Corporate Cyber Incident Reporting To Cert-In
📌 What Are Corporate Cyber Insurance Claim Disputes?
A cyber insurance claim dispute arises when a corporation suffers a cyber‑related loss (e.g., data breach, ransomware attack, business interruption) and its insurer denies or limits the payout under a cyber insurance policy — triggering litigation or arbitration over coverage obligations, exclusions, policy interpretation, causation, or proof of loss.
These disputes are increasingly common because:
cyber incidents can be complex and multi‑faceted;
policy language is highly technical;
insurers frequently challenge coverage scope, exclusions, or conditions precedent; and
courts must interpret traditional insurance concepts in the cyber context.
📌 Why These Disputes Occur — Key Legal Themes
Cyber insurance disputes often turn on:
Interpretation of Policy Terms
Whether an event is a “covered loss,” “direct loss,” or within exclusions such as “act of war” or “war exclusion.”
Causation and Directness
Did the cyberattack directly cause the loss? Or was it an indirect consequence (e.g., human error vs. hacker actions)?
Exclusions and Definitions
Policies may exclude losses attributed to terrorism, nation‑state actors, or data held in cloud infrastructure.
Compliance and Preconditions
The insured must comply with specified cybersecurity controls, notification requirements, or risk‑management standards. Failure can lead to denial.
Notice and Reporting Conditions
Late or inadequate notice to the insurer often jeopardizes coverage.
Subrogation and Secondary Litigation
Once a claim is paid, the insurer might pursue third parties who allegedly caused or contributed to the loss — adding layers of dispute.
📌 Six Key Case Law Examples in Cyber Insurance Disputes
Below are six notable legal cases or litigation scenarios, each illustrating a different type of cyberinsurance dispute.
1. Mondelez International v. Zurich American Insurance Co. (Cyber “War Exclusion” Dispute)
Facts: Mondelez suffered a significant financial loss from the NotPetya ransomware attack. It filed a cyber insurance claim for losses but Zurich denied coverage, arguing that the NotPetya attack fell within the policy’s “war exclusion” because it allegedly had characteristics of cyber warfare.
Dispute: Whether a cyberattack attributable to state‑sponsored actors or analogous to cyberwarfare triggers a “war” exclusion in insurance policies.
Outcome (Reported): The dispute highlighted how defining “war” and “nation‑state action” in policy language is a major source of litigation in cyber claims.
2. Merck & Co. Cyber Insurance Litigation
Facts: Merck suffered roughly $1.4 billion in losses from the NotPetya malware attack that disrupted global operations.
Dispute: Insurers initially invoked “war exclusions” or other exclusions to avoid coverage.
Outcome: A U.S. court ultimately rejected the insurer’s invocation of the war exclusion, holding that NotPetya did not qualify as “war” under the specific policy language — resulting in coverage for Merck’s cyber losses.
Significance: This case demonstrates how court interpretation of cyber exclusions can make or break large corporate claims.
3. EMOI Services, LLC v. Owners Insurance Co. (Ransomware Does Not Cause “Direct Physical Loss”)
Facts: EMOI, an Ohio medical billing company, was hit by a ransomware attack that encrypted its systems, and it sought coverage under a policy providing coverage for “direct physical loss of or damage to electronic media or records.”
Dispute: The insurer denied coverage, arguing that intangible software and encrypted data did not constitute “direct physical loss” or damage.
Outcome: The Ohio Supreme Court agreed with the insurer — ransomware‑induced inaccessibility of data did not meet the policy’s definition of “direct physical loss.”
Significance: Shows how traditional insurance language may not readily fit cyber risks unless carefully drafted.
4. National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co. (Contrasting Ruling on Same Issue)
Facts: Similar to EMOI, National Ink & Stitch suffered a ransomware attack.
Dispute: Whether loss of access to computer data and systems due to ransomware constitutes a “direct physical loss” covered by the policy.
Outcome: A federal court in Maryland held that ransomware did cause a “direct physical loss,” contrasting with EMOI.
Significance: Highlights jurisdictional variations in how courts approach cyber insurance interpretations.
5. Swiss Federal Supreme Court — Ransomware Payment Coverage (4A_206/2023)
Facts: A Swiss company suffered a ransomware attack, paid the ransom, and sought reimbursement under a cyber insurance policy.
Dispute: The insurer argued it could refuse reimbursement due to alleged exposure to U.S. sanctions law.
Outcome: The Swiss Federal Supreme Court held that the insurer could not refuse to pay merely on the basis that reimbursement could expose the insurer to sanctions risk. The insurer remained obligated to pay under the policy.
Significance: Shows how international issues and sanctions concerns can complicate cyberinsurance disputes.
6. Cottage Health System v. Columbia Casualty Co. (Failure to Comply with Risk Controls)
Facts: Cottage Health System suffered a data breach and filed a claim under its cyber policy.
Dispute: The insurer denied coverage, alleging the insured failed to meet required minimum cybersecurity controls stipulated in the policy.
Outcome: The insurer sought a declaratory judgment that it was not obligated to defend or indemnify Cottage because of non‑compliance with policy conditions.
Significance: Affirms insurers’ ability to deny claims due to non‑adherence to policy conditions (e.g., controls, MFA, patching), and courts’ involvement in interpreting obligations.
Additional Litigation Trend — Social Engineering & Phishing Claims
7. Dentons Canada LLP v. Trisura Guarantee Insurance Co. (Social Engineering / Computer Fraud Rider)
Facts: A law firm paid over $2.5 million to fraudsters after an employee was misled, then claimed under its insurer’s Computer Fraud Rider.
Dispute: The insurer denied coverage, asserting that the loss was not “computer fraud” because no fraudulent instruction issued directly via computer caused the transfer, and the insured had declined the Social Engineering Fraud Rider.
Outcome: The court noted the absence of coverage for social engineering losses without the appropriate rider.
Significance: Highlights how endorsement selections and policy riders can determine coverage rights.
📌 Lessons Corporates Should Draw from These Disputes
🧠 1. Policy Wording Is Critical
The precise language (e.g., direct loss, exclusions, agents) will often determine coverage. Verify definitions carefully.
🔒 2. Maintain Required Controls
Insurers can successfully deny claims if the insured failed to implement required cybersecurity measures.
⏱ 3. Compliance With Notice Requirements
Strict timelines for notification and documentation are often conditions precedent to coverage.
💡 4. Exclusions Are Not Always Intuitive
Exclusions such as “war,” “nation‑state action,” or “physical damage” can be invoked even when the insured assumes it is covered.
⚖ 5. Courts Are Still Defining Cyber Terms
Different courts may take divergent views on whether, e.g., ransomware causes a “physical loss” or whether a cyberattack qualifies as terrorism — leading to inconsistent outcomes.
📌 Conclusion
Cyber insurance claim disputes are a rapidly evolving area of corporate litigation. Disputes often hinge on interpretation of policy language, causation linkage, compliance with cyber controls, and exclusions. The cases outlined above illustrate the many legal battlegrounds where corporations and insurers disagree — and where courts have played a decisive role in shaping coverage interpretations.