23andMe Secures $16.5 Million from Unused Cyber Insurance


Bankrupt Firm Intends to Utilize Settlement Funds for Cyber Claims

Cyber insurers have consented to repurchase $16.5 million in unused cyber coverage from the bankrupt genetics company 23andMe, now operating as Chrome Holding.

In an ongoing Chapter 11 bankruptcy filing, 23andMe Holding Co.—rechristened as Chrome Holding—has secured a settlement with its cyber insurers, allowing the carriers to buy back $16.5 million of the company’s unused cyber policy. These funds will be allocated to settle various creditor claims, which include those arising from cyberattack-related litigation.

The settlement agreement stipulates that Chrome will indemnify the cyber insurers for claims up to the agreed settlement amount while absolving the insurers from any subsequent claims related to these policies. This move follows 23andMe’s Chapter 11 filing in a Missouri federal bankruptcy court in March, where the court subsequently greenlit the buy-back settlement between the company and multiple cyber insurers, including several underwriters from Lloyd’s.

In July, the TTAM Research Institute, a California-based nonprofit led by Anne Wojcicki—the co-founder and former CEO of 23andMe—finalized its acquisition of the Personal Genome Service and Research Services divisions of 23andMe Holding for $305 million under U.S. bankruptcy statutes. This new ownership is expected to continue delivering personalized DNA health and ancestry tests while adhering to 23andMe’s existing privacy policies.

According to the settlement documents, Chrome’s cyber insurance policy covered events from May 1, 2023, to May 1, 2024, with a total liability limit of $25 million. The policy encompasses losses due to cyber extortion and other incidents related to network security and privacy events. The documents note that these are “wasting” policies, meaning coverage diminishes dollar-for-dollar with the legal defense costs of claims or lawsuits linked to covered events.

To date, underwriters have approved nearly $8.5 million for defense costs related to litigation stemming from cyber incidents and alleged data privacy breaches affecting 23andMe. Among the significant legal challenges are a consolidated class action suit and separate litigation in Canada linked to a credential stuffing attack in October 2023 that impacted approximately 7 million consumers.

In October, the bankruptcy court preliminarily approved a $30 million settlement for the U.S. class action and a separate CAD 4.49 million agreement in Canada concerning the credential stuffing incident. Chrome also approached a $3.25 million settlement in litigation accusing its telehealth arm, Lemonaid Health Inc., of violating privacy norms through pixel tracking on its websites.

The agreement with the cyber insurers specifies that the $16.5 million settlement funds will exclusively cover claims that fall under the policies, including obligations arising from class action settlements and other claims linked to cybersecurity incidents. Notably, the deal also encompasses class members who opted out of earlier settlements to pursue independent legal actions.

Insights from industry experts highlight that insurers sometimes opt to buy back policies in complex and lengthy risk scenarios involving “long-tail” issues such as environmental or asbestos-related claims. These buy-backs can offer immediate financial liquidity to the insured while allowing insurers to forecast their liabilities and avert protracted litigation.

This settlement exemplifies the essential role cyber insurance plays in providing financial safeguards against evolving cyber threats and liability exposure. While specific tactics and techniques related to this incident have not been disclosed, it is plausible that the breach involved initial access and persistence techniques as outlined in the MITRE ATT&CK framework.
