infrastructure, resource and manufacturing companies — to understand that their
property policies may provide a source of
recovery in the event of such a loss.
Yet even if these losses fall within the
language of the policy, it is uncertain
whether insurers will willingly pay such
claims. On the one hand, the insurance
industry has recognized that cyber attacks
causing physical damage and business interruption are covered under traditional
insurance products. Notably, a November
2015 report from A.M. Best on cyber security issues facing insurers acknowledges
that such claims are currently covered under the language of traditional insurance
products such as commercial general liability, property and business interruption
polices. However, the report states that
the language in these policies was developed at a time when cyber liability claims
were not contemplated.
This claim is specious. As insurers
agree to renew their policyholders’ property and business interruption coverage
programs without explicitly addressing
cyber-related losses, they cannot reasonably claim to be unaware of the risk they
are taking on at the time of underwriting.
Another more striking acknowledgment of coverage under traditional policies for physical damage and business interruption losses caused by cyber attacks
appears in a 2015 report jointly published
by Lloyd’s of London and the University
of Cambridge’s Centre for Risk Studies
entitled, “Business Blackout, The Insurance Implications of a Cyber Attack on
the U.S. Power Grid.” In that report, the
authors consider the types of claims that
could be triggered by a hypothetical disruption to the U.S. power grid resulting
from a cyber attack.
The report acknowledges that physi-
cal damage resulting from such an attack
would trigger first-party property dam-
age and business interruption policies.
Like the A.M. Best report, the Lloyd’s
report suggests that coverage for these
attacks under traditional policies may
not be intended, but concedes that many
policies are “silent” or ambiguous as to
whether such claims are included. The
Lloyd’s report refers to policyholders’
expectation that such claims will be cov-
ered under their traditional policies and
the belief by insurers that they are not as
a “mismatch of expectation and reality.”
But given the significant amount of
attention cyber risk has received by the
media, government agencies, insurers,
brokers and policyholders, it would be
unreasonable for insurers to believe that
losses due to cyber attacks are not cov-
ered under traditional lines of coverage if
they are not clearly excluded.
The admission by one of the larg-
est excess insurers in the world that (1)
policyholders and insurers do not share a
common understanding of whether their
traditional policies provide coverage
for cyber-related losses causing physical
damage, and (2) many such policies are
silent on this issue, are particularly sig-
nificant. As a practical matter, this means
that coverage for such losses likely will
be disputed, and the issue of whether the
policies apply will either be compromised
by the parties or decided by the courts.
The role of a court in interpreting an
insurance policy is to find the common
intent of the parties, as expressed by the
language of the policies.
Generally, clear and unambiguous
terms in an insurance policy are given
their plain and ordinary meaning. How-
ever, where language is susceptible to
more than one reasonable interpretation,
an ambiguity exists. To the extent, as the
Lloyd’s report suggests, traditional prop-
erty policies are “silent” with respect to
coverage for cyber-related physical dam-
age losses, this leads to only two alterna-
tives: (1) the clear language of the poli-
cies is broad enough to encompass such
losses, or (2) the policies are subject to
more than one reasonable interpretation,
and therefore are ambiguous.
Under general principles of insurance
interpretation, ambiguities are resolved
in the insured’s favor and in line with the
insured’s reasonable expectations. Thus,
under either alternative, “all risks” poli-
cies that are silent with respect to cover-
age for cyber-related losses should be in-
terpreted to cover them.
Insurers have begun to develop exclu-
sions specifically designed to limit cover-
age for cyber events resulting in physi-
cal damage and business interruption.
Examples include Institute Cyber At-
tack Exclusion Clause 380 (CL 380) and
LMSA 3030, which have been designed
to bar coverage for claims relating to cy-
ber attacks that are committed with mali-
cious intent or are deemed acts of war.
Given the continued softness in the
property market, policyholders are well
positioned to resist attempts by insurers to
add such exclusions. To the extent these or
other exclusions already have been added,
under general principles of insurance interpretation, exclusions must be narrowly
construed, and the insurer bears the burden to show that the exclusion is: (1) clearly and unmistakably stated, (2) subject to
no other reasonable interpretation, and ( 3)
applicable to the present case.
Alex J. Lathrop ( alex.lathrop@pillsburylaw.
com ) is a partner in Pillsbury Winthrop
Shaw Pittman LLP’s litigation and insurance
recovery and advisory practices. He has
assisted clients with large, complex losses
in a wide array of industries – ranging from
energy, oil and gas, railroad, and large manufacturing companies, to emerging internet,
technology and medical device companies.
ACROSS THE COUNTRY
Insurance Carriers Ready
To Do Business NOW!
Qualified Investors will be Invited
to Atlanta as our Guests!
•Large, Exclusive Territories
•Established Ins. Carrier Relationships
•National Marketing/Admin Staff
•Best Industry Brand/Reputation
Own Your Own Business
A RYTECH Franchise is a Sound
Investment in Your Family’s Future
in a 60+ Billion Dollar Industry!
Rytechindd 1 21/07/16 11:33PM