The Nov. 28 Washington appeals court ruling held that the telecom giant satisfied a $10 million deductible under a cyber policy with a Zurich American Insurance unit with funds it received from a vendor involved in a 2015 data breach. The court rejected Zurich’s argument that a policyholder can’t use a third-party payment as a deductible and found that the insurer must cover T-Mobile’s losses stemming from the breach.
The decision will add firepower to companies’ insurance negotiations at a time when most cyber attacks involve third-party vendors and businesses face the prospect of being denied coverage because of high deductibles, insurance brokers and attorneys say. Policyholders are getting more aggressive about seeking recoveries from vendors as more cyber attacks target third-party weakness and deductibles jump, they say.
Companies facing insurance disputes over data breaches haven’t had much guidance from courts. Most cyber coverage rulings so far deal with general liability or property insurance. With so few decisions on standalone cyber insurance policies, the T-Mobile ruling will prove useful for future cyber insurance fights, Daniel Healy, an Anderson Kill partner, said.
“We are seeing more policyholders prepared to pursue their vendors in various loss scenarios, including cyber-attacks,” Healy said. “The T-Mobile ruling enables policyholders to push back an insurer’s argument that if policyholders can get recoveries from third parties, they can’t get full coverage.”
More than 60% of data breaches can be traced directly or indirectly to third parties, according to data from Risk Management Society, a trade group for risk managers.
“The T-Mobile ruling gives policyholders some comfort and peace of mind that they should try and initiate recovery proceedings and indemnification from at-fault vendors,” said Andrea DeField, a partner at Hunton Andrews Kurth. It encourages them to use the recoveries to pay for the increasingly expensive cyber deductibles, she said.
Organizations often seek recoveries from vendors, as cyberattacks frequently target vendors’ security weaknesses, said Emily Garrison, a litigator at Honigman LLP. Businesses usually have an indemnity agreement with third parties on their service contracts that allows them to recover, she said.
High Cyber Deductible
T-Mobile’s data breach policy requires it to pay a $10 million out-of-pocket deductible for the full amount of the policy, $15 million, to kick in. The networking giant incurred $17.3 million in losses from class actions and regulatory probes after its vendor, Experian Information Solutions Inc., suffered a 2015 breach that exposed millions of T-Mobile customers’ credit information.
The company received a $10.75 million settlement from Experian, but its insurer said T-Mobile can’t use the recovery as a deductible and refused to provide coverage of the remaining losses. Zurich argued that when factoring in the money from Experian, T-Mobile ultimately only suffered less than $7 million in losses, which didn’t meet the $10 million deductible threshold.
But the Washington appeals court found the Experian payment satisfied the deductible, and therefore Zurich must provide $7.3 million in coverage.
The decision is significant in part because many companies’ cyber policies have a similar deductible requirement as T-Mobile’s, and many have grown too high to satisfy, said DeField. Cyber insurers have charged higher premiums and raised the deductible amounts to respond to increasing cyberattacks and losses, she added.
“Companies who have $10 million deductibles now only had $1 million or less before 2020, and those who had $250,000 deductibles before are paying at least $1 million now,” said DeField, who works with companies on insurance negotiation.
A $10 million cyber deductible is typical for mid-sized and large companies, and DeField’s team has frequently seen cyber deductibles as high as $25 million for multinational businesses, she said.
With bigger dollar amounts at stake for deductibles, there will be more disputes over what a business can use to pay for cyber deductibles, said Louisa Weix, a partner at TittmanWeix who represents insurers in coverage disputes.
Cyber insurers who wrote policies with a similar deductible requirement as T-Mobile’s may now want to revise terms to expressly forbid companies from paying deductibles with third-party recoveries, she said.
In court papers, T-Mobile said
It is “extremely common” for a hack that begins with or involves a third party to spill over to another organization’s network, said Evan Bundschuh, vice president at broker GB&A Insurance.
For example, the $70 million Kaseya ransomware attack happened when hackers infiltrated the software company’s system and sent out a fraudulent update to as many as 1,500 businesses using the Kaseya software, he said.
The 2020 SolarWinds attack involved a similar situation when attackers gained access to SolarWinds’ network and sent a false update to organizations using the software. Thousands of government and private entities’ networks, including the US Treasury’s, were down for hours as a result.
The problem spills over into other types of organizations too. In February, Toyota shut down production at car plants after a plastic supplier suffered a data breach. School districts in Connecticut, New York, and Colorado have recently sued Illuminate Education, which offers software to track student progress, after students’ information, over 800,000 records in New York alone, was compromised by a cyber attack.
“More and more claims that we’re dealing with have the same fact pattern and scenario; that is the vendor, whether it is a cloud service provider or someone you outsource for payroll or customer services, getting breached, and policyholder companies are responsible,” said DeField.
An organization like T-Mobile may have put in the best cybersecurity controls on their system, she said.
“Unfortunately, it doesn’t always help because the vendor could be your weakest link,” DeField said.
To contact the reporter on this story:
To contact the editors responsible for this story: