This month, when many are working with inspiration towards their New Year’s resolutions, we urge each business policyholder to set a goal fitting of our modern high-tech age: checking its cyber insurance.

Cyber insurance is something of a fluid catch-all term, but insureds generally seek it to provide coverage for computer-based perils, such as those arising from unauthorized computer access (“hacking”), malicious software (“malware”), email fraud (“phishing” or “spoofing”), malware that encrypts data or locks systems until a payment is made (“ransomware”), network failure or inaccessibility, and the resulting breach or disclosure of protected data. Such insurance can be either first-party (covering the insured’s own losses arising from, say, a computer system malfunction, a disgruntled employee, or a cyber criminal) or third-party (covering the insured’s liability to, say, its consumers for a data breach or the government for regulatory fines).

Standalone cyber insurance policies are still in their infancy, with varying policy language and pricing, setting them in rather stark contrast to the standardized forms and pricing models characteristic of some other types of insurance. Perhaps because this market is still maturing, reports indicate that only half of U.S. businesses have standalone cyber insurance policies,[1] with the percentage almost certainly lower among small- and medium-sized businesses that may be least able to survive the large expenditures associated with a cyber event.

Last year, a consortium of major risk and tech companies – Aon, Apple, Cisco, and Allianz – teamed up to offer discounted cyber insurance, seeking to provide a holistic approach to cyber risk management that benefits from each partner’s expertise.[2] Under this bundled arrangement, a prospective insured undergoes a cybersecurity assessment by Aon, uses secured tech products and services from Apple and Cisco, and obtains a cyber insurance policy issued by Allianz. The goal is to encourage more businesses to sign up for cyber coverage, including by providing incentives such as discounts for security enhancements and access to tech consulting and incident response services.

As of this writing, it appears this first-in-industry offering has not been tested in the courtroom. But perhaps even more surprising is the absolute dearth of cyber-specific case law. In one of the few reported cases, a federal district court denied coverage under a cyber policy for credit card industry fees imposed due to a consumer data breach, parsing the policy’s language with the type of analysis commonly applied to other more traditional insurance.[3]

This leads to an important point: Given the novelty of cyber insurance, insurers and courts will interpret such policies according to the familiar legal canons, and insureds should consider whether coverage might exist under their existing traditional insurance policies. This blog has previously advised you about an insured who unsuccessfully sought coverage under a crime-protection policy for an email spoofing fraud.[4] But thankfully, other insureds have been successful. For instance, both the Second and Sixth Circuits have found coverage for a spoofing fraud under a crime or business policy’s computer fraud provision.[5]

Considering all of this, we encourage all businesses to re-examine their cyber security risks and coverage needs, under both cyber-specific and more generalized insurance policies. Lathrop Gage’s insurance recovery team is experienced in these matters and stands ready to assist policyholders at each step of the process, from conducting proactive policy analysis to litigating high-value coverage disputes at trial and on appeal.

[1] “Why 27% of U.S. Firms Have No Plans to Buy Cyber Insurance,” Insurance Journal, https://www.insurancejournal.com/news/national/2017/05/31/452647.htm (last accessed January 2, 2019).

[2] “Cisco, Apple, Aon, Allianz introduce a first in cyber risk management,” Apple press release, https://www.apple.com/newsroom/2018/02/cisco-apple-aon-allianz-introduce-a-first-in-cyber-risk-management/ (last accessed January 2, 2019).

[3] P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016), https://docs.justia.com/cases/federal/district-courts/arizona/azdce/2:2015cv01322/934023/45 (last accessed January 2, 2019).

[4] “Social Engineering Cyber Coverage: Protecting Your Company from the Human Factor,” https://www.roadtoinsurancerecovery.com/2018/08/social-engineering-cyber-coverage-protecting-company-human-factor/.

[5] Medidata Sols. Inc. v. Fed. Ins. Co., 729 F. App’x 117 (2d Cir. 2018), https://www.insurancejournal.com/app/uploads/2018/07/Medidata-v-Federal-Insurance.pdf (last accessed January 2, 2019); Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018), https://law.justia.com/cases/federal/appellate-courts/ca6/17-2014/17-2014-2018-07-13.html (last accessed January 2, 2019).

Remember those spam emails from Nigerian royal family members needing to transfer millions of dollars out of Nigeria, requesting the recipients provide banking and personal information to “hold” the funds or otherwise front money to the fraudster to pay taxes and fees?  While most people have (hopefully) wised up to that scheme, a more insidious and devastating fraud has taken hold in the corporate world – the “social engineering” scheme.

“Social engineering” schemes are shades of the Nigerian letter scams, except the fraudster pretends to be someone affiliated with your company, such as a contractor or vendor.  The emails are convincing even to sophisticated employees, often instructing the recipient to follow “corporate procedures” to complete the money transfer.

Typically, this is how the scheme works:

(i) Your employee receives a phishing email from a spoofed address in which the fraudster pretends to be affiliated with your company (or with one of its vendors) and requests a transfer of an (often substantial) amount of money;

(ii) Your targeted employee follows in-house protocols with respect to the requested transfer, sometimes even getting approval from more senior level management, with the approver relying on the same forged request;

(iii) Your employee makes the transfer to the fraudster’s account; and

(iv) Your company discovers the fraud only after the transfer.

Many companies are shocked to find only after the fact that their insurance carriers do not cover these losses.  Unfortunately, not having appropriate cyber coverage can be a devastating mistake.  The National Cyber Security Alliance found that as much as 60 percent of hacked small and medium-sized businesses go out of business within six months after being hit with a cyber-attack.

Businesses can greatly reduce the threat by mitigating cyber risks through managerial and technical processes, including implementing security measures such as firewalls, two-factor authentication for computer access, limiting employee access to sensitive data, review of third-party vendors’ security procedures, and regular and thorough training of employees.  For payment-change requests in particular, the decisive control is to confirm the request out of band using contact details already on file for the vendor, never the telephone number or email address supplied in the request itself.  However, even the best measures cannot fully neutralize cyber threats.  Businesses remain vulnerable because of the “human factor” associated with these schemes; a skilled fraudster executes a social engineering scheme with the (unwitting) help of an innocent employee.

Recent court decisions highlight the importance of closely reviewing cyber policies to ensure that “social engineering” scams are fully covered.  In Apache Corporation v. Great American Insurance Company, 662 F. App’x 252 (5th Cir. 2016)[1], for example, the court held that the policyholder was not covered for a social engineering attack despite having “computer fraud” coverage for “loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer of that property….”   The Apache employee received a spoofed email with a signed letter on the vendor’s letterhead, instructing the employee to change the vendor’s account information and submit future payments to the new (fraudulent) account.  The employee even called the telephone number provided on the (forged) letterhead and verified the request, while still another employee approved the transaction.  Apache thereafter submitted payments to the new account.  The Fifth Circuit held that the $2.4 million loss was not covered because the loss did not result directly from the use of a computer; the email was “merely incidental” to the fraud, which was carried out through the forged letter, the telephone call, and the employees’ own approval steps.
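The Apache facts show the verification failure precisely: the employee confirmed the account change by calling the number printed on the forged letterhead, so the fraudster answered. The following is an added example, written for this page and not code from the original post or from any of the companies or courts it mentions, of a payment-change gate that refuses to treat contact details carried by the request as trustworthy. It also checks for lookalike sender domains and for an approver who is the same person as the requester. The vendor master record, the request fields, and the sample requests are all constructed for the example.

```python
"""Vendor bank-account change gate: verification uses only data already on file."""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re


@dataclass(frozen=True)
class VendorRecord:
    """What accounts payable already holds for a vendor (hypothetical master record)."""
    name: str
    email_domain: str
    phone_on_file: str
    bank_account: str


@dataclass(frozen=True)
class ChangeRequest:
    """Fields parsed from an inbound 'please update our banking details' email."""
    vendor_name: str
    sender_email: str
    callback_phone: str      # number printed on the (possibly forged) letterhead
    new_bank_account: str
    requester: str           # employee who received the request
    approver: str            # employee who signed off


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def normalize_phone(number: str) -> str:
    """Keep digits only so '+1 (555) 010-0100' and '15550100100' compare equal."""
    return re.sub(r"\D", "", number)


def is_lookalike(domain: str, expected: str) -> bool:
    """A near-miss domain (acme-supply.co vs acme-supply.com) is a spoofing signal."""
    if domain == expected:
        return False
    return SequenceMatcher(None, domain, expected).ratio() >= 0.8


def vet_change_request(req: ChangeRequest, master: dict,
                       confirmed_on_file_phone: bool) -> dict:
    """Return {'approved': bool, 'findings': [...]}.

    confirmed_on_file_phone must be set by the employee only after calling the
    number in the master record; the request's own callback number is never used.
    """
    findings = []
    vendor = master.get(req.vendor_name)
    if vendor is None:
        findings.append("vendor not in master file")
    else:
        domain = sender_domain(req.sender_email)
        if domain != vendor.email_domain:
            kind = "lookalike" if is_lookalike(domain, vendor.email_domain) else "foreign"
            findings.append(f"{kind} sender domain {domain!r} (on file: {vendor.email_domain!r})")
        if normalize_phone(req.callback_phone) != normalize_phone(vendor.phone_on_file):
            findings.append("callback number in the request differs from the number on file; "
                            "the request's own number must not be used for verification")
        if req.new_bank_account == vendor.bank_account:
            findings.append("requested account is already on file; nothing to change")
    if req.requester == req.approver:
        findings.append("requester and approver must be different people")
    if not confirmed_on_file_phone:
        findings.append("change not confirmed by calling the number on file")
    return {"approved": not findings, "findings": findings}


# Constructed sample data (not real vendors, numbers or accounts).
VENDOR_MASTER = {
    "Acme Supply": VendorRecord("Acme Supply", "acme-supply.com", "+1 555 010 0100", "US00-1111"),
}
SPOOFED_REQUEST = ChangeRequest("Acme Supply", "payments@acme-supply.co", "+1 555 010 0999",
                                "US00-9999", requester="pat", approver="lee")
LEGIT_REQUEST = ChangeRequest("Acme Supply", "ar@acme-supply.com", "+1 (555) 010-0100",
                              "US00-2222", requester="pat", approver="lee")

if __name__ == "__main__":
    # The spoofed request is rejected even if someone "verified" it using the
    # letterhead number, because that flag is only set after calling the number on file.
    print(vet_change_request(SPOOFED_REQUEST, VENDOR_MASTER, confirmed_on_file_phone=False))
    print(vet_change_request(LEGIT_REQUEST, VENDOR_MASTER, confirmed_on_file_phone=True))
```

The design point is that the callback number from the request is compared against the master record but never dialed: the only way for `confirmed_on_file_phone` to become true is for an employee to call the number accounts payable already had before the email arrived.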

This case highlights how critical it is for companies to transfer the risk of all cyber-attacks through comprehensive cyber coverage, particularly to cover risks that cannot be fully mitigated by security measures because of the “human factor.”  For this reason, it is important to review policy terms with your broker to assess the scope of coverage before your company is attacked.

[1] http://www.ca5.uscourts.gov/opinions/unpub/15/15-20499.0.pdf

In a recent webinar, Lathrop Gage Partner Mike Abrams and Hays Companies Vice President and Cyber Liability Practice Leader Dave Wasson covered several common pitfalls to avoid in buying cyber liability risk policies. In summary, the cyber insurance market is not a mature one, and policies differ significantly. It’s important to be working with a broker or lawyer who is familiar with potential issues and terms that can be negotiated.
