Lawsuit claims Lloyd’s of London refused to reimburse the university system for the costs of data breaches covered in a cyber insurance policy.

Credit: Brian Turner

The University of California has filed a lawsuit against insurance marketplace Lloyd's of London. It claims that the company has refused to reimburse the university system for the costs of data breaches covered in a cyber insurance policy, with Lloyd's of London asserting that the statute of limitations applying to the claims had expired.

The dispute relates to a cyberattack from 2014/15 that exposed personal information of patients at UCLA Health. The university paid millions of dollars to notify targets of the attack, limit it, and defend and settle lawsuits filed by patients. However, 26 Regents of the University of California state that underwriters at Lloyd's have "repeatedly denied coverage" for losses from the incident, according to a complaint filed with the Los Angeles Superior Court. This is based solely on a "supposed" condition to coverage that is not referenced in either of the insuring agreements under which the university seeks most of its losses, the complaint read. The story was earlier covered by the Wall Street Journal.

Underwriters argued University of California failed to comply with policy provisions

The defendants named in the suit are associations of underwriters, known as "syndicates," operating in the Lloyd's of London insurance market in the UK. The underwriters have previously argued that the University of California did not comply with cybersecurity provisions of the policy, which the University has denied. The case is Regents of the University of California v. Certain Underwriters at Lloyd's, 238TCV14642, California Superior Court (Los Angeles).

The University of California claimed that the underwriters' argument that the statute of limitations for any coverage claim expired in June 2021 is incorrect, according to the complaint.

"Defendants have also refused to follow the alternative dispute resolution procedure required by their own policy based on a meritless statute of limitation defense," the complaint read.

Lawsuit reflective of a changing cyber insurance market

The cyber insurance landscape has seen significant change recently. As the frequency and severity of ransomware, phishing, and denial-of-service attacks have increased, demand for and conditions relating to coverage have evolved. Policies are becoming more diverse, complex, expensive, and harder to qualify for, presenting CISOs and their organizations with new challenges and considerations for optimal cyber insurance investment.

The University of California/Lloyd's of London case will be interesting in terms of setting precedents on how limitation legislation is interpreted in this context, along with the interpretation of contract terms upon any claim, Paul Watts, distinguished analyst at the Information Security Forum, tells CSO. There are two key areas it should draw attention to for businesses: reading/interpreting the small print of cyber insurance policies, and the importance of good and proactive communication between organizations and their insurers, Watts says.

"Be clear what stipulations, prerequisites, and requirements are set alongside your policy, and ensure you can meet them (and evidence them). Keep them regularly reviewed and work with your insurer to keep them refined at the time of policy update or renewal. If these carry with them a degree of subjectivity, it's best to get the clarification up front - otherwise you'll find yourself having to negotiate and argue in the middle of a claim, which is the last thing you want to be doing."
Should a business be unfortunate enough to face a significant loss event, the earlier it can engage with insurers, the better and more efficient the management of that claim will be, he adds. "It will be interesting how the limitations aspect of the case pans out; in the eyes of the law, just how long is too long to make a claim? The outcome of the case will certainly have a downstream impact on the market, so this is one to watch with interest for sure."

Last August, Lloyd's of London announced it would be introducing cyber insurance exclusions to coverage for "catastrophic" state-backed attacks from 2023. The company said it will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements.

Statute of limitations complexity is significant

Complexities relating to the statute of limitations are significant in this case, Ed Ventham, co-founder of UK-based cyber insurance broker Assured, tells CSO. The statute of limitations refers to a legal principle that sets a specific period during which a company can file a lawsuit or be prosecuted for a particular offence, he says. "Once the statute of limitations expires, the company loses the right to bring a legal claim or seek criminal charges for that specific incident."

The purpose of a statute of limitations is to ensure that legal matters are resolved in a timely manner, and its duration varies depending on the jurisdiction and the type of legal action, Ventham adds. "Given that the claim took place in 2014/15, it would seem likely that the statute of limitation has expired and therefore would render any rights to that previous policy void. If there were a dispute, the requirement would have been to bring it to the underwriters' attention within the statute of limitation, which according to the defendants, was not done.
From the evidence on show, I cannot see that this will be another catalyst for change within the cyber insurance market."