In this podcast, JAMS neutrals Andrew Nadolna, Esq., and Bruce A. Friedman, Esq., are joined by Joan D’Ambrosio of Atheria Law and Kirsten Jackson of Latham & Watkins for a discussion of the role that alternative dispute resolution (ADR) plays in cybersecurity insurance coverage disputes. Drawing from their combined decades of experience, the group reflects on the rapid pace of risk evolution within cybersecurity and how that is prompting policyholders and insurers to pivot their approach to coverage.
They discuss the importance of closely evaluating a cyber insurance policy to ensure it is well written so that the policyholder understands the exclusions included. The group concludes by discussing the challenges in resolving cybersecurity insurance disputes and sharing their insights on what they anticipate seeing on the horizon, reiterating that prevention is the best cure when addressing these types of disputes.
JAMS - Podcast Transcript
[00:00:00] Moderator: Welcome to this podcast from JAMS. In this episode, we're going to talk about the role ADR plays in cybersecurity coverage disputes. We have four guests, including two JAMS neutrals, Andrew Nadolna, who spent 17 years in claims leadership positions at AIG, including as global head of casualty claims, and Bruce Friedman, a former trial lawyer of 37 years with significant experience in insurance law. We also have two lawyers in private practice, Joan D’Ambrosio of Atheria Law, who represents insurers in privacy claims, including those involving data security and privacy breaches, and, finally, Kirsten Jackson of Latham & Watkins, who represents policyholders on the full spectrum of insurance cases, including those involving cyber liability.
So thank you all for joining us. Joan, let me start with you. As counsel to insurers for many years, how would you characterize the state of cybersecurity coverage disputes now? What does the landscape look like compared to maybe 10 years ago?
[00:01:05] Joan D’Ambrosio: Thanks. And thank you for having me. It's a pleasure to be here. I guess I'd start by saying 10 years ago is an absolute lifetime in the cyber world, let alone the cyber insurance world. So, you know, kind of taking it back, I mean, over the last decade, cyber insurance policies have developed and changed significantly, starting mostly as add-on coverages to E&O policies and other types of policies before morphing into stand-alone products.
[These policies offer] an increasingly wide range of coverages and opportunities for risk transfer for companies buying the insurance, including first-party coverage for incident response and containment; review of notification obligations; notifications to individuals, usually consumers or patients, if health care; and defense of third-party claims, including regulatory investigations and litigation.
Many policies now offer expanded first-party business interruption, business income coverage, reputational coverage, etc.
So, in terms of the disputes arising from these policies, most coverage disputes continue to be resolved between insurers and policyholders—increasingly, in our experience, with the assistance of ADR, but outside of court, meaning there is still very little published case law. There are a lot of reasons for this method of addressing these disputes, including the rapidly changing coverage forms and the high level of partnership, for the most part, between insurers and policyholders in this evolving space. We might talk today about some of the case law that's out there, like a case involving Travelers and International Control Services, or ICS, which addressed alleged misrepresentations in the cyber application process but was resolved shortly after filing and it involved rescission of the policy, and the Merck coverage case, which gets lots of attention, including over the past week at the appellate level, arising from the 2017 NotPetya incident, but, of course, [it] didn’t even involve cyber policy. Those are property insurers litigating the war exclusion. So, overall, we were at a fairly initial stage for cyber coverage disputes.
There are maturing coverages, though, drastically differing policy forms, and lots of movement with policyholders and brokers and insurers within the market. And all of that leads to sort of a ripe environment for addressing some of the disputes that are now rising to the top.
[00:03:32] Moderator: So, you mentioned we're in a sort of nascent period for disputes. Certainly, you know, on the—on the court side, more private disputes. How would you say the market, you know, for insurance has responded? The market for coverage?
[00:03:44] Joan D’Ambrosio: Well, I work with lots of very smart insurers who spend a lot of time trying to adapt and pivot to these new risks. I mean, this is the big challenge here, right? [It’s], you know, what—what cyber risks look like today is completely different to what it looked like 10 years ago when we were worried about data and people losing data. Now we're worried about bad guys and threat actors that continue to pivot with new tactics and things that we never even thought of. So, I think the insurance market has been incredibly adept at trying to figure out how to underwrite to these moving targets and not shy away from them for the most part.
[00:04:23] You know, with literally no usable actuarial data or, you know, looking in the past doesn't predict the future. So, I think it's pretty exciting to see the energy that's going into trying to underwrite these risks. But you know it obviously presents immense challenges because the minute you write a policy, there's likely to be something that you hadn't thought of.
[00:04:43] Moderator: Right. Hey, Kirsten, what's your view from the policyholder’s side?
[00:04:47] Kirsten Jackson: Certainly, I agree with Joan. I would say the landscape has certainly changed, and a lot of that has to do with the fact that cybercrimes have been on the rise. I read a lot of pretty interesting statistics, and one was that in 2015, cybercrime cost the world economy about 3 trillion [dollars].
[00:05:06] Moderator: Wow.
[00:05:06] Kirsten Jackson: And it's predicted that by 2025, cybercrime will cost the world economy around $10.5 trillion. Just to put that in a little bit of perspective, which means that in a sense, cybercrimes will have the world's third-largest GDP, behind the U.S. and China. You know, it—it's not really a secret why we're seeing more of this. You know, a society becomes more digital in part due to behavioral changes following the pandemic. There's also increased political instability, including the war in Ukraine. So, it's not surprising that we're seeing more of this, but I would also note that there's probably been a resurgence recently of third-party security and privacy liability claims arising from violations of privacy acts in various states, including in Illinois, California, Texas and New York. And you know, in fact, all four of us, I believe, met working on a privacy cyber coverage case in the Cottage Health matter about 10 years ago. So, we're seeing a little bit of those issues returning.
[00:06:10] Moderator: Are there any other sort of specific legal questions that you see as the most contested in this area?
[00:06:17] Kirsten Jackson: Certainly. As Joan noted, I'm seeing a lot of issues involving the application of war exclusions to coverage for cyberattacks. So, when cyberattacks occur, it can sometimes be difficult, if not completely impossible, to identify the attacker and whether they're a nation-state or if they're backed by a nation-state. But that information can be a deciding factor in whether the victim’s business is covered under its cyber insurance policy for the losses it suffers from a cyberattack. And the devil really is in the details of the language used in a policy's war exclusion. As Joan mentioned, just earlier this week, a New Jersey appeals panel held that a war exclusion did not apply to bar coverage for a 2017 malware attack on Merck. And a lot of that had to do with—Joan is correct—the fact that it's a property policy, not a cyber policy, but also because the exclusion in that case didn't specify cyberattacks.
So one thing that policyholders are going to wanna look at when they're in the process of comparing and shopping around coverages is they’re really going to want to pay close attention to the language of exclusions and, you know, they can vary, and that can make all the difference.
[00:07:34] Moderator: Hmm. Andrew, as Joan said, a lot of these disputes don't make their way to court, necessarily; they make their way to folks like you. What kind of disputes are you seeing these days?
[00:07:44] Andrew Nadolna: So, I see all kinds of disputes in the cyber space. But I wanna connect up with what Joan said about the market 10 years ago, because I've been mediating for about seven years. One of the first disputes I ever got was a cyber dispute. It involved a policy that I would just say was not well written, was a little bit hazy on what it was trying to do. There was a dispute about [a] HIPAA violation arising out of a lost laptop by a medical company, and it was not clear whether fines and penalties were covered or not. That wouldn't happen today. I think most insurers have fairly well written policies that have been tested, looked at by lawyers. And as I look at the disputes I've done over the last seven years, many of them where there was a dispute about whether things were not covered, are now covered—they’re either in the base form or they're covered by endorsement, whether it is [a] business email compromise or payment card data, whatever you think of. And so, the policies are broader in [scope], and I don’t have as many “is it covered or not?” kinds of disputes. What I have are bits and pieces. So, most of the claim has been covered and paid. And then there's an issue about a sublimit, for example, credit monitoring. How much will we pay for a class for credit monitoring? Is it a year? Is it two years? Is it three years? There's an interpretive question there. So, I see sublimits quite a lot. I see just valuation of business interruption and different interpretations from an accounting perspective of what that looks like. I do see a little bit about different kinds of exclusions within [a] cyber policy. I have not yet seen the war exclusion, and I do think the war exclusions on cyber policies are much more focused than the war exclusions across other lines of business. But I see quite a variety, and none of them seem to be the same.
[00:09:39] Moderator: Hmm. And the cases that make it to you—why did they make it to you? What makes them ripe for ADR or good for ADR rather than court?
[00:09:49] Andrew Nadolna: So, most of the cyber policies have some sort of ADR clause requiring either arbitration or mediation. And usually, if there's a choice for the policyholder, the policyholder will choose mediation, although sometimes the parties decide to mediate on their own and they're not even trying to trigger that clause. And I think both sides realize it's good to try and resolve these outside of court without any further publicity, without a written record, without, you know, Law360 notifications. And I think they're also looking for someone who knows a little bit about the area and can provide at least a little bit of substantive feedback, or at least tough questions about the positions that are being taken, so that each side knows that they're sort of thoroughly tested by the ADR process.
[00:10:39] Moderator: And Bruce, you've mediated disputes involving cyber breach class actions. What dynamics drive those cases into mediation?
[00:10:50] Bruce Friedman: Dynamics generally are those that would be applicable to most class actions, and that is the cost of the litigation from the defense side and the desire to get an early settlement from the plaintiff's lawyer's side of the case. The number of cyber class actions that I've been seeing has increased in a large way over the course of the last few years to a point where I'm seeing cyber class action arising out of a data breach probably once a week.
And these are class actions that generally arise out of [a] breach and ransomware situation in which the threat actor is holding a business's system in return for a ransom payment. And during the course of that, of course, there's a question about what is the threat actor seeing or having access to in terms of the business and what kind of data or information—consumer or health-related data—are they potentially having access to? And in those cases, there're just so many data breaches, and I think, as Kirsten pointed out, the growth in the size of the costs of this to the world economy is just enormous. So, in terms of the insurance side of the—of the third-party cases, the couple of issues that I see really don't relate to the insurance coverage so much as they relate to the limits of the cyber policy. Cyber policies cover both third-party liabilities, like these class actions, as well as first-party coverages in terms of restoring, either paying a ransom payment and/or restoring the system to its full capacity, so that the business can move on. A lot of money gets spent before the third-party case is even brought.
The note—and there's a significant notice requirement to the business that's been breached in terms of notifying consumers or customers or employees that their information has been accessed. So, when it gets time for the third-party class action to be settled, there often is an issue relating to the remaining policy limits. Is there enough to settle the third-party case?
The other issue is that cyber insurers have a lot of experience in settling these cases. And so, they kind of know the market for these settlements, and they're very precedent-conscious in terms of what they'll pay in one case versus another, and they are not going to overpay only to be—hear from the same plaintiff's lawyers in another case that they were able to get X dollars in that case, [so] why won't they pay the same here? So those are the couple of things that come out from the insurance side, at least with respect to the data breach cases.
[00:13:50] Moderator: Mm-hmm. You said in—they’re very precedent-oriented. What are the biggest challenges in resolving these disputes when they get to you, that you find?
[00:13:59] Bruce Friedman: Well, the biggest legal challenge, generally speaking, is a standing issue whether the class representative has any damage. It's very unusual to see a class representative in these cases that has actually been damaged or can tie whatever damage they have to a specific cyber breach in part because there are so many cyber breaches. That's a legal hurdle. There are many other arguments with respect to whether a class is appropriate for class certification. But those are the legal issues that get presented. The practical side of it is simply that the insured policyholder, as well—and the insurance company in many cases, believe[s] that they can defeat these cases based on the legal issues, but the cost of doing so is such that it drives them into a settlement context that will allow them to settle for essentially a cost of defense without having to litigate and basically exhaust the rest of the policy.
[00:15:01] Moderator: Hmm. Andrew—as we have several folks who have noticed cybersecurity incidents certainly going to grow—you spent time at AIG, so you know what in-house folks are facing. What can parties do to get ready?
[00:15:14] Andrew Nadolna: Well, I think there's—there's a lot of people out there sort of dealing with playbooks for these kinds of situations, and I think the most important thing is knowing what your organization is capable of and isn't, and figuring out where you have to find outside resources to handle the rest of it. And I—I think that's a challenge for every organization, every company. After that, I think the most important thing is probably having your insurance people ready to go to get notice to your insurers because a lot of the things that you might outsource in terms of responding to a cybersecurity incident are things that insurers, cyber insurers, provide under their policies. Crisis response, forensics incident response—all of these things are things you can contract for with your cybersecurity policy. And then the other piece of that is just making sure your contractual arrangements with all of your vendors and suppliers and contractual partners are up to date in terms of how you deal with cybersecurity incidents so you know what you're doing and—and how you're going to go about doing it and who's responsible.
[00:16:17] Moderator: Hey, Bruce, would you add anything to that?
[00:16:19] Bruce Friedman: I would say this: that in those cases where the—either the existence of cyber insurance is in question or the balance of limits is—policy limits are limited, that it is important to share financial data of the business itself with the plaintiff's counsel. If the ability to pay is going to be a question in the mediation, then this comment would apply to all mediation, wherever the ability to pay comes into play. I think the defendant insured has to be prepared to discuss their financial condition, within mediation confidentiality, in order to persuade plaintiff's counsel to be more realistic about what they can obtain in a settlement.
[00:17:06] Moderator: And Joan and Kirsten, I want to allow you to have a final word about anything that you are looking forward to. What should we all be looking out for? Joan, I'll—I'll start with you.
[00:17:15] Joan D’Ambrosio: Thanks. Yeah, I think that we are going to see more of these issues come up for some kind of review and resolution on the points that were just made by Andrew and Bruce. I agree that there are challenges with respect to settling these cases, but I would also add in addition to what kind of policy limits or sort of financial resources are available. There's also a great amount of creativity being brought to trying to resolve these cases. Not, for example, all data is the same. So, with some large data breaches, you may have subsets of people that have more or less sensitive data, and some of the better settlements, I think, that are being approved by the courts and are accepted by the plaintiff attorneys really do recognize that. And that's something that's starting to evolve more over time, I think, than we saw initially, and those are things I think where we can all work together to try to create settlements that satisfy all the requirements but also accept and acknowledge the fact that, as Bruce says, there [are] very few people that ever can establish that they've been harmed. But certainly, the risk of harm differs depending on the type of data. So that's something that we're very focused on in working with neutrals and other attorneys, on trying to continue to develop the best possible strategies to get to the best possible resolutions.
[00:18:35] Moderator: Thank you. And Kirsten?
[00:18:36] Kirsten Jackson: Yes. So, I think I would just kind of caution that the prevention is better than cure for all of this. So, I would encourage, from a policyholder perspective, to really focus on, when they're purchasing cyber insurance policies, that they're really carefully reviewing the policy language—preferably with the help of their broker or outside counsel—and they're looking at the language carefully. They're comparing, for example, war exclusions. They're comparing other forms of exclusions and conditions, and they can be aware that there may be room to negotiate more favorable terms and find alternative insurance products that might have more favorable language in the market.
[00:19:23] Moderator: All right, Andrew and Joan, Kirsten, Bruce, thank you so much. It's been a great conversation.
[00:19:30] You've been listening to a podcast from JAMS, the world's largest private alternative dispute resolution provider. Our guests have been Andrew Nadolna and Bruce Friedman of JAMS, Joan D’Ambrosio of Atheria Law and Kirsten Jackson of Latham & Watkins. For more information about JAMS, please visit www.jamsadr.com. Thank you for listening to this podcast from JAMS.
This page is for general information purposes. JAMS makes no representations or warranties regarding its accuracy or completeness. Interested persons should conduct their own research regarding information on this website before deciding to use JAMS, including investigation and research of JAMS neutrals.