Coverage Disputes Over Online Attacks Grow

​Coverage Disputes Over Online Attacks Grow

A federal court has ruled that an insurer's professional liability policy must pay out $6 million for a company's losses from a business e-mail compromise scam, even though the business lacked cyber coverage.

The ruling is part of a growing trend of businesses that haven't purchased cyber insurance seeking coverage for cyber-related losses from other policies they do have, such as business liability, professional liability, and directors & officers (D&O) coverage.

Seeking coverage for cyber losses and for e-mail compromise scams from other than cyber policies is not often successful, and whether the insurer will pay out can depend on the nature of the loss.

​In this latest case however, a judge in the U.S. District Court in the Southern District of New York ruled that American International Group must cover $5.9 million that a company had been duped out of by Chinese hackers in 2016. 

AIG had disputed the claim saying that the professional liability policy the business had does not cover "criminal acts," adding that it had never sold the company a cyber policy.  

These disputes are becoming more common and you should pay attention to your policy exclusions, as well as consider cyber insurance, if you have assets that could be exposed through a cyber attack or fraud.
 
How was the business scammed?

SS&C Technologies received spoof e-mails that purported to come from one of the company's clients, Tillage Commodities Fund, a commodities investment firm. The e-mails instructed the company to make six wire transfers to a bank account in Hong Kong.

The scammers masqueraded as Tillage employees with e-mail addresses that spelled "Tillage" as "Tilllage."

But according to court documents, there were telltale warning signs that the e-mails were fishy:

• One e-mail asking SS&C to wire $3 million contained only the words "How was your weekend?" and then the wire transfer details.
• E-mails included grammatical errors and unusual syntax like "Let's round up business today."

Based on the above, staff at SS&C were not too diligent in looking out for possible business e-mail compromise scams involving a third party hacker posing as someone else (a client, a vendor or even a manager or president of the targeted company) via e-mail and requesting a wire transfer into a bank account.

This type of scam, which cost organizations $300 million every month in 2018, according to the U.S. Department of Treasury, is covered by a standard cyber insurance policy.

SS&C did not have a cyber policy, so it sought coverage under its professional liability policy for the losses it sustained when transferring those funds. AIG did pay for SS&C's legal defense costs after Tillage Commodities sued, but refused to cover the $5.9 million in stolen funds. 

According to court documents, AIG's policy included a clause that it would not provide indemnity coverage for losses arising from "dishonest, fraudulent or criminal acts."
 
What this means for your firm?

While this case worked out for the insured party, businesses should not rely on their non-cyber insurance policies to continue paying claims. As costs for cyber attacks like ransomware, malware, stolen data and business e-mail compromise scams grow, insurers are increasingly including clauses that explicitly exclude coverage for those risks.

If you have any important company assets in digital form and/or make or receive payments online, it would be wise to secure a cyber insurance policy. 

If you don't, you can try to seek coverage under other policies. That it may be difficult to obtain, but not impossible.

For example, if your company has D&O liability insurance and/or crime insurance, it may be able to seek coverage for any ransomware events since those policies will typically include coverage for kidnapping and ransom. 

Some insurers are now providing - either deliberately or unintentionally - kidnapping and ransom coverage that applies to ransoms paid in response to cyber extortion. Among the events that these policies may consider cyber extortion are:

• Threats to poison a computer system with malware.
• Threats to change, damage or destroy programs or data stored on a system if the owner does not pay a ransom.

That said, many insurers who provide this coverage likely did not anticipate covering ransomware losses and have started changing their D&O and crime policies to specifically exclude ransomware.

​Other insurers have added deductibles to the coverage, mirroring the terms of cyber policies, while others have capped the amount of business interruption coverage they will provide for cyber-extortion losses.