The University of California has filed a lawsuit against insurance marketplace Lloyd’s of London. It claims that the company has refused to reimburse the university system for the costs of data breaches covered in a cyber insurance policy, with Lloyd’s of London asserting that the statute of limitations applying to the claims had expired. The dispute relates to a cyberattack from 2014/15 that exposed personal information of patients at UCLA Health.
The university paid millions of dollars to notify targets of the attack, limit it, and to defend and settle lawsuits filed by patients. However, 26 Regents of the University of California state that underwriters at Lloyd’s have “repeatedly denied coverage” for losses from the incident, according to a complaint filed to the Los Angeles Superior Court. This is based solely on a “supposed” condition to coverage that is not referenced in either of the insuring agreements under which the university seeks most of its losses, the complaint read. The story was earlier covered by the Wall Street Journal.
Underwriters argued University of California failed to comply with policy provisions
The defendants named in the suit are associations of underwriters, known as “syndicates,” operating in the Lloyd’s of London insurance market in the UK. The underwriters have previously argued that the University of California did not comply with cybersecurity provisions of the policy, which the University has denied. The case is Regents of the University of California v. Certain Underwriters at Lloyd’s, 238TCV14642, California Superior Court (Los Angeles).
The University of California claimed the underwriters’ argument that the statute of limitations for any coverage claim expired in June 2021, is incorrect, according to the complaint. “Defendants have also refused to follow the alternative dispute resolution procedure required by their own policy based on a meritless statute of limitation defense,” the complaint read.
Lawsuit reflective of a changing cyber insurance market
The cyber insurance landscape that has seen significant change recently. As the frequency and severity of ransomware, phishing, and denial-of-service attacks have increased, demand for and conditions relating to coverage have evolved. Policies are becoming more diverse, complex, expensive, and harder to qualify for, presenting CISOs and their organizations with new challenges and considerations for optimal cyber insurance investment.
The University of California/Lloyd’s of London case will be interesting in terms of setting precedents on how limitation legislation is interpreted in this context, along with the interpretation of contract terms upon any claim, Paul Watts, distinguished analyst at the Information Security Forum, tells CSO.