A recent ruling by an Arizona Federal Court regarding cyber insurance set a precedent that cyber insurance claims shall be interpreted based on what the policy says it covers rather than what the policyholder believes is covered. The case, P.F. Chang’s Chinese Bistro v. Federal Insurance Co., concerned a 2014 incident in which P.F. Chang’s was the target of a cyber-attack and about 60,000 credit card numbers were stolen. P.F. Chang’s looked to its cyber insurer, Federal Insurance Co., to cover a $2 million charge in fees from its credit card service providers. Federal, however, denied the payment based on the restaurant chain’s policy, which contained a contractual liability exclusion. This exclusion led the Arizona Federal Court to side with Federal Insurance Co.
Contractual liability exclusions have existed in insurance policies for decades, but they are relatively new to cybersecurity. Aside from this aspect, assumption and misinterpretation seem to define this case, as P.F. Chang’s believed its costs would be covered because it had a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.” P.F. Chang’s, like many other companies, was treating cybersecurity as an entirely new beast, and while for the most part it is, cyber policies still tend to contain many of the old principles found in traditional policies. To avoid conflicts like this one in the future, cyber insurance providers need to write their policies in a simpler way, and policyholders must read through their policies with more diligence. Both sides of the equation need to work harder at making this new field of insurance more clearly understandable.