Ransomware attacks are on the rise. Cyber criminals continue to exploit lax security measures, which have become more acute in the work-from-home environment, and hack into companies’ systems, encrypt their data, and then demand multimillion-dollar ransoms.
Though cyber insurance policies are designed to cover these losses, insurers have responded to the increasing size and frequency of these attacks by increasing premiums, skyrocketing self-insured retentions, narrowing policy terms, and more recently, advancing coverage defenses to avoid claim payments.
A case pending in a California federal court illustrates how insurers are changing their attitudes toward these claims.
In Boardriders, Inc. v. Great American Insurance Company (C.D. Cal., Docket Number 8:21-cv-1260), Boardriders Inc. (the parent company to apparel brands Billabong and Quiksilver) sought coverage under its cyber policy following a 2019 ransomware attack in which hackers shut down the company’s networks and demanded nearly $25 million for the decryption keys.
Boardriders contends that although it immediately tendered the claim to its insurer and expected immediate assistance, the insurer engaged in delay tactics by demanding detailed information and took eight months to issue a coverage position.