iDo you know what your insurance covers?
This is a deceptively simple question — risk managers rightfully expect to know the scope of their coverages when they build their insurance programs. Unfortunately, judicial interpretation of common policy terms can turn what should be a straightforward question into a morass of uncertainty.
This uncertainty is exemplified in recent case law interpreting cyber insurance policies. Many commercial cyber policies provide coverage for damages “resulting directly from” some underlying action, be it fraud, hacking, theft, etc. For example, ISO’s commercial cyber insurance policy states that “We will pay for ‘loss’ resulting directly from a ‘security breach’ ‘discovered’ during the policy period.”
Unfortunately, those three words – “resulting directly from” – can cause many complications. Insurers often interpret them to require an immediate connection between the breach and the loss (e.g., a hacker breaching a bank account to steal money). Under this restrictive interpretation, however, necessary and substantial costs associated with the hack could be left uncovered, such as crisis response costs, ransomware payments, and root cause analysis. Policyholders (rightfully) read the plain language of their coverage to include these costs, which are impossible to decouple from the underlying security breach.
Addressing this dispute, courts nationwide are split into two opposing camps: The “proximate cause” camp interprets a “direct” loss broadly to require only proximate causation. In contrast, the “direct means direct” camp interprets a “direct” loss strictly to require no intervening acts. For example, federal courts applying Pennsylvania, New Jersey, Louisiana, and Maryland law have all come down in the “proximate cause” camp. Meanwhile courts applying California, Virginia, Illinois, and Wisconsin law have come down in the “direct means direct” camp.
While differing substantive interpretations of the same policy language across different jurisdictions frustrates the goal of consistency for policyholders, it is at least foreseeable given the patchwork of jurisdictions applying the laws of 50 different states.
A Momentum Shift
In some jurisdictions the momentum may be shifting in favor of expanded coverage. In 2019 in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., the 11th Circuit rejected the “direct means direct” approach and applied the “proximate cause” standard under Georgia law to a commercial crime policy, finding that the “ordinary meaning of the phrase ‘resulting directly from’ requires proximate causation between a covered event and a loss, not an ‘immediate’ link.”
So, what does your policy cover?
The answer depends on what law applies. The inconsistent application of this common policy term creates a conundrum for policyholders that may have vastly expanded or constricted coverage under identical policy language. Therefore, it is critical for policyholders to be proactive, both when purchasing coverage and when bringing a claim, to understand the standard a reviewing court might apply to coverages, and plan accordingly by, for example, negotiating language consistent with the proximate cause approach or designating favorable governing law. When neither option is available, policyholders must be prepared for insurer attempts to narrowly interpret the phrase “directly resulting from” and recognize that the available coverage may be limited if the insurer prevails on the narrow interpretation.
