Why You Shouldnt Count On General Liability To Cover Cyber Risk

Travelers Insurances legal spat with P.F. Changs over wholl pay breach costs will likely illustrate why enterprises shouldnt think of their general liability policies as backstops for cyber risk.

As the legal troubles for P.F. Changs restaurant chain kept piling up over the
breach discovered this summer
affecting 33 of its locations, its legal team made an insurance end-around play that many enterprises try after a breach. It filed a claim for coverage under its comprehensive general liability (CGL) policy. But a lawsuit filed earlier this month from its general liability insurer, Travelers Insurance, offers a good lesson to organizations on why this ploy rarely works.
Travelers asked the US District Court in Connecticut to clear it of any obligation to defend or indemnify the restaurant company during breach litigation. Its argument to the court: that not only is a breach like this not covered in its general policy definitions, but that even if it were, the restaurant company hadnt met a $250,000 basement floor limit up to which the firm needed to self-insure for covered events.
According to a number of legal and insurance experts, the case is about as open and shut as it gets for Travelers.
The likelihood that PF Changs would prevail seems quite slim, says Francoise Gilbert, an attorney with Palo Alto-based IT Law Group.
Thats because this is hardly the first time that the cyber mettle of CGLs has been tested in court. Dating back to
Sony Entertainments case
against its CGL insurer Zurich American in 2011, the rulings have been pretty clear that cyber incidents are rarely on the table for coverage under general liability policies.
In general they find that there is no coverage. A court might rule that there is coverage if occurrence causes the loss of use of some physical computer component or data storage medium, Gilbert says. On the other hand, a court might find that there is no coverage if there is no physical injury to tangible property resulting from the mere loss of data.
On the off-chance that Travelers does not win its case, this will still likely do little for enterprises hoping to use CGLs as an umbrella for cyber risk fallout.
If Travelers is not successful and their CGL policy is found to provide coverage, the result would most likely be the implementation of stricter exclusions on policies that do not want to pick up cyber exposure in any way, says Michael Carey, senior advisor for CyberInsure Solutions. From a general perspective, unless the CGL policy expressly grants cyber coverage, the proof would need to show that there is implicit coverage through the lack of dedicated cyber exclusions, which would be a weaker position to have in court.
This, of course, is the whole reason companies like Travelers offer cyber liability insurance -- a.k.a. cyber insurance -- as an added type of coverage.
The reality is that its not the spirit of general liability coverage, its not the intent of the coverage, and even P.F. Changs knows that, because it is rumored that they have a distinct cyber policy, says Jake Kouns of Risk Based Security, who gets annoyed when cases like these are painted by the media as a knock against cyber liability policies when theyre actually about disputes over general liability policies. I just get slightly frustrated when people see something like that and they immediately jump to the conclusion that, Oh, this is a slimy industry, you cant trust cyber liability insurance.
Unfortunately, misconceptions by enterprise IT risk managers about the insurance industry are still prevalent, in spite of a rapidly maturing cyber insurance market. According to Carey, the assumption that a CGL will transfer breach risks to an insurance company is a prevalent one.
This is a mistake many companies are making. Many business owners assume their current insurance, including CGL, covers cyber, but it often does not, says Carey, who offers a pretty simple rule of thumb: If you are not sure your business is covered for cyber, it probably is not.
[Insurance policies customized for cyber attack protection are on the rise as businesses worry they could be the next Target. Read
Cyberinsurance Resurges In The Wake Of Mega-Breaches
.]
Gilbert agrees that many companies arent aware that general liability doesnt cover cyber risks. She hopes that the Travelers case can help increase awareness about the difference between the two kinds of coverage so they can better manage different risks.
According to Kouns, whose company tracks breach and vulnerability information to sell to insurance underwriters and who has helped develop cyber risk policy products for a major insurer, not all cyber insurance policies are created equal. However, he says that well-chosen cyber insurance works very well, and that there are plenty of legitimate options on the market that do a good job transferring those risks that solid security practices cannot mitigate.
Right now I will tell you that pricing for cyber liability insurance is stupid low -- unbelievably low, he says. I cant imagine it will stay this low once losses continue to come in, but at this point Im stunned by any company that doesnt have some sort of cyber liability in place today.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Why You Shouldnt Count On General Liability To Cover Cyber Risk