Silent Cyber: The Case for Stand-Alone Cyber Insurance
In the past few years, we’ve seen an increase in insurance coverage disputes over non-affirmative cyber coverage under General Liability (GL) policies, Business Owners’ Policies (BOP) and Commercial Crime policies. The disputes arise from cyberattacks built on phishing or spoofed emails, also known as business email compromise (BEC), used to trick recipients into wiring money to fraudulent bank accounts.
This month, the FBI’s Internet Crime Complaint Center (IC3) released its 2019 Internet Crime Report, highlighting 23,775 BEC complaints filed with the agency and a staggering $1.77 billion in estimated losses to organizations in 2019.
What We Know
The fraudsters trick employees by taking over legitimate email accounts or impersonating email addresses, then sending fake emails that appear to be authentic. Recipients carry out the instructions (which appear to come from a senior executive, manager, colleague, client or third-party vendor) to change wiring instructions, bank account numbers, routing numbers and addresses.
Typically, the new bank account is emptied and closed as soon as the funds arrive. In some cases, banks have retrieved part of the funds, depending on how quickly the transaction was reported. In other cases, the fraudsters collected multiple wire transfers before the sender realized, days or even weeks later, what had occurred.
What are the precautionary practices to help companies prevent these losses?
How can we fight our human nature? Reports indicate that only four percent of users click on phishing emails, yet that four percent can have a devastating impact on your company.
Making your employees aware of the risk posed by any request to change payment practices, banking details or procedures involving your financial accounts is time well spent.
This year, we are feeling the impact of two-factor authentication in more aspects of our lives, from changing our profile or password on an online account to adding users to our credit card accounts. Yet imposters still find ways to reach us by email or phone (e.g., an imposter taking the follow-up phone call placed by the email recipient – see the Apache case below).
Double-checking through a second, independent channel (e.g., a call, a separate email thread or an in-person visit) will prevent some, if not all, fraudulent wire transfers. The call-back must go to a phone number already on file for the vendor or executive, never to a number supplied in the request itself; in the Apache case the confirmation call went to the imposter.
Companies should also turn on the security functions in Microsoft Office 365, moving beyond the default settings and requiring unique, strong passwords that are changed regularly.
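The precautions above come down to recognizing the traits of a BEC message before money moves: a display name that matches an executive but an address that does not, a Reply-To pointing somewhere other than the From domain, a vendor domain one or two characters off from the real one, and a request to change payment details, often with pressure to act quickly. The following is an added example, not code from the original article or from Cyber Armada, of a mail-flow triage check that flags those traits and holds the message for out-of-band verification. The company domain, executive list, vendor domain and the three sample messages are constructed for the example.

```python
"""
Heuristic triage of inbound email for business email compromise (BEC) traits.
Added example, not from the original article. The organization data and the
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organization data (hypothetical).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real address
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com"}

# Phrases typical of payment-instruction changes, and of pressure to act fast.
PAYMENT_CHANGE = re.compile(
    r"\b(wir(e|ing) instructions|bank account|routing number|"
    r"new account|updated? (our |your )?(bank|payment) details)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (acme-suppiles vs acme-supplies)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    for trusted in {COMPANY_DOMAIN, *TRUSTED_VENDOR_DOMAINS}:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message and a recommended action."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""   # single-part messages only
    text = f"{msg.get('Subject', '')}\n{body}"

    flags = []
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        flags.append("display_name_impersonation")      # exec name, wrong mailbox
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")               # replies go to the fraudster
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike_domain:{imitated}")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment_change_request")
    if URGENCY.search(text):
        flags.append("urgency")

    sender_suspicious = any(f.startswith(("display_name_impersonation",
                                          "reply_to_mismatch", "lookalike_domain"))
                            for f in flags)
    action = ("hold: verify by calling a number already on file"
              if "payment_change_request" in flags and sender_suspicious
              else "deliver")
    return {"from": from_addr, "flags": flags, "action": action}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "exec_spoof": (
        "From: Jane Doe <jane.doe.ceo@gmail.example>\n"
        "Reply-To: jane.doe.ceo@fastmail.example\n"
        "To: ap@example-corp.com\n"
        "Subject: Urgent - updated wiring instructions\n"
        "\n"
        "Please wire today's vendor payment to the new account below. Confidential.\n"
    ),
    "vendor_lookalike": (
        "From: Billing <billing@acme-suppiles.com>\n"
        "To: ap@example-corp.com\n"
        "Subject: Invoice 4471 - new bank account\n"
        "\n"
        "We have changed banks; please update our bank details before paying invoice 4471.\n"
    ),
    "benign": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "To: ap@example-corp.com\n"
        "Subject: Q3 forecast\n"
        "\n"
        "Attached is the forecast deck for Thursday.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The check is deliberately conservative: a payment-change request alone is routine business and is delivered, and a suspicious sender alone (a lookalike domain sending a newsletter) is delivered too; only the combination is held. Holding for a call-back to a number on file, rather than blocking outright, matches the verification step the article recommends and keeps the decision with accounts payable.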
Discussions with your Bank
If you are a US-based company with no international business transactions, discussing with your bank how it should handle requests for international wire transfers from your accounts could prevent these losses, or at least help in recovering the funds.
Insurance Coverage Assessment
As indicated below, companies would do well to assess their insurance portfolio to determine coverage and any restrictions applicable to BEC losses.
Historically, stand-alone cyber insurance policies have excluded fraudulent funds transfers and the loss of money or securities. Some insurance carriers, however, are now expanding coverage (with negotiated sub-limits) for BEC, social engineering, invoice manipulation or e-crime.
If the policyholder makes a claim under a stand-alone cyber insurance policy that expressly covers BEC, social engineering, invoice manipulation or e-crime, the insurance company has anticipated such claims and adjusts them accordingly.
However, when a policyholder seeks coverage for BEC under a policy that the insurance carrier did not expect to provide such coverage, such as a crime policy, the matter may end up before a court in a coverage dispute. If the court finds coverage, this is silent cyber: the insurance carrier pays for a cyber claim that it did not intend to cover when it wrote the policy.
Insurance companies are therefore taking notice of coverage litigation involving fraudulent wire transfers. Ideally, cyber coverage should be clear and unambiguous to avoid disputes, and this is best addressed in a stand-alone cyber insurance policy.
Coverage Litigation – Recent Federal Appellate Court Rulings
In 2016, the Fifth Circuit ruled in favor of the insurer, finding that a social engineering loss was general fraud rather than the computer fraud required under the crime policy:
- In Apache Corp. v. Great American Ins. Co., No. 15-20499 (5th Cir. 2016), the Fifth Circuit ruled that Apache Corporation was not covered for losses stemming from a fraudulent scheme that caused Apache to wire $7 million in vendor invoice payments to a bogus bank account, reversing a Texas federal district court’s decision. Apache recovered $2.4 million of the lost money, but GAIC denied its claim for coverage under the crime policy, arguing that the scheme’s success hinged on Apache calling the imposter to confirm the bank account change over the phone (i.e., the email was merely one step in the process) and that the policy wording covered computer fraud, not general fraud.
Since 2018, the Second and Sixth Circuits, the Vermont Supreme Court and a Maryland federal district court have ruled in favor of policyholders, indicating that the tide may be turning, by finding coverage for social engineering schemes and other cyber losses under crime policies and Business Owners’ Policies (BOP):
- In Medidata Solutions, Inc. v. Federal Ins. Co., No. 17-2492 (2nd Cir. 2018), in a much-anticipated decision on payment instruction fraud, the Second Circuit affirmed a district court ruling that the computer fraud provisions of a crime policy covered losses incurred when a Medidata employee transferred $4.77 million in funds in response to two spoofed emails and a call from an imposter.
- In American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014, 2018 WL 3404708 (6th Cir. 2018), shortly after the Medidata ruling, the Sixth Circuit reversed the federal district court, finding that the $834,107 wired to imposters posing as a third-party vendor in China amounted to computer fraud that directly caused the insured’s direct loss, and that no policy exclusion applied to bar coverage.
- In Rainforest Chocolate, LLC v. Sentinel Insurance Company, 2018 VT 140, 2018 LEXIS 240 (Vt. Dec. 28, 2018), the Vermont Supreme Court held that the “false pretense” exclusion in a BOP did not exclude the loss when an employee wired $19,875 based on a manager’s email that had in fact been sent by an imposter. The court reversed the lower court, criticizing the policy drafting and finding the exclusion ambiguous (i.e., the exclusion used “physical loss” and “physical damage” while the rest of the policy used “loss” and “damage”). The case was remanded to the trial court to address the forgery and money and securities coverage provisions.
- Beyond BEC, a Maryland federal district court ruled in National Ink and Stitch, LLC v. State Auto Insurance Companies, No. 1:2018cv02138, Document 39 (D. Md. 2020) that an insurer must indemnify a screen-printing business under its BOP for costs incurred in a ransomware attack (the ruling came years after the attack, far from real time). After the insured paid the initial ransom, the attacker demanded an additional payment. The insured instead replaced its software, which left the system noticeably less efficient, creating the need either to wipe the entire system and reinstall or to purchase and install a new server. When the insured chose the latter, the insurance company disputed whether the insured had suffered a “direct physical loss of or damage to” the computer system as required by the BOP, arguing that the lost data was an “intangible asset.” The court ruled for the insured, holding that data, even as an “intangible asset,” could suffer “physical loss or damage” and that the computer system’s loss of efficiency counted as “physical damage.”
- Precautionary best practices in human behavior and insurance coverage assessments are recommended as the frequency and severity of cyberattacks increase.
- Silent cyber coverage under non-cyber insurance policies will not respond to cyberattacks in real time; it is established, if at all, through litigation after the fact.
- A dedicated cyber policy clearly and affirmatively provides cyber coverage (both first party and third party) in real time.
- Insurance markets are explicitly excluding cyber coverage from non-cyber policies, making the shift to affirmative cyber insurance more pronounced.
- Cyber Armada’s advocacy helps companies meet and fulfill reasonable security protocols and cyber hygiene as part of their cyber risk management.
Watch for our next article on Silent Cyber, highlighting some of the cyber exclusions being used in the insurance market.