Minnesota Cyber Insurance Exam

By InsureTutor Exam Team

Here are 14 in-depth Q&A study notes to help you prepare for the exam.

Explain the “failure to patch” exclusion commonly found in cyber insurance policies, detailing the insured’s responsibilities regarding software updates and the potential legal ramifications under Minnesota law for neglecting critical security patches.

The “failure to patch” exclusion in cyber insurance policies typically denies coverage for losses resulting from vulnerabilities that could have been prevented by applying readily available software updates or security patches. Insureds have a responsibility to maintain reasonable security measures, which includes promptly installing patches released by software vendors. Neglecting to do so can be seen as a failure to exercise due diligence. Under Minnesota law, specifically the Minnesota Data Security and Breach Notification Act (Minn. Stat. § 325E.61), businesses are required to implement and maintain reasonable security procedures and practices to protect personal information. Failure to patch known vulnerabilities could be interpreted as a violation of this act, potentially leading to regulatory action and civil lawsuits, in addition to the denial of an insurance claim. The insured must demonstrate a proactive approach to security, including a documented patch management process, to avoid this exclusion.

Discuss the implications of the “war exclusion” within a cyber insurance policy, particularly in the context of state-sponsored cyberattacks. How does the attribution of an attack to a nation-state impact coverage, and what legal precedents exist in Minnesota regarding the interpretation of war exclusions in insurance contracts?

The “war exclusion” in cyber insurance policies typically excludes coverage for losses arising from acts of war, including cyberattacks conducted by or on behalf of nation-states. Attribution of a cyberattack to a nation-state can be complex and often relies on intelligence assessments. If an attack is deemed an act of war, the exclusion may apply, potentially denying coverage. Minnesota legal precedent on the interpretation of war exclusions in insurance contracts is limited where cyber incidents specifically are concerned. However, general contract law principles would apply, requiring a clear and unambiguous definition of “war” in the policy. Ambiguity would likely be construed against the insurer. The insured bears the burden of proving that the loss falls within the policy’s coverage, while the insurer bears the burden of proving that an exclusion applies. The evolving nature of cyber warfare poses challenges in applying traditional war exclusions to cyber insurance claims.

Explain the concept of “betterment” in the context of cyber insurance claims. How is betterment applied when replacing or upgrading compromised systems after a cyber incident, and what are the implications for the insured’s cost recovery under the policy?

“Betterment” in cyber insurance refers to improvements made to a system during restoration after a cyber incident that result in the system being more valuable or resilient than it was before the incident. Insurance policies generally aim to restore the insured to their pre-loss condition, not to provide a windfall. Therefore, insurers may deduct the cost of betterment from the claim payment. For example, if a compromised server is replaced with a newer, more powerful model, the insurer might only cover the cost of replacing it with a server of similar specifications to the original. The insured would bear the additional cost of the upgrade. The specific application of betterment clauses varies by policy. Insureds should carefully review their policy language to understand how betterment is defined and applied. Minnesota law generally favors clear and unambiguous contract terms, so the policy language will likely govern.

Describe the “social engineering” coverage typically offered in cyber insurance policies. What types of fraudulent activities are covered under this provision, and what steps can an insured take to mitigate the risk of social engineering attacks to ensure coverage is not jeopardized?

“Social engineering” coverage in cyber insurance policies typically covers losses resulting from the intentional manipulation of individuals within an organization to perform actions that compromise the organization’s security, such as transferring funds to a fraudulent account. Covered activities often include phishing, business email compromise (BEC), and other forms of deception. To mitigate the risk of social engineering attacks and ensure coverage is not jeopardized, insureds should implement robust security awareness training programs for employees, establish multi-factor authentication for critical systems, verify payment requests through multiple channels, and implement strict internal controls. Insurers often require insureds to demonstrate reasonable security measures to qualify for social engineering coverage. Failure to implement such measures could be considered a breach of the policy’s conditions, potentially leading to a denial of coverage. Minnesota Statutes Chapter 325E addresses deceptive trade practices, and social engineering attacks could fall under these provisions, potentially leading to legal action against the perpetrators.

Discuss the role of “incident response” coverage in a cyber insurance policy. What expenses are typically covered under this provision, and how does the insurer’s pre-approved panel of vendors influence the insured’s choice of incident response providers?

“Incident response” coverage in a cyber insurance policy typically covers expenses associated with investigating and remediating a cyber incident. This can include forensic investigation, legal consultation, public relations, data breach notification costs, and credit monitoring services for affected individuals. Many insurers maintain a pre-approved panel of incident response vendors. While insureds may have the option to use their own vendors, using a panel vendor often streamlines the claims process and ensures that the insurer will cover the associated costs. Using a non-panel vendor may require prior approval from the insurer, and the insurer may limit the coverage available. The specific terms and conditions regarding vendor selection are outlined in the policy. Minnesota law requires insurers to act in good faith when handling claims, so insurers cannot unreasonably restrict the insured’s choice of vendors. However, insurers can impose reasonable requirements to control costs and ensure the quality of services provided.

Explain the concept of “cyber extortion” coverage within a cyber insurance policy. What conditions must be met for a ransom payment to be covered, and what are the potential legal and ethical considerations associated with paying a ransom demand?

“Cyber extortion” coverage in a cyber insurance policy typically covers ransom payments demanded by cybercriminals in exchange for restoring access to encrypted data or preventing the release of sensitive information. For a ransom payment to be covered, the policy usually requires the insurer’s consent before the payment is made. The insurer will typically assess the potential costs and benefits of paying the ransom versus other recovery options. Legal and ethical considerations associated with paying a ransom demand include the potential for encouraging future cybercrime, violating anti-money laundering laws, and funding terrorist organizations. The Office of Foreign Assets Control (OFAC) has issued advisories regarding the potential sanctions risks associated with facilitating ransomware payments to sanctioned entities. While Minnesota law does not explicitly prohibit ransom payments, businesses must comply with all applicable federal laws and regulations. Insurers may also require insureds to implement enhanced security measures after a ransom payment to prevent future incidents.

Describe the “business interruption” coverage offered in cyber insurance policies, focusing on the “period of restoration.” How is the period of restoration defined and measured, and what factors can influence the duration of business interruption coverage following a cyber incident?

“Business interruption” coverage in cyber insurance policies typically covers lost profits and extra expenses incurred as a result of a covered cyber incident that disrupts the insured’s business operations. The “period of restoration” is the timeframe during which business interruption losses are covered. It typically begins on the date of the incident and ends when the insured’s business operations have been restored to their pre-loss condition, with reasonable speed and diligence. The definition and measurement of the period of restoration can vary by policy. Factors that can influence the duration of business interruption coverage include the complexity of the IT systems, the severity of the incident, the availability of replacement equipment or data backups, and the efficiency of the incident response and recovery efforts. Insurers may require the insured to provide detailed documentation of lost profits and extra expenses to support their claim. Minnesota law requires insurers to act in good faith when assessing business interruption claims, considering all relevant factors and providing a reasonable basis for their coverage decisions.

How does the Minnesota Consumer Data Privacy Act (MCDPA), if enacted, potentially influence the underwriting process for cyber insurance policies, particularly concerning the assessment of data security practices and potential liabilities related to consumer data breaches?

The potential enactment of the Minnesota Consumer Data Privacy Act (MCDPA) would significantly impact cyber insurance underwriting. Insurers would need to evaluate a prospective client’s compliance with the MCDPA’s data security requirements, including reasonable security measures to protect consumer data. This assessment would involve scrutinizing data governance policies, data minimization practices, and data breach response plans. The MCDPA grants consumers various rights, such as the right to access, correct, and delete their personal data. A failure to uphold these rights could lead to lawsuits and regulatory penalties, which cyber insurance policies may need to cover. Underwriters would need to assess the potential financial exposure related to these liabilities, influencing premium pricing and policy terms. Furthermore, the MCDPA’s enforcement mechanisms, including potential civil penalties, would need to be considered when determining coverage limits and exclusions. The MCDPA is modeled after other state privacy laws, such as the California Consumer Privacy Act (CCPA), and insurers can draw on experience with those laws to prepare for the MCDPA.

Explain the interplay between the Minnesota Information Security Act (MISA) and the data security requirements stipulated by the Payment Card Industry Data Security Standard (PCI DSS) in the context of a cyber insurance claim involving a data breach at a Minnesota-based e-commerce business. How might non-compliance with either MISA or PCI DSS affect the insurer’s obligations?

The Minnesota Information Security Act (MISA) establishes a general framework for data security within the state, requiring businesses to implement reasonable security measures to protect personal information. PCI DSS, on the other hand, is a contractual obligation for businesses that process, store, or transmit cardholder data. In a cyber insurance claim scenario involving a data breach at a Minnesota-based e-commerce business, the insurer would investigate the business’s compliance with both MISA and PCI DSS. Non-compliance with MISA could be considered a failure to implement reasonable security measures, potentially leading to a denial of coverage or a reduction in claim payment. Similarly, non-compliance with PCI DSS, such as failing to encrypt cardholder data or neglecting to regularly update security systems, could also impact the insurer’s obligations. Many cyber insurance policies contain exclusions for losses resulting from a failure to maintain minimum required security standards, which could include PCI DSS requirements. The insurer would assess the extent to which the business’s non-compliance contributed to the data breach and the resulting damages. The Minnesota legislature has also considered enacting stricter data breach notification laws, which could further complicate the claims process.

Discuss the implications of the Minnesota Uniform Trade Secrets Act (MUTSA) on cyber insurance policies, specifically concerning coverage for losses arising from the theft or misappropriation of trade secrets via cyberattacks. How do policy definitions of “trade secret” and “cyber incident” influence coverage determinations?

The Minnesota Uniform Trade Secrets Act (MUTSA) defines trade secrets and provides legal remedies for their misappropriation. Cyber insurance policies may offer coverage for losses resulting from the theft or misappropriation of trade secrets via cyberattacks. However, the policy definitions of “trade secret” and “cyber incident” are crucial in determining coverage. The policy definition of “trade secret” must align with the MUTSA definition, which requires the information to be confidential, derive economic value from not being generally known, and be subject to reasonable efforts to maintain its secrecy. If the information stolen does not meet this definition, coverage may be denied. The policy definition of “cyber incident” must also encompass the specific type of cyberattack that led to the trade secret theft. For example, if the policy only covers data breaches resulting from malware, a trade secret theft resulting from a phishing attack might not be covered. Insurers will also assess whether the insured took reasonable measures to protect its trade secrets, as required by MUTSA and potentially by the insurance policy itself. Failure to implement adequate security controls could be grounds for denying coverage.

Analyze the potential impact of the Stored Communications Act (SCA) on cyber insurance coverage related to unauthorized access to or disclosure of electronically stored communications. How might the “reasonable expectation of privacy” standard under the SCA affect an insurer’s assessment of liability and subsequent coverage decisions?

The Stored Communications Act (SCA) protects the privacy of electronically stored communications. Cyber insurance policies may provide coverage for liabilities arising from violations of the SCA, such as unauthorized access to or disclosure of emails or other electronic communications. The “reasonable expectation of privacy” standard under the SCA is a key factor in determining liability and coverage. This standard assesses whether the individual or entity whose communications were accessed or disclosed had a reasonable expectation that those communications would remain private. Factors considered include the nature of the communication, the circumstances under which it was created and stored, and any applicable privacy policies or agreements. If a court determines that there was no reasonable expectation of privacy, there may be no violation of the SCA, and the cyber insurance policy may not provide coverage. Insurers will carefully examine the facts and circumstances surrounding the unauthorized access or disclosure to determine whether the “reasonable expectation of privacy” standard was met. This assessment will influence their decision on whether to provide coverage for the resulting liabilities. The SCA also contains exceptions, such as for lawful government access, which could further impact coverage determinations.

Explain how the concept of “vicarious liability” applies in the context of cyber insurance claims arising from the actions of independent contractors or third-party vendors who cause a data breach or other cyber incident affecting a Minnesota-based business. What due diligence requirements might an insurer impose on the insured to mitigate this risk?

Vicarious liability refers to the legal principle where one party can be held liable for the actions of another party, even if they were not directly involved in the wrongdoing. In the context of cyber insurance, a Minnesota-based business could be held vicariously liable for a data breach or other cyber incident caused by an independent contractor or third-party vendor. This is particularly relevant if the business entrusted the contractor or vendor with access to its sensitive data or systems. Cyber insurance policies may provide coverage for such vicarious liability claims, but insurers often impose due diligence requirements on the insured to mitigate this risk. These requirements may include: conducting thorough background checks on contractors and vendors, implementing robust security protocols for third-party access to systems and data, requiring contractors and vendors to maintain adequate cyber insurance coverage, and including indemnification clauses in contracts with contractors and vendors. An insurer may deny coverage or reduce claim payments if the insured failed to exercise reasonable due diligence in selecting and managing its contractors and vendors. The level of due diligence required will depend on the sensitivity of the data and systems involved and the potential impact of a cyber incident.

Describe the potential conflicts of interest that can arise when a cyber insurance policy allows the insurer to select and manage the incident response team following a data breach. How can these conflicts be mitigated to ensure the insured’s best interests are prioritized, particularly concerning legal and regulatory compliance under Minnesota law?

Cyber insurance policies often grant the insurer the right to select and manage the incident response team following a data breach. While this can provide valuable expertise and resources, it can also create potential conflicts of interest. The insurer’s primary goal is to minimize its financial exposure, which may not always align with the insured’s best interests, such as preserving its reputation, complying with legal and regulatory requirements, and protecting its customers’ data. For example, the insurer might prioritize cost-effective solutions over more comprehensive remediation efforts. To mitigate these conflicts, several safeguards can be implemented. The insured should have the right to approve the incident response team selected by the insurer and to participate in the development of the incident response plan. The policy should clearly define the roles and responsibilities of the insurer, the incident response team, and the insured. An independent legal counsel should be retained to advise the insured on its legal and regulatory obligations under Minnesota law, including data breach notification requirements and compliance with privacy laws. The incident response plan should prioritize compliance with these obligations, even if it increases the cost of the response. Transparency and open communication between the insurer, the incident response team, and the insured are essential to ensure that all parties are working towards a common goal.

How do “war exclusions” in cyber insurance policies typically operate, and what specific types of cyber activities might be considered acts of war that would trigger such an exclusion, potentially denying coverage for a significant cyber incident affecting a Minnesota-based critical infrastructure provider? Provide examples of scenarios and relevant legal interpretations.

“War exclusions” in cyber insurance policies are designed to exclude coverage for cyber incidents that are considered acts of war. These exclusions are intended to prevent insurers from being liable for catastrophic losses resulting from large-scale conflicts. However, the application of war exclusions to cyber incidents is complex and often subject to legal interpretation. Typically, a war exclusion will deny coverage if the cyber incident is attributable to a nation-state or its agents, is directed against a nation-state, and is intended to cause significant harm or disruption. Determining whether a cyber activity constitutes an act of war is challenging, as it requires assessing the intent and attribution of the attack. Examples of cyber activities that might be considered acts of war include: a coordinated cyberattack on a nation’s critical infrastructure (e.g., power grid, telecommunications networks) by a hostile nation-state, a cyberattack intended to disrupt a nation’s military operations, or a cyberattack that causes significant physical damage or loss of life. However, even if a cyber incident is attributed to a nation-state, it may not be considered an act of war if it is primarily intended for espionage or economic gain. Courts have generally interpreted war exclusions narrowly, requiring a clear nexus between the cyber incident and a declared or undeclared war. The burden of proof is typically on the insurer to demonstrate that the war exclusion applies. The application of war exclusions to cyber incidents remains a developing area of law, and the specific facts and circumstances of each case will be critical in determining coverage.

Last Updated: 15 August 25