Insurance companies don't want to pay for your cyber losses

John Lande | Iowa Banking Law | Iowa Cybersecurity Law | Dickinson Law, Des Moines, Iowa

Posted on 08/30/2016 at 12:00 AM by John Lande

This blog has been following litigation between insurance companies and their insureds over who is responsible for paying for losses from cyber-attacks. In one case, the court ruled that a financial institution’s bond covered cyber-attack losses, while in another case a court ruled that a “cyber policy” did not cover cyber-attack losses.

There has been a flurry of other lawsuits between insureds and their policy providers over cyber-attack losses. Many of the cases involve a threat that this blog has previously covered, known as email ghosting. In an email ghosting scheme, fraudsters mimic emails from members of an organization to convince employees to provide confidential information or transfer money to the fraudsters.

One recent example involved Medidata Solutions, Inc., a New York-based company that works with biotechnology companies. Employees in Medidata’s accounts payable department received a series of emails from someone who claimed to be an executive at Medidata asking the employees to transfer money. The email put the employees in contact with someone who claimed to be a Medidata attorney. The fake attorney actually spoke on the phone with a Medidata employee and instructed the employee to send approximately $4.7 million to a bank account in China. After some initial reservation, three Medidata employees cooperated to initiate the transfer of funds. When the fraudsters made a second request for $4.8 million, the employees finally called the executive the fraudsters were impersonating, and the fraud was revealed.

Medidata made a claim against Federal Insurance Company under the “Computer, Fraud, Funds Transfer Fraud, or Forgery” clause of the insurance policy. Federal Insurance denied coverage.

The foundation of Federal Insurance’s argument is that the loss was not the result of a computer breach and that Medidata’s employees voluntarily transferred money to the Chinese bank. Federal Insurance primarily relies on two clauses of the policy for its argument.

First, the policy provides that Federal Insurance is not liable for losses resulting from computer fraud committed by any of Medidata’s employees. Federal Insurance argues that if any fraud did occur in this case it was fraud committed by the employees because the employees were the ones to make the transfer.

Second, Federal Insurance argues that the employees’ conduct was an intervening cause of the loss. While the fraudsters were responsible for starting the events that led to the loss, the employees could have stopped the fraud before it actually resulted in any loss. This argument is very similar to the argument made by the bond carrier in a case previously covered by this blog—State Bank of Bellingham v. BancInsure, Inc.

The case between Medidata and Federal Insurance is still in the early stages of litigation. However, it is a good example of the issues that can arise between an insured and an insurance company even when it looks like the insurance policy covers cyber-attack losses.  

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

