Tech E&O, Network Security, Internet Media and MPL Insurance Policy
Insuring Agreement I.I: NETWORK EXTORTION AND REWARD PAYMENTS COVERAGE
Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies. It also ignores policy limits, retention matters, notice requirements, time intervals for coverage, etc., important as these are. As usual, the discussion of everything in this blog is tentative, partial, and perhaps mistaken here and there. It is a new and relatively uncharted ocean.
Be sure to read the “Concluding Remarks,” even if you don’t read all–even much–of the rest of the blog.
NETWORK EXTORTION THREAT AND REWARD PAYMENT COVERAGE
This title introduces a relatively new type of first-party coverage not to be found in many so-called “real world” policies, although it is to be found in some of what might be called elite policies. Often it is to be found in (1) D&O policies for businesses, such as (a) those doing business in some overseas places, and/or (b) anywhere there is or is likely to be a rebellion (or something of the sort), and/or (c) some sea areas, e.g., where companies have significant employees sailing around not very far west of parts of Africa. (2) Less often there are crime policies in which the relevant coverage appears, at least by endorsement; and (3) there are specialty kidnap and ransom policies. (In theory it could occur as an endorsement to a maritime insurance policy, but that is doubtful.)
This insurance agreement–and remember, it is first-party insurance–consists of two paragraphs. They accord with the conjunction in the title. One pertains to expenses incurred in dealing with the threat, and this may include what must be spent after the threat is carried out. The second paragraph covers some payments made as rewards to prevent execution or deal appropriately with the persons making threats after the threat is carried out. (Many people are not included in the Insurer’s obligation to pay for information–police persons, for example.) These same types of provisions are to be found in corresponding, or analogous, so-called “real world” policies.
It is best to deal with the operative definitions. These are Network Extortion Threat, Extortion Expenses, and Extortion Payments. Nearly all of the key terms in the insuring agreement turn on these three phrases.
Definition: “Network Extortion Threat”
This term, roughly, refers to a credible threat or series thereof made by a natural person to an Insured where such natural person:
- introduces or threatens to introduce Malicious Code into the Company’s Computer System;
- interrupts or threatens to interrupt its System by means of a Denial of Service Attack;
- disseminates, divulges, or improperly utilizes, or threatens to do at least one of these with, Non-Public Personal Information or Confidential Corporate Information obtained from the Company’s Computer System.
Roughly speaking, the definition seems to be reasonably clear as it stands, at least as to what is included and what is not. The exception to this is Confidential Corporate Information. It includes only information of third parties, subjected to a confidential agreement, provided to the Insured to enable it to perform Miscellaneous Professional Services for the third party for a fee. Covered Miscellaneous Services are those listed on the dec sheet, subject to two exceptions: Technological Services (a long list of computer services running from design to repair and on to licensing) and Electronic Publishing, a phrase which suggests its own meaning (or some of it at least).
The definition is not without puzzles, however. Of course, virtually all terms which appear to be quite precise are actually not. There will be disagreement about many terms, and that can lead to dispute regarding coverage claims. Could a “logic bomb” be like that? What if “cookies” had distant dangerous cousins which are not technically “cookies”? And so forth. Furthermore, why would the covered threats be limited to those made by a natural person? Why couldn’t a corporate entity make such a threat? Would a threat be a covered threat if it was designed, engineered, and carried out ultimately by a corporation, although it is delivered by a natural person? Why are the Company’s own trade secrets left out of the list of Confidential Corporate Information? What, if anything, is the difference between “disseminating” and “divulging” something?
One very important fact is built into the definitions. It is the one referring to Miscellaneous Professional Services. It is perfectly clear that lawyers and law firms can fit on that list. Doesn’t that fact suggest that such actors might want to make sure that there are such lists potentially favoring them and that their confidential information is covered on policies like this one?
Definition: “Extortion Payments”
This phrase means “monies paid to a third party whom the Company reasonably believes to be responsible for a Network Extortion Threat,” provided that the Insurer has consented in writing, provided that the purpose of the payment is to terminate the Threat, and provided that the “Extortion Payments” do not exceed the amount of Business Interruption Income Loss the Insurer reasonably believes would have been incurred had such Extortion Payments not been made.
[One of the most important features of this definition is that it restricts the amount claimable by the Insured as equal to some normal expenses and Business Interruption Income Loss. Why would one think that the threat sums demanded would be restricted in this way? This policy leaves the insured uninsured over this sum, and it has nothing to do with the policy limits. One can envision a policyholder or its counsel demanding that this amount be eliminated by endorsement.
Another of the most important features of this definition is that it is the Insurer’s reasonable beliefs as to the amount of BI Loss that control the amount owed. One can easily imagine a policyholder or its counsel asking these questions: Why should it not be the reasonable beliefs of the Insured? Or a reasonable conclusion coming from an appraisal? Or a matter subject to “quickie” arbitration? (So far as I can tell there is no mandatory arbitration clause in the contract.) Perhaps the Insurer might respond that the contract of insurance articulates a long and complex method of calculating the amount in question and so renders all the policyholder’s problems matters of no concern. See the Conditions section VII.D.1. But wouldn’t the policyholder respond that if this were true, then why not leave the relevant calculations to the Insured?]
The Insuring Agreement
Now that the definitions have been spelled out (more or less), the actual terms of the agreement are easily formulated.
The first paragraph reads this way (pretty much): “The Insurer will reimburse the Company for any Extortion Expenses and Extortion Payments actually paid by the Company as the result of a Network Extortion Threat[.]”
The second and much longer paragraph reads this way (in brief part): “The Insurer will reimburse the Company for any reward paid to any person or entity, other than. . . for information leading to the arrest and conviction of any person who” is making or has made a Network Extortion Threat, provided that the Insurer has approved it in writing. [The emphasis is mine.]
[First, notice that “reimbursement” is the key idea regarding payment. Of course, this means that the Insured has to have spent the money first. Second, the Insurer is really running the show, since it must consent in writing. Third, the Insurer has no duty to reimburse if the person making the threat has not yet been convicted of making the threat. Fourth, the information must “lead to” “arrest and conviction”; one wonders what “lead to” might mean. It is part of a standard phrase in situations like this one. On the other hand, everything in insurance policies is open to linguistic debate. Given the number of times the word “direct” appears in the policy and given that it does not appear here, however, it seems relatively clear that perhaps it is to be concluded that the information need not lead directly to “arrest and conviction.” Then again. . . .]
As is often the case in this policy, there does not appear to be an exclusion peculiar to this insuring agreement. Narrow applications of these exclusions would be found in the definitions used in the exclusion. The exclusions in this policy, as usual, are (or at least appear to be) drawn from the so-called “real world” policies, or they are (or, again, at least appear to be) general and apply to several of the passages in the policy.
This is the most difficult insuring agreement of the 11 of them. I suppose there is always one like this in any group, but it reinforces the point that these policies may not simply be read thoroughly and then reviewed a bit by a coverage lawyer; they must be studied.
One of the principal functions of lawyers representing policyholders (or policyholders to be) is to advise them as to meaning. The answer must always be tentative and very guarded, and it must be explained to the client that all analyses just now are uncertain to an unusual degree. Advice of what to buy and how to think about what policy to purchase and/or what the client has in the policies it has purchased is crucial for the cyber lawyer. Many “Big Firms” have entire departments devoted to this; it seems to go with specialties in dealing with “Electronic Storage of Information.”
In addition, cyber policies have not been “around” long enough to have achieved anything like substantial and lasting stability. Clients should also be made to understand that the contents of the policies of different carriers may be strikingly different in a lot of different ways. In addition, the client must be made aware that these kinds of policies may well (and, indeed, are likely to) change at least somewhat every year for some time to come. This can only be done right if there is encyclopedic knowledge of the nuances in complex policy language and a high-level knowledge of the complicated, quilt-like structure of concepts to be found in the innards of the policies being discussed. Of course, both the complex language and the hidden substantive relationship will be far less than perfect
Originally posted on 10/07/2013 @ 7:03 pm