Part one of this two-part series addressed the importance of limiting exposures in a cyberattack, because it is no longer a matter of if an attack will occur, but when. That approach allows an organization to identify points of entry, increase training for personnel (since they are frequently the exploited link) and take other preventative measures. However, when the inevitable cyberattack occurs, subrogation is one way to lessen the financial impact for an insurer.
Cyber subrogation: Who’s ultimately liable?
To end up in subrogation, it’s naturally going to be a multi-party (read: complex) matter. At the end of the day, there is a third party (or multiple third parties) involved whose actions or inactions allowed the breach or cyber incident to occur to the insured company.
Consider the following scenario:
ABC Corp. is a national apparel retailer. Sales are carried out through a network of local kiosk owners in shopping centers throughout the country who rely on ABC for sales support, back-office administrative support and payment processing. ABC hires a nearby IT company to provide managed services along with PCI compliance and general data security compliance. The IT company fails to maintain ABC’s systems and, on November 15th, ABC suffers a ransomware attack orchestrated by the Conti group.
The attack cripples ABC systems and the threat actors claim to have exfiltrated 50G of data, including customer payment data. As a result of the attack, kiosk owners are significantly affected. The owners (i) cannot process payments as cash transactions are limited, forcing many to close, and (ii) are not getting new merchandise shipments for the holiday shopping season because orders cannot be placed or shipped.
After three weeks, the systems are restored, but ABC determines the threat actors exfiltrated payment card and mailing list data of customers. ABC promptly notifies 2 million customers on December 10, many of whom express anger at the local kiosk owners.
This scenario offers many pathways to understanding how a claims adjuster could approach subrogation by first determining the path of insurability and second, determining who’s responsible and who’s liable for the ultimate loss.
In our scenario, the insured is the retailer and a claims adjuster would want to establish the ownership interest between the kiosk owners and ABC Company. When there’s a franchisee and a franchisor, there’s typically an agreement that speaks to the ownership, processing, and security of customer information. Typically, the franchisor wants to own all of the customer information. Franchisors also tend to dictate the POS system, which in the case of the retailer probably also includes inventory management and logistics. This is the case with our insured, ABC.
So, even if ABC Co. doesn’t own the kiosks, their systems are connected to ABC’s systems and they are processing the personal information of customers. Who’s really responsible then? The franchisor or the franchisee? That’s where subrogation could possibly come into play. But then there’s the IT company that manages ABC’s POS system. Who brought in the IT company? Was it the franchisor? Were they required or chosen? This is yet another wrinkle that will come into play.
The story of ABC Co. is a typical ransom scenario. The adjuster would want to consider the total loss incurred across legal, forensics, notifications, PCI investigation and penalties, identity monitoring, public relations, data recovery, replacing/updating systems and equipment, business income, paying the demand, being sued, and doing the regulatory work. Most insuring agreements cover these categories of loss. If it costs the insurer $10M, it becomes the goal of the adjuster to subrogate and get that money back.
Every loss triggered under the insuring agreement in this scenario is linked back to the security failure and/or the loss of the private information. In this case, it’s intertwined. The adjuster may determine that this wouldn’t have happened but for the IT vendor.
Business interruption losses add to the equation
The business interruption loss in the scenario described above will consider the net profit or loss that would have been earned, plus the normal operating expenses that must necessarily continue during the period of restoration. The business interruption loss measurement will begin eight hours after the ransomware attack interrupts ABC’s business operations and run through the period of restoration, which ends when ABC’s system is restored. In this case, it is determined that the period of restoration will be three weeks.
The forensic accountant will be measuring the income loss resulting from the inability of ABC’s kiosk owners to conduct business. In addition, ABC is turning to its policy for the future loss of income resulting from its inability to place orders for the holiday season. In this case, there are several considerations that the forensic accountant will have to contemplate and discuss with the carrier as they relate to the application of the policy.
- Should the carrier determine that the period of restoration ends on the date and time that the systems are restored, does this preclude the forensic accountant from considering the future loss of income that may occur due to reduced inventory levels at the kiosks resulting in their inability to fulfill demand anticipated to occur during the holiday shopping season?
- Can the forensic accountant consider the immediate increase in sales experienced at various kiosks once the system is restored and the kiosks begin operations? Will the carrier consider the increased sales as “make-up” or “delayed revenue,” and if so, what is the reasonable length of time to include these increases as an offset to lost sales?
- Does the policy’s Dependent Business Loss clause respond to the businesses selling the merchandise to ABC’s kiosks for the orders that were not placed? In this case, if coverage is determined for the Dependent Business Loss, it will be subject to a sub-limit.
The policy in this case will also respond to the consequential reputational loss, which is measured over the notification period: the 30-day period beginning on December 10, when the two million customers are notified. The forensic accountant will be measuring the income loss that ABC is prevented from earning as a direct result of the damage to ABC’s reputation caused by the actual security breach. The analysis of the income loss for this period will be complicated by the potential loss of income experienced due to reduced inventory levels because of the inability to place orders.
ABC Co. will do whatever is reasonably necessary to secure the insurer’s rights of recovery and is obligated not to prejudice them. The documentation and information provided by ABC Co. serve as the basis of the forensic accountant’s business interruption calculation. This documentation and information, along with the forensic accountant’s analysis, will serve as the basis of the recoveries sought in subrogation, specific to the business interruption and any extra expenses. The forensic accountant can anticipate that their analysis will fall under the scrutiny of the IT company’s insurance carrier, and it may be necessary for the forensic accountant to provide further explanation and basis for their business interruption calculation.
The path to successful subrogation
How can the insurer in this case successfully find their way through a cyber subrogation? In this fictitious example of ABC apparel company, once the payments are made by the carrier, it is likely the insurer is going to move forward with their rights of recovery in subrogation against ABC’s IT company.
Here, we offer three considerations:
- Contracts: Does the contractual language with the third party favor you or prohibit you from going after the money?
- Evidence: Do you have evidence that the third party was at fault?
- Ability to pay: Does the third party have the ability to pay? Do they have room in their E&O policy to cover the loss?
Cybersecurity risks are real. The uncomfortable feeling insurers have is real. And when a loss occurs, it really boils down to two things for insurers: whether to pay and whether you can get your money back. As the scenario in this article shows, it’s not always a straightforward process, but with some basic considerations at hand, adjusters can make smarter decisions about how to proceed.
Danielle M. Gardiner, CPA, CFF, is senior vice president of Lowers Forensics International. Joseph Lazzarotti is an attorney at law with Jackson Lewis P.C. Special thanks to Shiraz Saeed, vice president – cyber risk product leader at Arch Insurance Group, for his contributions.
Disclaimer: This article should be considered for general information purposes only, represents the personal views of the authors and contributors within, and does not reflect the views of Arch Insurance Group.