This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Many an unhappy modern tale arises when a cyber predator suggests to his victim that they transition their dealings from the virtual world to a meeting “IRL” – “in real life.”  But the perils that arise when the internet meets the “real world” are not limited to vulnerable individuals:  advances in technology, coupled with the ingenuity of malefactors, create the real risk that acts taking place wholly within cyberspace can have substantial impacts “in real life” – in the outside world – that go well beyond the loss of data or computer functionality.  The best-known example is the STUXNET virus, which seized control of Iran’s nuclear centrifuges and caused them, in effect, to commit mechanical suicide.  Nearly as well-publicized was the 2014 cyber-attack on a German steel mill, which prevented a blast furnace from properly shutting down, reportedly causing massive damage.  Any commercial entity that relies on internet-connected systems to control the operation of physical assets (such as manufacturing companies or utilities), and any entity that manufactures or distributes internet-connected products, is potentially at risk.

The risks go beyond the threat of damage to one’s own property: malicious computer activity could cause damage to third-party property or, worse yet, bodily injury or death. Many readers will recall the 2015 event (staged by “white hat” hackers) showing that a motor vehicle could be remotely disabled while traveling on a highway.  It is not hard to imagine that similar vulnerabilities could provide an entrée for hackers to precipitate catastrophic accidents.  Imagine what would happen, for example, if hackers remotely caused cardiac pacemakers to speed up patients’ heart rates to dangerous levels (this was the mechanism used, fictionally, to dispatch a victim in a 2013 episode of the TV show “Elementary”).  As the “internet of things” becomes more prevalent, the risk grows commensurately.  And the consequences of even minor disruptions (for example, the remote manipulation of an Internet-connected refrigerator that causes food spoilage) can be substantial when aggregated across thousands of products (through class action lawsuits or otherwise).

Faced with these sorts of losses, businesses and individuals would justifiably look to their insurance for coverage. After all, what is insurance for if it is not to protect against unexpected risks of damage or injury?  Unfortunately, but not surprisingly, insurance coverage for these risks – both first-party property insurance to cover loss to one’s own property, and third-party liability insurance to cover one’s legal obligations to others – remains unclear.


With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.

In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016), the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.

The Underlying Breach and Loss

In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens.  At the end of the work day, the employee left the two tokens in the computer and left the computer running.  Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system.  This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).

The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud.  The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss.  BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.

The Litigation and the District Court Decision

The Bank filed suit seeking damages for the insurer’s breach of contract.  The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”

The Eighth Circuit Decision


As cyber attacks increase at an unprecedented pace, more and more businesses are purchasing cyber insurance to protect against that risk. The insurance industry now faces an avalanche of claims, and those claims now are moving to the litigation phase.  In one of the first decisions interpreting a cyber insurance policy, an Arizona federal court

Much has been written about the increasing prevalence of, and need for, cyber insurance. At the same time, it is important that policyholders or prospective purchasers of cyber insurance keep their eyes open.  Ultimately, cyber insurance – like all insurance – is nothing more than a promise: In return for a (substantial) premium payment, the

On December 3, 2014, Sarah Raskin, Deputy Secretary of the U.S. Department of Treasury (Treasury), gave a speech before the Texas Banker’s Association Executive Leadership Cybersecurity Conference. Deputy Secretary Raskin’s remarks provide effective guidance for community bank chief executive officers, chief risk executives and boards of directors to consider when assessing their cybersecurity preparedness. According to Deputy Secretary Raskin, Treasury categorizes its thinking around cybersecurity and financial industry preparedness against cyber-attacks into three activities: (1) baseline protections, (2) information sharing and (3) response and recovery. When analyzing each activity, banks should enhance their cybersecurity risk assessment processes by asking the following questions: