Coverage Disputes Over Online Attacks Grow


A federal court has ruled that an insurer’s professional liability policy must pay out $6 million for a company’s losses from a business e-mail compromise scam, even though the business lacked cyber coverage.

The ruling is part of a growing trend of businesses that haven’t purchased cyber insurance seeking coverage for cyber-related losses from other policies they do have, such as business liability, professional liability, and directors & officers (D&O) coverage.

Seeking coverage for cyber losses and e-mail compromise scams under policies other than cyber policies is not often successful, and whether the insurer will pay out can depend on the nature of the loss.

In this latest case, however, a judge in the U.S. District Court in the Southern District of New York ruled that American International Group must cover $5.9 million that a company had been duped out of by Chinese hackers in 2016.

AIG had disputed the claim saying that the professional liability policy the business had does not cover “criminal acts,” adding that it had never sold the company a cyber policy.

These disputes are becoming more common and you should pay attention to your policy exclusions, as well as consider cyber insurance, if you have assets that could be exposed through a cyber attack or fraud.

How was the business scammed?

SS&C Technologies received spoof e-mails that purported to come from one of the company’s clients, Tillage Commodities Fund, a commodities investment firm. The e-mails instructed the company to make six wire transfers to a bank account in Hong Kong.

The scammers masqueraded as Tillage employees with e-mail addresses that spelled “Tillage” as “Tilllage.”

But according to court documents, there were telltale warning signs that the e-mails were fishy:

  • One e-mail asking SS&C to wire $3 million contained only the words “How was your weekend?” and then the wire transfer details.
  • E-mails included grammatical errors and unusual syntax like “Let’s round up business today.”

Based on the above, staff at SS&C were not too diligent in looking out for possible business e-mail compromise scams involving a third-party hacker posing as someone else (a client, a vendor or even a manager or president of the targeted company) via e-mail and requesting a wire transfer into a bank account.

This type of scam, which cost organizations $300 million every month in 2018, according to the U.S. Department of Treasury, is covered by a standard cyber insurance policy.

SS&C did not have a cyber policy, so it sought coverage under its professional liability policy for the losses it sustained when transferring those funds. AIG did pay for SS&C’s legal defense costs after Tillage Commodities sued, but refused to cover the $5.9 million in stolen funds.

According to court documents, AIG’s policy included a clause that it would not provide indemnity coverage for losses arising from “dishonest, fraudulent or criminal acts.”

What this means for your firm

While this case worked out for the insured party, businesses should not rely on their non-cyber insurance policies to continue paying claims. As costs for cyber attacks like ransomware, malware, stolen data and business e-mail compromise scams grow, insurers are increasingly including clauses that explicitly exclude coverage for those risks.

If you have any important company assets in digital form and/or make or receive payments online, it would be wise to secure a cyber insurance policy.

If you don’t, you can try to seek coverage under other policies. That may be difficult to obtain, but not impossible.

For example, if your company has D&O liability insurance and/or crime insurance, it may be able to seek coverage for any ransomware events since those policies will typically include coverage for kidnapping and ransom.

Some insurers are now providing — either deliberately or unintentionally — kidnapping and ransom coverage that applies to ransoms paid in response to cyber extortion. Among the events that these policies may consider cyber extortion are:

  • Threats to poison a computer system with malware.
  • Threats to change, damage or destroy programs or data stored on a system if the owner does not pay a ransom.

That said, many insurers who provide this coverage likely did not anticipate covering ransomware losses and have started changing their D&O and crime policies to specifically exclude ransomware.

Other insurers have added deductibles to the coverage, mirroring the terms of cyber policies, while others have capped the amount of business interruption coverage they will provide for cyber-extortion losses.

As Cyber Threat Mounts, More Companies Take Measures


As attacks on businesses’ networks continue increasing at unprecedented levels, cyber risks have become the top concern among organizations of all sizes for the first time, according to a new survey.

The “Travelers Risk Index” found that 55% of executives surveyed said they worry “some” or “a great deal” about cyber risks. That’s more than they worry about medical cost inflation (54%), employee benefit costs (53%), the ability to attract and retain talent (46%) and legal liability (44%).

The most common types of attack, and those that pose the biggest security threat to businesses, are phishing and fake e-mails. They are the hardest to combat because of the human factor involved, according to another survey, the “2019 Cyber Security Breaches Survey” published by the U.K. government.

In phishing e-mails, the cyber criminals will pose as colleagues or vendors to dupe an unsuspecting employee to hand over a password or click on a malicious link that will give them access to the company’s network.

In addition, ransomware has brought many businesses and government agencies to a standstill as the same technique is used to freeze an entire network and render it unusable until the company pays a ransom for a key to unlock the network.

As concerns about cyber threats have grown, more businesses say they are taking proactive measures to safeguard against cyber risks – even though a large percentage have not implemented preventive best practices.

The steps that companies are taking, according to the Travelers survey, are:

  • Purchasing a cyber insurance policy (51% of survey participants, up from 39% in the 2018 survey the insurer conducted).
  • Creating a business continuity plan in the event of a cyber attack (47%, up from 38%).
  • Taking a cyber-risk assessment for themselves (49%, up from 45%).
  • Taking a cyber-risk assessment for their vendors (41%, up from 37%).
  • Updating computer passwords (74%, up from 71%).

The fact is that a single cyber attack can put a company out of business. Taking the threat seriously and implementing a risk management program that addresses possible exposures can help a business not only avoid an attack, but also recover from one as quickly as possible.

How to lower the chances of an attack

The insurance company Chubb recommends the following steps to reduce the chances of a cyber attack on your organization:

Identify your sensitive data – Credit card and personally identifiable information is often the target of cyber attacks.

Educate your staff – Instruct your employees about cyber attacks and how to protect the network. The most important thing for them to remember is not to open attachments from people they don’t know or in e-mails they don’t expect. You should also post procedures for encrypting personal or sensitive information, and require them to change their passwords regularly.

Have security in place – You should have a web application firewall in place to protect your website, in addition to a firewall for your company’s network. If you accept credit card payments, you should have an e-commerce platform that is compliant with payment card industry data security standards Level 1.

Secure your hardware – Data breaches can be caused by physical property being stolen, too. If your servers, laptops, cell phones or other electronics are not secure and easy to steal, you are taking a big risk. Physically locking down computers and servers is a good idea.

Cyber insurance

As the cyber threat becomes more sophisticated and changes, cyber-insurance policies have evolved to meet businesses’ needs. There are many types of policies in the marketplace that are tailored for specific types of businesses. The key is getting a policy that best fits your organization and covers any eventualities that you may encounter.

Some coverages you may want to consider for inclusion in your cyber insurance are:

  • Business interruption – Covers the loss of business income due to a cyber attack.
  • Computer fraud – Covers theft of money, securities and other forms of tangible property through computer fraud and social engineering schemes.
  • Data breach – Covers claims of failure to protect personally identifiable information and protected health information of clients.
  • Property damage – Covers replacement cost of computers damaged by a cyber attack.
  • Identity theft expenses – These are related to the business owner or their employees after identity theft.
  • Advertising and personal injury – Covers damage caused by defamation on website or social media.
  • Transmission of virus or malicious content – Covers failure to stop the transmission of a computer virus or malicious content.
  • Errors and omissions – Covers loss caused by failure to provide proper network security.

Some policies are stand-alone products, while others are endorsements to existing policies like a business owner’s policy.