The University of California has taken legal action against Lloyd’s of London, accusing the insurance marketplace of refusing to reimburse the university system for the costs incurred from data breaches covered in a cyber insurance policy. The dispute stems from a cyber attack that occurred between 2014 and 2015, which resulted in the exposure of personal information of patients at UCLA Health.
According to a complaint filed with the Los Angeles Superior Court, the university claims that underwriters at Lloyd’s have repeatedly denied coverage for losses stemming from the incident. The university had to spend millions of dollars to address the attack, including notifying affected individuals, mitigating the breach, and defending and settling lawsuits filed by patients.
The dispute centers on the statute of limitations for filing claims. While the underwriters argue that the university failed to comply with the cybersecurity provisions of the policy, the university disputes this claim. The lawsuit, titled Regents of the University of California v. Certain Underwriters at Lloyd’s, is currently pending in the California Superior Court (Los Angeles).
The university argues that the underwriters’ assertion that the statute of limitations expired in June 2021 is incorrect. In its complaint, the University of California also accuses the underwriters of refusing to follow the alternative dispute resolution procedure required by their own policy, citing a “meritless statute of limitation defense.”
This lawsuit between the University of California and Lloyd’s of London sheds light on the evolving cyber insurance market. In recent years, the frequency and severity of cyber attacks, such as ransomware, phishing, and denial-of-service attacks, have significantly increased. As a result, the demand for cyber insurance coverage has risen, leading to changes in coverage conditions.
Cyber insurance policies have become more diverse, complex, expensive, and difficult to qualify for. This poses new challenges for cybersecurity professionals, including Chief Information Security Officers (CISOs), who are responsible for optimizing their organization’s cyber insurance investment.
The outcome of the University of California’s lawsuit against Lloyd’s of London could have implications for the interpretation of limitation legislation in the cyber insurance context. It will also shed light on the interpretation of contract terms relating to claims in such cases.
Paul Watts, a distinguished analyst at the Information Security Forum, believes that this case will set precedents and provide insights into how limitation legislation is interpreted and contract terms are applied. The cyber insurance landscape is constantly evolving, and legal disputes like this one serve as indicators of the challenges faced by organizations seeking cyber insurance coverage.
As the threat landscape continues to evolve, organizations must stay vigilant in their cybersecurity measures and carefully consider their cyber insurance policies. The case between the University of California and Lloyd’s of London exemplifies the need for organizations to thoroughly understand and comply with the provisions of their cyber insurance policies. Additionally, they must be prepared to navigate potential disputes to ensure they receive appropriate reimbursement in the event of a cyber attack.

