Can Cyber Insurance Recovery from a Third Party Satisfy a Self-Insured Retention?

Joshua Gold


December 27, 2022

Cyber Insurance Claims

When a particular source of business risk escalates, and insurance claims for losses stemming from that risk rise accordingly, insurance industry response is generally threefold: more exclusions, more claims denials, and higher premiums/retentions.

Cyber insurance appears to have hit that trifecta. According to the Hiscox 2022 Cyber Readiness Report, median losses stemming from cyberattacks increased by 90% in the United States in 2022. The median rate increase for cyber coverage in Q1 2022 was 37%, according to a May 2022 insurance market report by Gallagher, and retentions have risen accordingly. And as noted in our last Fine Print column, Lloyd’s of London has responded to judicial rulings finding war risk exclusions inapplicable to cyberattacks by prodding syndicates to impose certain exclusions for state-backed cyberattacks.

As the terrain has become more perilous, companies increasingly seek indemnification from outside service providers or business partners to whom a data breach can be traced. In a global economy, businesses necessarily outsource core processes, participate in global supply chains, and rely on multiple partners to process transactions. In a 2021 Ponemon Institute survey, 51% of respondents said their companies had experienced a data breach caused at least in part by third parties.

Tapping All Sources to Cover Data Breach Costs

When a company determines that a third party is responsible for a breach, it will seek, and can obtain, compensation. Can a successful recovery from a vendor or other third party be used to cover an insurance policy retention? In one recent cyber insurance coverage dispute, the insurance company said no, but last month, a state appeals court ruled otherwise.

In that case, T-Mobile USA Inc. v. Steadfast Insurance Co., T-Mobile sought coverage in the wake of a data breach for claims arising from privacy class action litigation and “inquiries from the Federal Communications Commission, the Federal Trade Commission, and state attorneys general.” Under a cyber insurance policy sold by a unit of Zurich, T-Mobile self-insured the first $10 million of any cyber loss, and Steadfast covered the next $15 million. T-Mobile sued Steadfast for refusing to cover its share of the approximately $17.3 million in costs and expenses related to the breach.

Steadfast argued that there was no coverage because the policyholder had received partial indemnity, $10.75 million, from another party, Experian, which when added to T-Mobile’s $10 million self-insured retention, exceeded the total loss. The trial court rejected this position, and the insurance companies appealed. On November 29, a three-judge panel of the Washington State Court of Appeals upheld the trial court, concluding that the covered $17.3 million loss attached above the $10 million self-insured retention, and Steadfast could not “set off” T-Mobile’s recovery from Experian to avoid covering the remainder.

The appeals panel rejected Steadfast’s assertion that Experian’s payment “absolved” the insurance company of its duty to pay losses in excess of T-Mobile’s retention:

“the Experian recovery did not ‘absolve’ T-Mobile from payment because it did not set free or release T-Mobile from its obligation to pay the costs and expenses it incurred from the data breach. T-Mobile remained directly liable for those obligations and paid them in full. Experian then reimbursed T-Mobile for some of those data-breach-related costs and expenses T-Mobile already paid. We conclude that the policy does not exclude as a covered loss the $10.75 million T-Mobile recovered from Experian.”

The appellate court’s decision is an important reminder that, on occasion, policyholders will have to fight for their coverage with one or more insurance companies in one or more courts, even when they suffer a cyber claim that is clearly covered under the terms of their dedicated cyber insurance policy. It is also important to remember that many insurance policies covering cyber risks will cover some or all of the costs involved with regulatory suits, inquiries and investigations.

Leaving aside the retention issue, T-Mobile’s losses were squarely within the cyber policy’s coverage grant. T-Mobile’s coverage for “Loss” under the cyber insurance policy included “punitive, exemplary, or multiple damages, or…civil fines, sanctions, or penalties imposed pursuant to Privacy Regulations or resulting from a Regulatory Proceeding…; and…Consumer Redress Funds.” The cyber policy also covered “Privacy Breach Costs,” which the policy defined as “the reasonable and necessary fees, costs, charges and expenses incurred…for the purposes of retaining an accountant, attorney, public relations consultant or other third party” to investigate the cause, determine indemnification obligations, effect compliance with privacy regulations, notify affected individuals, manage public relations, and procure credit monitoring services.

The appeals court panel found that the evidence showed that the policyholder had incurred substantial “costs tied to responding to government regulatory agencies, defending itself in numerous underlying lawsuits, defending itself against Experian, and prosecuting its indemnification claim in the Experian arbitration” after the data breach.

Takeaways from the T-Mobile Decision

Companies preparing to maximize recoveries for losses stemming from a cyberattack can take several lessons from the T-Mobile case.

First, as breaches often originate with a cloud service provider, payment processor or other third party, make sure that service contracts contain indemnity agreements that will enable recovery from at-fault contractors, and that, where appropriate, your company is named as an additional insured on vendors’ insurance policies.

Second, seek a cyber insurance policy that does not expressly bar paying a deductible or self-insured retention with money recovered from a third party. Many cyber policies do have such provisions. The Zurich/Steadfast policy did not.

Third, when a cyber loss is suffered, consider multiple lines of insurance coverage and provide notice to all potentially responsive policies as soon as possible. This is essential because a single insurance company is seldom willing to cover all aspects of the loss. It is especially true where an incident produces both first-party cyber loss and liability to regulators, class action plaintiffs and other third-party claimants. In fact, the cyber claims process these days often entails multiple insurance companies inquiring about other lines of insurance that the policyholder may have purchased. Take a cue from such inquiries, and promptly notify all potentially responsive policies in the wake of a cyberattack.

Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, published in 2022 by the Practising Law Institute.