The recent ruling in T-Mobile USA, Inc. v. Steadfast Insurance Company signals several good indicators for policyholders. A straight-up win for the policyholder, the case held that the insurance company could not reap the benefits of the policyholder's successful efforts to recover part of its loss from third parties. That holding alone clarifies that cyber insurance policies are meant to protect policyholders. Further, it indicates that policyholders should be made whole before insurance companies can recoup monies paid as coverage.

In the case, T-Mobile had suffered a $17.3 million loss from a cyber-security breach that was covered under its cyber insurance policy. The policy had a $10 million retention or "SIR" that T-Mobile absorbed before the policy paid the remaining $7.3 million in coverage. By pursuing its vendor for indemnity, T-Mobile recovered $10.75 million. The insurance company then claimed that it did not owe any coverage, arguing that T-Mobile's "loss" did not exceed the retention. The court disagreed and held that the recovery from a third party could be applied to the retention and did not eliminate T-Mobile's "loss."

The case indicates that cyber policies are covering losses and, when an insurance company refuses to provide coverage, the policies can be enforced in court. The facts of the case illustrate the growing complexity of cyber incidents, which increasingly involve numerous parties with different losses. T-Mobile was able to hold a vendor liable by relying on and enforcing contractual indemnity obligations. Policyholders should pay attention to such indemnity provisions in their contracts. These provisions may help make higher deductibles more palatable, because they can be enforced as first-dollar obligations from vendors or other business partners. The contractual insurance requirements that go hand-in-hand with those indemnity provisions, which require the vendor or business partner to have responsive insurance in place, can be of equal importance. Often the expectation is that such insurance policies will pay for the contractual indemnity obligations.

As the cyber insurance market continues to harden, policyholders can expect insurance companies to dispute coverage. Policyholders also can help spread or transfer their risk by looking to the indemnity provisions in their commercial contracts and, potentially, to the insurance policies backing up those contractual obligations. The T-Mobile case is an excellent, if hard-fought, example of those protections the policyholder put into place being enforced to provide the expected recoveries.

According to Steadfast, that recovery "absolved" T-Mobile from paying $10.75 million because Experian indemnified T-Mobile .... The policy excludes from its definition of "loss" "any amount for which the Insureds are absolved from payment." The policy does not define the word "absolve." But the dictionary defines "absolve" as "to set free or release from some obligation, debt, or responsibility." Webster's Third New International Dictionary 7 (2002). But the Experian recovery did not "absolve" T-Mobile from payment because it did not set free or release T-Mobile from its obligation to pay the costs and expenses it incurred from the data breach. T-Mobile remained directly liable for those obligations and paid them in full. Experian then reimbursed T-Mobile for some .... We conclude that the policy does not exclude as a covered loss the $10.75 million T-Mobile recovered from Experian.
