Fighting Cyber Insurance Denials Over the “Human Factor”

Joshua Gold


May 14, 2024


The ransomware attack against United Healthcare subsidiary Change Healthcare, which froze medical claims and payments throughout the United States for weeks, should serve as a wake-up call to all companies and organizations not only to maximize cyber defenses, but also to ensure that their insurance policies will respond to losses and liabilities stemming from a cyberattack. Policyholders should know that the “human factor” does not preclude cyber coverage, despite insurance companies routinely arguing that claims are barred or limited in coverage when employees, managers or other human beings factored into the losses suffered from a cyber incident.

For example, an early 2024 case involving a “layered” cyber insurance program sold to Southwest Airlines did not involve a hacker. Instead, it involved losses from a computer system failure that excess cyber insurance company Liberty Insurance argued were partly due to the airline’s management decisions. Specifically, after a three-day outage in 2016, Southwest submitted a cyber coverage claim for $77 million in losses from massive delays and disruptions to its operations.

The primary insurance company and three excess insurers paid the claim, but Liberty Insurance, the last layer in the tower, demurred. Southwest sought coverage for costs incurred through various programs and initiatives aimed at assisting the nearly half-million customers affected by the system failure, including:

  • FareSaver promotional codes disbursed to customers with cancelled flights or flights delayed more than two hours
  • Travel vouchers disbursed to customers with cancelled flights or flights delayed more than two hours
  • Cover refunds made by customer service agents to customers upon request to compensate for alternate travel arrangements 
  • Rewards points distributed to Southwest’s frequent flier program members with cancelled flights or flights delayed more than two hours  
  • Advertising costs for a week-long extension for a sale the airline had been promoting at the time of the system failure

Liberty Insurance denied Southwest’s claim, saying the airline’s discretionary management decisions caused the losses. The federal trial court agreed, concluding that “Southwest’s costs were not caused by the system failure but rather were the result of ‘various and purely discretionary customer-related rewards programs, practices and market promotions.’” On appeal, the United States Circuit Court of Appeals for the Fifth Circuit reversed the trial court and remanded the case for causation analysis.  

Southwest’s primary and excess cyber policies promised system failure coverage for “all loss…that an insured incurs…solely as a result of a system failure.” Liberty argued that “all five categories of costs that Southwest claimed were not incurred solely as a result of the system failure but rather were the result of Southwest’s subsequent business decisions,” adding that “Southwest acknowledge[d] that those costs were the result of business decisions.” Southwest countered that such business decisions and the accompanying losses were not excluded. The Fifth Circuit agreed with Southwest that such cost items could not be denied coverage as a matter of law under a “but for” causation test—that is, whether the costs in question would not have occurred “but for” the system outage. The appeals court remanded the case because the trial court failed to determine whether Southwest would have incurred any of these costs if the system outage had not occurred. Further, the Fifth Circuit refused to find specific insurance policy exclusions applicable to the insurance claim, ruling that Liberty’s definition of a “consequential damages” exclusion was so broad it would effectively make coverage illusory.

The Fifth Circuit’s Southwest decision has certain parallels to prior coverage claims for cyber losses, including the Second Circuit's oft-cited 2018 decision in Medidata Solutions v. Federal Insurance Company, in which the appellate panel refused to agree with the insurer Chubb that actions by certain employees severed the causation chain under a proximate cause analysis. The court rejected Chubb’s argument that oral confirmation by an employee was one of several intervening causes for cutting off computer fraud coverage to the policyholder. Similarly, in 2021’s G&G Oil Co. of Indiana v. Continental Western Insurance Co., the Supreme Court of Indiana rejected an insurance company’s argument that there was no coverage under a crime insurance policy for a ransomware attack where the policyholder’s executive “voluntarily” made a cryptocurrency payment to the hackers. The court noted that the ransom payment to the hacker was not voluntary but made under duress and thus did not bar insurance coverage.

The Eighth Circuit’s 2016 decision in State Bank of Bellingham v. BancInsure Inc. presents another example of a court rejecting an insurance company’s argument that human decisions or human error precluded coverage for a cyber loss. The court held that the bank was entitled to insurance coverage despite the insurance company’s argument that the bank’s loss was caused by a virus entering the system as a result of a bank employee’s breach of computer security protocols. 

These cases all highlight that cyber insurance policyholders should take any argument that employee actions, decisions or omissions somehow sever the chain of causation needed to demonstrate insurance coverage with a grain of salt. There can be coverage even when policyholders practice less-than-ideal cybersecurity hygiene or make decisions intended to mitigate losses. Catastrophic cyber breaches are grave and expensive, making it especially imperative that organizations prepare to navigate their way to coverage to weather these storms.

Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, published in 2022 by the Practising Law Institute.