While the market for specialty cyber insurance policies has heated up considerably over the past few years, a good deal of uncertainty still affects the market as the scope of these newly-minted policy provisions remains untested (not to mention the real scope of risk businesses face). Compounding this uncertainty is the fact—in contrast to the more established D&O policy market—that so many of the cyber policies vary widely from carrier to carrier. A recent dispute between a New Orleans luxury hotel and Lloyd’s of London underscores the importance of working closely with your broker and outside coverage counsel to properly assess the risk your business faces and fully vet the coverage provisions a cyber carrier is proposing.
In many respects, the story of Hotel Monteleone is the greater story of businesses in the digital age in miniature: In 2013, the hotel suffered its first substantial cyber attack, but, unfortunately, did not have a cyber policy. Learning from this experience, the hotel bought a $3 million cyber policy from Ascent Underwriting of Lloyd’s of London (“Underwriters”) in 2014. During the 2014 policy period, Hotel Monteleone suffered a second cyber attack, which resulted in substantial Payment Card Industry (“PCI”) assessments and fraud reimbursement charges. Hotel Monteleone requested full coverage for these losses, which Underwriters denied, and the hotel filed suit in Louisiana state court in December of 2015.
PCI fines, penalties, and assessments are a thorny issue in cyber coverage. Unlike most of the cyber-related losses that carriers are insuring for, PCI-related losses are arguably contractual. In efforts to protect consumers and reduce cyber breach expenses, the payment card industry has established a set of security standards (“Payment Card Industry Data Security Standards,” or “PCI-DSS”). Retail and services businesses are explicitly required to comply with these standards when entering into payment processing agreements. Under these agreements, businesses can be subjected to “fines” and “fees” for non-compliance with security standards, as well as “assessments” for the amount the issuing banks spent to monitor or cancel and re-issue at-risk cards and the amount of fraudulent charges on the at-risk cards. The difference here is significant: fines, fees, and penalties loss is typically excluded under most policies, while liability for third-party losses (which the “assessments” effectively are) is typically covered. In fact, PCI “assessments” may be the most substantial kind of loss a business faces after a card data breach, as it should represent reimbursement of the actual losses suffered by card issuers, payment processors, and consumers.
Hotel Monteleone’s policy contained an endorsement, subject to a $200,000 sublimit, for PCI “fines or penalties,” defined as “a written demand received by [the hotel] by a credit card association for a monetary fine or penalty because of [the hotel’s] non-compliance with Payment Card Industry Data Security Standards.” Under this same “fine or penalty” language, PCI fines or penalties are otherwise excluded under the policy.
Naturally, Hotel Monteleone’s argument is that the parties agreed under the policy language to subject only PCI “fines or penalties” to a $200,000 sublimit, and that “assessments” are subject only to the $3 million policy limit. In support for this, the hotel points out that PCI assessments for its 2013 cyber attack were well in excess of $200,000, and that the hotel’s new 2015 cyber policy with Underwriters now defines PCI Fines and Penalties to include “reimbursements, fraud recoveries or assessments.” Significantly, the hotel has also sued its broker, arguing that in the event the hotel is subject to the sublimit, the broker should be liable for the hotel’s losses over $200,000 for failing to inform the hotel that it was not being covered up to the policy limit for PCI assessments.
Underwriters is currently trying to force arbitration, arguing that the hotel’s argument that the policy’s arbitration provision does not apply in Louisiana is not consistent with Fifth Circuit precedent.
As important as coverage for cyber events is, Hotel Monteleone illustrates that the legal landscape of cyber insurance is still developing and uncertain. In order to reduce the risk of being tied up in similar disputes, business should consult with seasoned brokers and coverage counsel who can apply lessons from insurance recovery disputes in other areas to prevent unexpected denials of coverage from insurers.
Reporter, Andrew M. W. Mutter, Atlanta, +1 404 572 4705, amutter@kslaw.com
