The University of California is suing insurance companies operating in the Lloyd’s of London market after they refused to make a cyber insurance pay-out following an cyberattack on the university’s health service. The attack in 2014 hit University of Los Angeles Health (UCLAH), which lost data belonging to over 4.5 million patients.
The regents, or board members, of the university have filed a case in the Los Angeles superior court, and are seeking damages from the unnamed insurers which are part of Lloyd’s, the London-based global insurance market.
Experts believe the length of time taken to settle the case could mean there are discrepancies between cyber protections the UCLAH had in place when the attack took place, and the level protections demanded by insurers.
Lloyd’s of London sued by the University of California
The attack on UCLAH took place in 2014, but the University of California didn’t discover the full extent of the breach until a year later, when it was revealed millions of users has had their data stolen. The university was subject to several class action lawsuits, and ended up paying out over $7.5m to victims.
However, when it came to approaching its insurers for reimbursement under their cyber insurance policies, the unnamed insurers, operating under the Lloyd’s of London umbrella, “repeatedly denied coverage” according to the court filing. The syndicates have claimed this is due in part to a statute of limitations, which passed in June 2021. They have also alleged that the university did not comply by the appropriate regulations laid out in the cyber insurance policy.
The university says it complied with the requirements of its policies, and says it has been denied the opportunity to open a dispute resolution policy with the insurers.
The length of time that has passed in this particular case is unusual, and may have led in part to the dispute, says Craig Dunn, head of cyber M&A insurance at Aon. He also believes the level of cover secured by the university may not have been sufficient, particularly as the cost of cyber insurance has risen sharply in recent years.
“For an entity of this size, if they declare they have certain controls in place and the reality is different, problems can arise,” Dunn says. “If you say you were driving a Corolla and you insured your Corolla, but in actual fact it was a Ferrari, you’re not going to get paid for the equivalent of the Ferrari.”
Do old cyber insurance policies pay out?
Other companies with older insurance policies have managed to secure pay-outs for high profile hacks, Dunn says. Retailer Target suffered a data breach that cost the company $100m in 2014, when attackers stole the credit card data of 400 million customers. It recovered $90m of this through its insurance.
Similarly, Capital One suffered a cyberattack in 2019 that resulted in the loss of personal data belonging to 106 million customers. The bank recovered $10m to cover some costs of the hack, albeit a small proportion of the $270m bill it ran up paying compensations
“There was lots of attacks back then that were still covered,” Dunn says. “It was just that the frequency was was fairly low then in comparison to now.”
These disputes can drag on for years, making statute of limitations issues common during cyber insurance policy claims, Sheilyn Pastor, head of the insurance coverage group at law firm McCarter & English, told the Wall Street Journal. Arguments between policyholders and insurers can be lengthy because assessing damages from an incident isn’t easy, she explained.
“You may not actually know if you’ve sustained a loss by virtue of the breach until a later point, and so you need to know the law, because it may be that there is something that has happened that extends your period, or that the period isn’t even running yet,” Pastor said.