ADVENTURES IN CYBER LITIGATION: FROZEN CRYPTO-ASSETS AND THE ROLE OF CYBER INSURANCE
For some time, cyber exposure has been at or near the top of every major company’s risk register. And with good reason: IT infrastructure is fundamental to business in the digital age, there is a high frequency of major cyber attacks, large organisations invariably hold large quantities of personal data in electronic form, and substantial fines and civil claims are increasingly commonplace for data breaches.
To protect against this exposure and mitigate the impact of adverse cyber incidents, insurance companies have developed cyber cover – a modular insurance product covering a range of losses such as liability for damages, legal and PR costs, as well as ransom payments. From a litigation perspective, this means that there may be insurance available to meet defence costs and awards of damages following group litigation order (GLO) claims (as in Various Claimants v WM Morrison Supermarkets plc) or representative actions (as in Lloyd v Google LLC).
Similarly, a cyber insurer may step in to pay a ransom in return for a decryption key, where a victim’s system is compromised by ransomware or similar malware. However, whether they are standing behind insureds (in a defence situation) or meeting ransom payments (in an extortion situation) insurers are important players in the growing prevalence of cyber litigation.
Until recently, there had not been an example of a cyber insurer actively participating in a recovery action. Although CMOC v Persons Unknown provided a very clear demonstration of the steps which a cyber attack victim may take in order to recover stolen assets, in that case there was no insurer involvement (as far as can be seen from the judgment).
However, following AA v Persons Unknown & Ors, there is now an equivalent example of a cyber insurer making new law and extending the limits of English civil procedure to achieve a similarly positive result.
Apr-Jun 2020 issue
Norton Rose Fulbright LLP