The recent SolarWinds hack has been described as one of the worst intelligence failures on record, but it may also have a significant economic impact on the many private-sector companies that fell victim to the attack. Although the full economic fallout will not be known for some time, businesses affected by the attack (and businesses that may face similar attacks in the future) should start thinking about the potential cybersecurity insurance implications of the SolarWinds hack now.
Extensive Remediation Efforts
It is still early and there is much we do not know, but remediation efforts could be extensive. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said it “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
According to Thomas P. Bossert, formerly homeland security adviser to President Trump and deputy homeland security adviser to President George W. Bush, the remediation effort could require “segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks.”
Insurance may cover some of these remediation costs, but policyholders should be aware of the following potential issues that may arise in connection with any such claim.
One of the first issues policyholders should consider in connection with any cyberattack is notice. Most cyber insurance policies require the policyholder to provide the insurer with notice of a cybersecurity breach as a condition to coverage. Many policies require notice to be given “as soon as practicable” after discovery of the breach, while some policies require notice to be given during the policy period or within a certain number of days after the policy period ends.
Notice provisions are important because an insurer may deny an otherwise valid claim based on late notice. Many states require an insurer to prove that it was prejudiced by the late notice to prevail on a late-notice defense, but some states do not.
Accordingly, policyholders should be aware of the notice provisions in their cyber policies (and any other policies that may provide cyber coverage) and provide notice of cybersecurity breaches in accordance with those provisions.
Breach Response Costs
Cyber insurance policies typically provide a mix of first-party and third-party insurance coverage. First-party insurance provides coverage for losses suffered by the insured, while third-party insurance provides coverage for the insured’s liability for losses suffered by third parties.
One of the most important grants of first-party coverage for policyholders in the early stages of responding to a cyberattack is the coverage grant for breach response costs. Although different cyber policies use different terms, most policies provide coverage for certain costs incurred as a result of a cybersecurity breach.
For example, many cyber policies provide coverage for reasonable expenses incurred by a policyholder to investigate the cause and extent of a breach. Some cyber policies also provide coverage for expenses incurred to restore electronic data damaged by a cyberattack.
As policyholders assess the fallout from the SolarWinds hack, they should be aware of what type of breach response costs their insurance policies cover and keep their insurers apprised of the remedial actions being taken to the extent required or appropriate.
Given Russia’s potential involvement in the SolarWinds hack, policyholders should also be aware of the war exclusion. Once again, different policies use different terms, but most cyber policies (and first-party property policies that provide cyber coverage) exclude coverage for loss or liability arising out of “war” and a variety of other hostile actions that fall short of declared war.
For example, some policies exclude coverage for loss or liability arising out of “military action,” while others exclude coverage for loss or liability arising out of “hostilities,” “acts of foreign enemies,” or damage to or destruction of property “by or under the order of any government.” Insurers may rely on this policy language to deny coverage for loss or liability arising out of a cyberattack that is blamed on a foreign government.
In 2017, for example, several insurers relied on the war exclusion to deny coverage for business interruption losses arising out of the NotPetya cyberattack, which the U.S. government blamed on Russia. Many cyber policies, however, now contain a “cyberterrorism” exception to the war exclusion that may make it more difficult for an insurer to rely on the exclusion to deny coverage for a state-sponsored cyberattack that falls short of full-scale war. That said, the definition of “cyberterrorism” varies widely from policy to policy, so policyholders should carefully review their policies to assess the risk associated with this potential coverage defense.
The SolarWinds attack is an important reminder that even the most sophisticated companies remain vulnerable to cyberattack with potentially serious economic consequences. Cyber insurance is one way to address that risk, but it is only effective if it provides coverage when called upon. Accordingly, policyholders should review their cyber insurance programs, consider the issues discussed above, and decide whether they are adequately protected.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jeffrey J. Meagher is a partner in K&L Gates’ Pittsburgh office, where he focuses his practice on insurance coverage and complex commercial litigation.