Between a Rock and a Hard Place: The Potential Effect of Executive Order 13636 on Cybersecurity Insurance Coverage
By J. Wylie Donald, Jennifer Black Strutt, and Cynthia M. Morrison, McCarter & English, LLP
Headlines trumpet the brazen theft of millions of dollars from ATMs by sophisticated hackers.1 Testimony before Congress elucidates the challenges facing the electricity grid in the form of cyber activity from “criminal groups, hackers, disgruntled employees, nations or terrorists.”2 The Secretary of Defense points a finger at China as engaging in cyberwarfare.3 What can be done about it all? Certainly technology is a part of the solution. So is insurance. On the legal front, the federal government itself weighed in this spring with a new executive order.
As a result of several notable security breaches and congressional failure to pass proposed legislation, on February 12, 2013, the Obama administration issued Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Order”), establishing a voluntary set of security standards for critical infrastructure industries.4 Among other things, the Order directs the Executive Branch to increase the volume, timeliness and quality of cyber threat information sharing, which should result in further developing a public-private partnership. While the Order takes a step in the right direction toward improved cybersecurity, entities in the private sector may find themselves between a rock and hard place.
Under the Order, an entity may receive governmental notification that it may be the target of a cyber threat, such as the scenarios noted above. However, given the government’s interest in protecting intelligence and law enforcement sources, methods, operations, and investigations, very little information may actually be disclosed. Alternatively, more detail may be provided as “classified information” and the entity may be instructed to maintain the confidentiality of the government’s notice. This is understandable from the standpoint of the Department of Homeland Security. But what about the targeted entity? What happens if the security threat becomes an actual attack?
If the entity is insured, one would think that the entity should be able to rely on its insurance policy to cover the loss. But if the entity failed to give its insurer timely notice in accordance with the terms of the policy, the insurer may be able to disclaim coverage. On the one hand, the insured may have little information and the insurer will insist that coverage is not triggered in light of the minimalist nature of the unclassified report. On the other hand, the government may know very well the details of the planned attack and may share such information in the hopes of averting the danger. But if confidentiality restrictions prevent the disclosure of the information to the insurer, again the carrier may disclaim. Therefore, the government’s warning, which presumably was given in an effort to assist the entity, may have the opposite result and jeopardize the entity’s ability to recover for any loss.
This article analyzes the harmful effect a vague warning or a confidential disclosure pursuant to the Cybersecurity Order may have on a policyholder’s ability to recover for loss caused by a cyber attack.
Executive Order 13636
The Cybersecurity Order provides that the threat of cyber intrusions “represents one of the most serious national security challenges [the United States] must confront.”5 The Obama administration issued the Order specifically to address “repeated cyber intrusions into critical infrastructure [which] demonstrate the need for improved cybersecurity.”6 Some of the likely infrastructure industries affected by the Order are banks, electrical utilities, transportation providers, and telecommunications companies.7
Within 120 days of the date of the Order (that is, by June 5, 2013), the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence were to issue instructions to ensure timely production of unclassified and classified reports of cyber threats to the United States that target a specific entity.8 These officials are tasked with establishing a system for tracking the production, dissemination, and disposition of the cybersecurity information sharing reports. Participation is voluntary, and the Order does not establish any liability limitations or protection to the participating infrastructure industries.
To date, it is unclear what information will be provided to an entity pursuant to the Order. On February 22, 2013, Dr. Andy Ozment, the White House Director for Cybersecurity, provided comments that offered little guidance.9Dr. Ozment indicated that, although the government recognizes the need to broadly share information, “information sharing is complicated for the government.”10 One of the primary concerns is that if information is shared too broadly, the cyber adversaries will modify their behavior, reducing or even nullifying the value of the information. One method of controlling the dissemination of information and thus ensuring that adversaries do not have access is the granting of security clearances. However, as Dr. Ozment advised, the government “can’t give a clearance to everybody who needs to understand cybersecurity and operate to defend their critical infrastructure.”11 Therefore, given the need for security clearances and protection of classified information, what the government shares with the private sector may be vague and incomplete.
Cybersecurity Insurance Coverage:
Cybersecurity insurance is a developing market. Several cybersecurity risks are currently insurable, including liability arising out of data breach or loss, costs related to data breach (such as credit monitoring and forensic costs), network damage, cyber extortion, and some regulatory issues.12 Policyholders may have difficulty finding coverage for business interruption, restoration costs, and reputational damages.13 Indeed, many consider catastrophic loss (such as cyber disasters caused by, “war, terrorism, critical infrastructure failure, ‘in the wild’ and state-sponsored computer viruses”) to be uninsurable.14 However, carriers are moving toward coverage for “cyber hurricanes,” or situations “where thousands of policyholders are impacted by a single event.”15
Cybersecurity coverage is typically written on a “claims-made” basis, meaning there will be coverage only for a claim reported to the insurer within the policy period or extended reporting period. These policies typically exclude coverage for claims that occurred prior to the policy’s start date.
In order to trigger coverage, a policy usually requests timely written notice of a claim, or of circumstances likely to give rise to a claim. The “notice of circumstances” is the concept at issue here. Although some in the insurance industry believe a notice of circumstances is optional, some courts have found that a notice of circumstances is required.16 These types of provisions are common in, for example, directors and officers liability policies. The following is a sample of this type of provision used in a cybersecurity policy:17
If during the Policy Period an Insured becomes aware of any circumstances which may subsequently give rise to a Claim, and during the Policy Period the Insureds:
- give to the Company written notice of such circumstances, including a description of the circumstances in question, the identities of the potential claimants, the consequences which have resulted or may result from the circumstances and the way in which the Insureds first became aware of the circumstances; and
- request coverage under this Policy for any Claim subsequently arising from such circumstances,
then the Company will treat any such subsequent Claim as if it had been made against an Insured during the Policy Period, provided that written notice of such Claim is then given to the Company in accordance with … [additional policy terms].
Thus, it is not unusual for a policy to require certain information concerning a potential claim in order for there to be coverage when the claim later arises.
Interplay of Cybersecurity Order and Cybersecurity Coverage
Assuming a policyholder receives information from the government of a cyber threat, the policyholder will need to consider whether its insurer should be informed. The simplest case is when the policyholder receives detailed information concerning the threat. Such a report is very likely to be classified.18 If “notice of circumstances” is mandatory, the insured is immediately between Scylla and Charybdis. To give notice based on the detailed information in the classified report from the government is to violate the law, unless the insurer’s claims person also has a security clearance (which is not likely to be the case). Violating such classification rules can subject the violator to fines and imprisonment.19 However, not to give notice is to fail to meet a condition of coverage, which means the subsequent claim may be denied.
Alternatively, a notice of circumstances may not be mandatory (as is the case in the provision given above). A policyholder giving notice, however, will get the benefit of being able to relate any subsequent claim to its notice. This will mean that the policyholder is not subject to denial of the claim based on a theory of misrepresentation20 or on the doctrine of “known loss”21 should the policy need to be renewed before the claim comes in. Further, giving effective notice now will ensure that subsequent modifications to the policy (such as a reduction of limits, increased deductibles, or new exclusions) will not affect coverage. However, as with a mandatory notice of circumstances, the insured may be barred from disclosure because of the classified nature of the government’s report.
It is no better with government reports of an unclassified nature. In such reports, the information provided by the government is likely to be vague, as suggested by Dr. Ozment.22 If the policyholder decides not to provide a notice of circumstances, it risks the problems identified above with respect to not providing classified reports.
Sharing the unclassified reports with the insurer, however, may not help either. First, the carrier may reject the notice of circumstances as lacking sufficient detail. As noted above, one cybersecurity policy requires:
- a description of the circumstances in question,
- the identities of the potential claimants,
- the consequences which have resulted or may result from the circumstances, and
- the way in which the Insureds first became aware of the circumstances.
It is possible, even likely, that the unclassified reports will leave items 1-3 vague and unspecified. That could be fatal to the efficacy of any notice relying on such report.
One court has held that “allowing coverage to be triggered by broadly phrased, innocuous, or nonspecific statements, would permit an unbargained-for expansion” of a claims made policy.23 Another court stated that the purpose of a notice of circumstances is to permit an insurer to set reserves.24 Vague and uninformative reports would be insufficient to allow an insurer to evaluate the potential claim or claims and set reserves. Still a third has ruled that an insurer’s knowledge of the insured’s general bad practices did not satisfy a policy requirement that the insurer “receive notice of the ‘facts and circumstances [relating to specific wrongful acts] having the potential to give rise to a claim.’”25 These decisions might be summed up in the words of one treatise: “[A]bsent policy language leading to a different result, a discovery clause should not be satisfied unless the insurer was put on notice of specifics.”26 To be sure, policyholders may have room to argue that any notice was specific enough, but the purpose of obtaining coverage is to have coverage, not to have an argument.
Second, submitting a vague report that a carrier does not accept as relevant to a subsequent claim might be of little concern if it had no other effects. However, by submitting a notice of circumstances it is certain that the notice will be considered at an entity’s next insurance renewal. At that time the carrier may take steps to limit its loss on the potential claim. A policyholder might see new exclusions addressed to the threat, lowered limits, increased deductibles and an increased premium. If the notice is viewed by the carrier as inadequate to trigger coverage, but results in more expensive and reduced coverage down the road, then giving notice was a bad idea.
The end result under either a classified or unclassified report from the government may be an impossible situation for the policyholder. If the government places the policyholder on notice of a potential claim, but the policyholder does not give notice to the carrier either because the policyholder does not believe it has sufficient information to report or because it refuses to violate its confidentiality obligation, it runs the risk that the insurer may disclaim coverage. However, if the policyholder does give notice, it either risks jail and fines for improper disclosure of classified material, or risks a reduction in coverage and increased premiums with no accompanying coverage for the anticipated claim if it makes an unavoidably vague report.
The Cybersecurity Order is in effect and presumably government agencies are in the process of preparing and disseminating unclassified and classified reports. Entities involved in critical infrastructure should: take steps to ensure they know how they will respond upon receipt of a government cyber threat report; initiate a dialog with their cybersecurity insurers to understand what the carriers expect and how a notice of circumstances will be treated; and join the discussion about how the requirements of the Cybersecurity Order are going to be implemented so that some of these problems may be nipped in the bud.
At a minimum, affected policyholders should prepare a plan of how to process any information received so as to address how the information will be shared. A group within the policyholder’s business should likely be formed to review receipt of information and to decide what actions should be taken. Prior to receiving information, this group should review the entity’s insurance policies and, specifically, review the policies’ notice provisions and then assess how those provisions may be met. For example, in a cleared facility, the Facility Security Officer (“FSO”) would be the point of contact with the Defense Industrial Security Clearance Office (“DISCO”). Any classified information provided to the policyholder can be vetted by their FSO and, possibly in communication with a representative from DISCO, they can determine whether any portion of the communication may be shared with the carrier. If the FSO is told by a representative of DISCO, the Department of Homeland Security or the Department of Justice, that no portion of the classified report may be shared with the carrier, at least the insured will know that it has a basis for withholding the information. (Whether that will insulate the insured from a denial based on a failure to disclose has not been tested.)
In addition to reviewing current policies, and assembling a team of individuals to review cybersecurity information, a policyholder’s team should also consider negotiating with its current insurer or seeking a new carrier who will be flexible when addressing the notice requirements and willing to clarify the policyholder’s obligations. An insured would like to know in advance that its carrier will not require that classified information be turned over or that an unclassified report that is not accepted as a notice of circumstances would not affect future policy terms or premiums. Continuing with the example above, will the carrier be satisfied with a sanitized report from the FSO? Will the carrier seek to qualify someone in its organization to handle classified cyber information?
Last, the discussion on cybersecurity is ongoing and will continue into the future, but the framework in which cyber threat response is being developed is happening now. The relevant agencies (the Departments of Justice and Homeland Security and the Office of the Director of National Intelligence) are right now putting together their instructions for the production and dissemination of unclassified and classified reports.27 The Cybersecurity Order specifies that the instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.28 The Order does not say anything at all about critical infrastructure entities being able to access their insurance; it should.
J. Wylie Donald is a partner at McCarter & English, LLP in the Firm’s Insurance Coverage Group. McCarter & English’s Insurance Coverage Group counsels only policyholders and has recovered hundreds of millions of dollars, by settlement or judgment, on behalf of policyholder clients. Jennifer Black Strutt is an associate, and Cynthia M. Morrison a former associate, in the Insurance Coverage Group as well.
© 2013 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.