November 27, 2023

Judge rejects Crum & Forster’s bid to toss cybersecurity coverage lawsuit

A Washington state judge denied a bid by insurer Crum & Forster to terminate a lawsuit over cybersecurity event at a Seattle logistics company.

In the Nov. 17 ruling denying summary judgement, Judge David S. Keenan wrote that “there are genuinely disputed issues of material fact” over the insurer’s response to a 2021 ransomware attack at Radiant Logistics.

According to Radiant’s lawsuit filed in Washington Superior Court, Crum & Forster Specialty Insurance Co. underwrote a cyber and multimedia liability insurance policy. Radiant claimed its losses from the ransomware attack exceeded $1 million.

“C&F failed to honor the contractual promises it made in its marketing materials, claiming that its policies only provide a tiny fraction of the $1 million policy limits—regardless of whether the costs fall inside or outside the aggregate limits,” Radiant said in a court response. “And now, after Radiant retained the C&F-recommended vendors and C&F ‘approved’ hundreds of thousands of dollars in breach response services, C&F claims Radiant should foot the bill.”

Founded in 2005, Radiant is a publicly traded, non-asset-based global transportation and supply chain management company. Through “organic growth” and acquisitions, Radiant has developed into “a global network trusted and depended on by both our customers and partners,” the company says on its website.

Crum & Forster denied Radiant’s claim based on “a clear sublimit of liability for First Party Loss and Breach Costs for Malware Events,” the insurer said. The insurer paid $25,000 towards the ransomware payment that the attackers demanded and another $25,000 in vendor costs incurred to respond to the Incident, court documents say.

“After C&F paid these amounts ($50,000 in total), the sublimit was exhausted,” the insurer’s petition for summary judgement reads.

Experts say cybercrime is transforming the insurance industry, as insurers learn new coverage responsibilities on the fly.

Cyber takeover

On Dec. 7, 2021, Radiant discovered that the majority of its servers and workstations had been encrypted with ransomware, court documents say. Radiant reported the incident to C&F that same day, court documents say, and the insurer’s cyber response team took control of the breach response.

Lewis Brisbois Bisgaard & Smith was hired to handle the legal response and Tracepoint hired to lead the computer security response, court documents say.

“Despite initially claiming that the Policy’s limits ‘appear likely to be exhausted,’ over the next few days C&F continued to control the response and approve hundreds of thousands of dollars more in work,” Radiant said in court documents. “On Dec. 8, 2021, C&F approved an additional $140,000 in Tracepoint services for ‘on-site assistance with restoration and evidence gathering’ and for ransom negotiations.”

As costs continue to pile up, Tracepoint negotiated a $100,000 settlement with the attackers, court documents explain. Over the ensuing seven months, C&F oversaw and approved $556,000 in Tracepoint computer forensic work and $33,000 in Lewis Brisbois legal services, court documents say.

Radiant is questioning why the insurer continued to oversee the cyber response for months when the coverage sublimit was supposedly exhausted the first day, according to court documents.

“C&F inexplicably treated Radiant’s claim as a ‘Malware Event,’ instead of a ‘Cyber Event,’ in an attempt to invoke the $25,000 sublimit that would only be a small fraction of the policy limits advertised and sold to Radiant,” the company said in court documents.

Discovery is expected to continue well into 2024, Radiant said in its response to Crum & Forster’s request for summary judgement.

InsuranceNewsNet Senior Editor John Hilton covered business and other beats in more than 20 years of daily journalism. John may be reached at john.hilton@innfeedback.com. Follow him on Twitter @INNJohnH.

The post Judge rejects Crum & Forster’s bid to toss cybersecurity coverage lawsuit appeared first on Insurance News | InsuranceNewsNet.