Category Legal Affairs

Beware of Accidental Cyber Coverage

02 February 2023 Keaoleboga Molefe, Norton Rose Fubright

A US appeals court reversed a judgment of the lower court which had declined to read-in cyber coverage in a commercial general liability policy.

The insured operated retail properties and took out a commercial general liability policy (“the CGL Policy”) with the insurer.

During the periods of May 2014 and December 2015 the insured’s credit card system was breached by hackers who obtained unauthorised access to customers’ information from their Visa, MasterCard, and the bank (point-of-sale-system service providers) which issued the customers’ credit cards. This occurred across 14 of Landry’s locations. The credit cards became unusable in the hands of its customers because the information on the cards was compromised. The hackers published the information and used same for illicit activity.

The insured was sued by the point-of-sale-system service providers for $20 million for breach of contract. The insured had failed to follow all programs that protected the service providers from incurring direct liability from any data-breach-related losses.

The insured lodged a claim with its insurer and the claim was rejected by the insurer on the basis that the cyber loss was not covered. The court found that the CGL policy included indemnification for the cyber breach. In interpreting the CGL policy the panel considered the following wording:
“the insurer will pay those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury” for loss arising from “oral or written publication, in any manner, of material that violates a person’s right of privacy”

The court held that the inclusion of cover for losses resulting from “publication” should be read to include exposing or mere transmission of information even by third-parties (hackers). The court embraced the broadest possible plain meaning of “publication”.

Any ambiguity in the CGL policy was deemed to be resolved in favour of the insured and the claim was payable by the insurer.

The decision is based on an older policy and the latest CGL policies of the insurer have adequate exclusions to prevent cyber liability coverage.

How cyber proof is your policy wording?

Landry’s, Inc. v. The Insurance Company of the State of Pennsylvania, No. 19-20430 (5th Cir. 2021) the U.S. Court of Appeals for the Fifth Circuit

First published by: Financial Institutions Legal Snapshot

Quick Polls


In navigating the dynamic landscape of financial intermediaries in 2024, which strategy do you believe is most crucial for success?


Prioritising client needs
Embracing technological advancements
Staying abreast of regulatory developments
All of the above
fanews magazine
FAnews February 2024 Get the latest issue of FAnews

This month's headlines

On the insurance industry’s radar in 2024
Insurers, risk managers unsure of AI’s judgement credentials
Is offshore the place to be in 2024?
Gap claims: erosion of medical benefits, soaring specialist fees
Investments and retirement… is conventional wisdom under threat?
Subscribe now