Cyber insurance doesn't cover what you might think
Posted on 09/19/2016 at 09:24 AM by John Lande
This blog has been following a number of lawsuits between insurance companies and their insureds over who is responsible for covering cyber-attack losses. Yet another example comes from Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America.
Whenever an organization buys insurance, it is important to make sure that the insurance covers the organization’s actual practices. Aqua Star learned this lesson the hard way when it discovered that payments it thought it was sending to a supplier were really going to a fraudster’s bank account.
Hackers monitored email between Aqua Star, a seafood importer, and Zhanjian Longwei Aquatic Products (“Longwei”), a vendor. After watching email between the two companies, the hackers started to impersonate Longwei. The hackers eventually instructed Aqua Star to start sending its payments for Longwei to a new bank account. Aqua Star ended up sending the fraudsters over $700,000 before the fraud was uncovered.
Aqua Star sought coverage under its insurance policy, which provided coverage for “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.” The insurance company denied Aqua Star’s claim, arguing that an exclusion in the policy applied.
Travelers argued that the policy excluded losses resulting from voluntary acts of employees who have access to Aqua Star’s computer system. According to Travelers, the loss resulted from an Aqua Star employee’s decision to reroute deposits to the fraudulent bank account.
The court agreed with Travelers. The court explained:
[T]he entry of Electronic Data into Aqua Star's Computer System was an intermediate step in the chain of events that led Aqua Star to transfer funds to the hacker's bank accounts. Because an indirect cause of the loss was the entry of Electronic Data into Aqua Star's Computer System by someone with authority to enter the system, Exclusion G applies.
Since the court concluded that there was no coverage based on the policy’s exclusions, there was no need for the court to address whether Aqua Star’s loss was covered by the computer fraud policy provision.
This case is consistent with other cases where insurance companies have denied coverage for email “ghosting” attacks, previously covered by this blog, because authorized employee conduct was necessary for the fraud to occur. While there have been some rulings in favor of insureds in these cases, the trend appears to be toward holding insureds liable for the voluntary acts of employees.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.