Crack the Code: Evaluating Cyber Claim Exposure

January 2024

Insurance Insight_390x160

By Taylore Karpa Schollard

Small businesses account for 99.9 percent “of all American businesses,” with more than 33.1 million small businesses employing a staggering 61.7 million Americans.1 There is nothing “small” about their import to the economy or the unique insurance questions facing them. Nor is there anything “small” about the potential exposure insurers of small businesses face. In 2022, studies showed that small businesses incurred commercial losses of over $200 million.2

While theft, weather, and fire-related losses continue to be the triggers for the “most common business insurance claims in America,” it is important for insurers to keep a watchful eye on cyber loss trends given the potential for substantial exposure cyber losses pose. Small businesses are reported to “account for 43% of cyber attacks annually.”3 In 2020, reports indicate that over 700,000 small businesses suffered cyber attacks, resulting in “a total of $2.8 billion in damages.”4 The potential for cyber claims is likely to increase as instances of cybercrime continue to grow. Indeed, studies show that ransomware attacks increased by nearly 93% in 2021 alone.5

As cyber losses are expected to continue to trend upward, this article provides a brief update on recent cyber insurance cases to assist insurers in evaluating their risk and handling cyber claims:

  • National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, 435 F. Supp. 3d 679 (D. Md. 2020)

- The insured embroidery and screen-printing business sought coverage under a business owner’s policy for the cost of fully replacing its entire computer system after a ransomware attack that prevented it from accessing its files, software, and corporate data. Even though the insured paid the ransom, some of its art files needed to be completely recreated. The computer system also ran more slowly due to protective measures instituted after the loss.

- The insurers argued that because the insured did not lose complete functionality of its computer system, the insured did not suffer a covered loss. The court disagreed. It held that the insured sufficiently proved it suffered the required “physical loss or damage” because “loss of use, loss of reliability, or impaired functionality demonstrate the required damage to a computer system.”6

  • Yoshida Foods International, LLC v. Federal Insurance Company, No. 3:21-cv-01455-HZ, 2022 WL 1748000 (D. Or. Dec. 6, 2022)

- A cyber-criminal hacked into the insured’s computer system, encrypting it so that the system could not be used. The hacker demanded a ransom payment in cryptocurrency only. The ransom was paid by the insured’s president using his own personal cryptocurrency holdings. The insured company eventually reimbursed the president for the payment and sought coverage.

- The court found that the payment was a direct loss to the insured and rejected the insurer’s argument that the payment was not covered because it was made from personal funds and was voluntary, particularly given that the payment was made under duress.7

Staying up to date on trends in cyber coverage and developments in legal precedent is an insurance company’s first line of defense in evaluating its potential exposure and effectively handling cyber claims when they arise.

1 Ashlee Tilford, Small Business Insurance Statistics 2023, Forbes Advisor, Sep. 28, 2023, https://www.forbes.com/advisor/business-insurance/small-business-insurance-statistics/, and sources cited therein.
2 Id.
3 Nivedita James Palatty, 51 Small Business Cyber Attack Statistics 2023 (And What You Can Do About Them), Astra, October 26, 2023,  https://www.getastra.com/blog/security-audit/small-business-cyber-attack-statistics/#:~:text=Small%20businesses%20account%20for%2043,%2425%2C000%20due%20to%20cyber%20attacks.
4 Id.
5 Tilford, supra.
6 “Here, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data. Because the plain language of the Policy provides coverage for such losses and damage, summary judgment will be granted in favor of Plaintiff's interpretation of the Policy terms.”
7 The above discussion identifies only one of the holdings discussed in the Yoshida case.

+ READ MORE - READ LESS

The articles on our website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the views or official position of Robins Kaplan LLP.

Disclaimer
Back to Top