Cyber Insurance And Risk Management: Lessons from Recent Legal Cases
May 30, 2024
According to an article by Risk Management Magazine, recent ransomware attacks—including the one on United Healthcare subsidiary Change Healthcare, which disrupted medical claims and payments nationwide—have highlighted critical gaps in cyber insurance and risk management strategies, especially when human error is involved.
These attacks underscore the necessity for companies to bolster cyber defenses and ensure their insurance policies adequately cover cyberattack-related losses, especially since the “human factor” does not invalidate cyber coverage, despite insurers often arguing otherwise.
The article cites a 2024 case involving Southwest Airlines’ cyber insurance claim after a 2016 system failure led to $77 million in losses from delays and cancellations. While primary and some excess insurers paid, Liberty Insurance denied the claim, arguing management decisions contributed to the losses. Southwest sought coverage for customer compensation programs and promotional costs, which Liberty deemed discretionary. Initially, a federal court agreed with Liberty, but the Fifth Circuit Court of Appeals reversed this, demanding a causation analysis. The appeals court emphasized that losses would not have occurred but for the system failure and rejected Liberty’s broad interpretation of policy exclusions.
This decision mirrors previous rulings where courts upheld coverage despite insurer arguments that human actions severed causation. In Medidata Solutions v. Federal Insurance, the court found employee actions did not negate coverage. Similarly, in G&G Oil Co. of Indiana v. Continental Western Insurance, a ransom payment made under duress was deemed covered. The State Bank of Bellingham v. BancInsure case also supported coverage despite employee error leading to a cyber loss.
These cases highlight that cyber insurance policyholders should challenge insurer claims that human errors or decisions invalidate coverage. Effective preparation and understanding of cyber insurance and risk management are crucial for navigating and securing coverage following cyber incidents.