Sinclair Files Lawsuit Against Cyber Insurers Over Unpaid Ransomware Claims

Published on November 6, 2024

In a high-profile legal battle that underscores the complexities of modern cyber insurance, media giant Sinclair Broadcast Group has filed suit against two of its cyber insurers, Continental Casualty (CNA) and Starr Indemnity & Liability, over unpaid claims stemming from a ransomware attack in 2021. The lawsuit was originally filed on September 13 in the Circuit Court for Baltimore County, Maryland, and was moved to the U.S. District Court in Maryland on October 16, according to reporting from The Wall Street Journal.

The 2021 Ransomware Attack and Its Aftermath

Sinclair, which owns or operates 185 television stations and 21 regional sports networks, fell victim to a ransomware attack on October 17, 2021. The company managed to recover by mid-November, but the damage was significant, with Sinclair estimating the total cost of the attack at $70 million.

To mitigate such risks, Sinclair had purchased up to $50 million in coverage through a series of layered insurance policies. The structure of these policies was designed to pay out sequentially, with CNA managing the fourth layer and Starr covering the fifth. While the first three insurers met their obligations and paid Sinclair’s claims, CNA and Starr have yet to do so, according to the lawsuit.

Policy Details and Disputed Payments

The primary insurance policy, valued at $10 million, was issued by Axis Insurance and covered various aspects such as crisis management, fraud response, and forensic investigations. The remaining coverage came from excess policies issued by QBE Insurance, Philadelphia Indemnity Insurance, CNA, and Starr, each providing $10 million in follow-form policies linked to the terms set by Axis.

Sinclair claims that CNA initially indicated it would pay out under the policy. However, in October 2023, CNA presented a revised forensic report that reduced the business interruption claim for one of Sinclair’s two affected units from $42 million to $10.8 million. This adjustment, Sinclair argues, effectively placed the claim outside the scope for payout under CNA’s policy. Since March 2024, when Sinclair submitted further requested information, CNA has not provided an update on its decision, according to the lawsuit. Sinclair believes that Starr will issue payment once CNA does, as Starr’s policy is contingent on CNA’s payout.

The Changing Landscape of Cyber Insurance

Sinclair’s situation highlights the evolving nature of the cyber insurance market, which has grown significantly in response to an increase in cyberattacks on businesses of all sizes. According to data from the National Association of Insurance Commissioners (NAIC), insurers saw an average loss ratio of 66.4% in 2021, driven by the surge in cyber-related claims. This led to stricter underwriting practices and reduced coverage offerings in subsequent years, with the loss ratio falling to 43% in 2023.

To protect against extensive financial losses, many companies, including Sinclair, are forced to assemble coverage through multiple, layered policies. These policies may include specialized cyber policies and excess insurance that covers specific incident response costs.

Broader Implications and Industry Trends

Disputes over cyber insurance payouts, particularly for claims tied to ransomware and business interruption, have become more common as insurers attempt to manage risk and protect profitability. However, nonpayment disputes like Sinclair’s are rarer than coverage denials for broader policy terms. Notable past cases include a prolonged battle between food conglomerate Mondelez and its insurer Zurich over the 2017 NotPetya attack, which centered on whether the incident qualified as an act of war. The case was ultimately settled in 2022. In another instance, a North Carolina radiology practice sued its insurer in 2023 after a cyber policy lapsed just before an attack due to procedural errors.

Sinclair’s spokesperson expressed disappointment in CNA and Starr’s refusal to pay, stating, “We aren’t going to comment on ongoing litigation; however, we are disappointed that these insurance companies are refusing to honor their coverage obligations unlike other insurers on the same program who covered their portion of our loss.” Neither CNA nor Starr provided comments to The Wall Street Journal.

As the case progresses, it will be closely watched by businesses and insurers alike for its potential impact on how cyber policies are interpreted and honored. This ongoing legal matter highlights the necessity for clarity in policy language and the importance of due diligence when structuring layered insurance coverage to address emerging risks.