseas or is also a victim of the cyber attack and has suffered significant financial damage itself and/or is uninsured for its losses and any liability to third parties, a recovery action may be more difficult.

Litigated cyber recoveries

In the case of Ace American Insurance Co. v. Accellion, Inc recently filed in California, which arose out of the high-profile 2021 Accellion data breach, the insurer claimed that the third-party service provider had been negligent in handling a security vulnerability in its online file transfer service, which led to a ransomware attack on its customer (and Ace's insured), a Boston law firm.

In brief, Accellion maintained a notification system to inform clients of security vulnerabilities, but this was sent to two employees of the insured law firm who no longer worked there and was never followed up. Hackers stole confidential legal files and threatened to disclose them unless the law firm paid a ransom. In its defence, Accellion is arguing that the insured failed to update its contact information on Accellion's emergency notification system. Ace claims the law firm did all it could by notifying Accellion about the former employees' departures and it was Accellion's responsibility to update its own notification systems.

Watch this space.

Lander & Rogers has a Cyber Insurance team and a dedicated Recoveries team, including expertise in cyber recoveries. Please contact Colleen Palmkvist or Michael Williams (Recoveries) or Melissa Tan (Cyber) if you require any assistance in this space.

Photo by Anton Maksimov on Unsplash.


1A zero-day attack is an attack method that exploits a software vulnerability of which the developer is unaware, or where no patch is available.

1In a "Living off the Land" attack, a threat actor uses the legitimate software and functions that are available in the target's system to perform malicious actions on it.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.