Portfolio Media, Inc. | 111 West 19th Street, 5th Floor | New York, NY 10011 | www.law360.com
Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com
Arbitration, Mediation Can Solve Cyber Insurance Disputes
By Daniel Garrie, Howard Miller and Yoav Griver (October 5, 2018, 3:34 PM EDT)
As the number of attempted and successful cyberattacks increases, interest in cyber
liability insurance increases as well. This is unsurprising. Cyber claims are increasing
every year,[1] and even one successful cyberattack could cause the exposure of
millions of confidential records and concomitant dollar losses. Many of these cyber
policies contain alternative dispute resolution provisions mandating that the parties
participate in binding or nonbinding mediation and/or arbitration in place of, or
prefatory to, litigation.[2] So, the question should be asked: When it comes to
cyber insurance claims, does ADR work? Should policyholders object to or fight the
inclusion of ADR clauses in policies of insurance covering cyber risks?
Litigation over ADR clauses in cyber policies is already happening, as policyholders
try to elide predispute ADR requirements contained in their cyber liability
policies.[3] Since such litigation may itself defeat the ADR goal of efficient
resolution of the dispute, it is useful to step back and consider some of the basic
policyholder objections to ADR provisions. In general, ADR features (1)
confidentiality protections that screen out media coverage; (2) no trial by jury; and
(3) restricted grounds for appeal.[4] Though often objected to by cyber
policyholders, these three factors may benefit them.
Consider, for example, ADR’s confidentiality protections. Policyholders often think
that publicity benefits them, as negative publicity could spur settlement by the
insurance company. In cyber situations, however, this potential benefit will likely be
far outweighed by the many and varied disadvantages of a public airing of the
dispute between policyholder and insurance company. Cyber coverage disputes
often involve an exchange of sensitive or confidential information of the
policyholder,[5] including weaknesses in its systems and cyberdefenses[6] and
alleged failure of due diligence in choosing what systems to implement and
maintain.[7] Indeed, depending on the type of coverage defense asserted,
discovery could lead to the exchange of damaging information about internal
processes and procedures and cyberdefenses, adequacy of funding for
cyberdefense, quality of decision-making processes and existence of other system
vulnerabilities. A prudent policyholder may not want these facts, and coverage about the extent of its
available insurance, publicly available as it deals with the civil litigations, regulatory scrutiny and
second-guessing that often accompany a cyberbreach.[8] Likewise, a policyholder may not want to risk a
public and precedential court ruling that its defenses are inadequate, or misrepresented or not properly