The recent ruling in T-Mobile USA, Inc. v. Steadfast Insurance Company signals several good indicators for policyholders. A straight-up win for the policyholder, the case held that the insurance company could not reap the benefits of the policyholder’s successful efforts to recover part of its loss from third parties. That holding alone clarifies that cyber insurance policies are meant to protect policyholders. Further, it indicates that policyholders should be made whole before insurance companies can recoup monies paid as coverage.
In the case, T-Mobile had suffered a $17.3 million loss from a cyber-security breach that was covered under its cyber insurance policy. The policy had a $10 million retention or “SIR” that T-Mobile absorbed before the policy paid the remaining $7.3 million in coverage. By pursuing its vendor for indemnity, T-Mobile recovered $10.75 million. The insurance company then claimed that it did not owe any coverage, arguing that T-Mobile’s “loss” did not exceed the retention. The court disagreed and held that the recovery from a third party could be applied to the retention and did not eliminate T-Mobile’s “loss.”
The case indicates that cyber policies are covering losses and, when an insurance company refuses to provide coverage, the policies can be enforced in court. The facts of the case illustrate the growing complexity of cyber incidents, that increasingly involve numerous parties with different losses. T-Mobile was able to hold a vendor liable by relying on and enforcing contractual indemnity obligations. Policyholders should pay attention to such indemnity provisions in their contracts. These provisions may help make higher deductibles more palatable, because they can be enforced as first-dollar obligations from vendors or other business partners. The contractual insurance requirements that go hand-in-hand with those indemnity provisions–requiring the vendor or business partner to have responsive insurance in place–can be of equal importance. Often the expectation is that such insurance policies will pay for the contractual indemnity obligations.
As the cyber insurance market continues to harden, policyholders can expect insurance companies to dispute coverage. Policyholders also can help spread or transfer their risk by looking to the indemnity provisions in their commercial contracts and, potentially, to the insurance policies backing up those contractual obligations. The T-Mobile case is an excellent, if hard-fought, example of those protections the policyholder put into place being enforced to provide the expected recoveries.