Seth is editor of The Northwest Policyholder, the firm's insurance coverage blog, where portions of this article previously appeared.
Surveys of C-suite executives continually rank cyber-related risks near the top of risk-management concerns. "Phishing," hacking, and cyber-ransom events are constantly in the news and are affecting companies of all sizes. Regulators are increasingly focusing on what companies are doing to protect themselves from these risks, including what insurance has been procured in case frontline defenses fail. The banking industry is no different and, as a result, cyber-security and cyber-risk management are becoming board-level concerns.
At the same time, bankers are rightly concerned about the resiliency of their customers and business partners from cyber-events. A key component of that resiliency is, of course, insurance. The insurance industry, for its part, is concerned about the scope of financial exposure from cyber-events, and has responded by creating specialized coverage forms to channel the risk toward products that are written specifically for cyber-risk and are underwritten and priced accordingly. Insurers are also pushing back at attempts to obtain coverage for new risks under traditional products.
With cyber-losses becoming a regular occurrence in the business world, litigation between policyholders and insurers about those losses is helping to illuminate some particular areas where vigilance is needed.
Social engineering fraud: make no assumptions about coverage. Social engineering fraud is perhaps the most common form of cyber-fraud today. This form of fraud usually involves a criminal sending an email that appears to be authentic from someone high-up in the company (such as the CFO or CEO) to someone inside the company who has the ability to wire funds, directing them to make a transfer for a legitimate-seeming purpose. The scammers sometimes create the fake email by hacking into the company's system, but often they merely create a dummy email using publicly available source information. The payment is made, usually to an offshore bank account, and once the funds are sent they are immediately transferred away and the account closed, erasing the criminal’s trail.
This may seem like a cyber-risk because of the use of email and wire instructions transmitted by computer, but if there is no actual hacking, the insurer will usually argue that it is not covered under typical cyber-coverage language. Crime policies (and in particular "Computer Fraud" coverage) also may seem like a sensible source of coverage for this kind of fraud, but insurers routinely contest such claims, arguing that exclusions for loss caused by an employee with authority to enter data, or exclusions for loss caused only "indirectly" by fraud, preclude coverage. For example, in a recent case a community bank in Minnesota had to go all the way to a federal appeals court to get coverage under a Financial Institution Bond for a phishing event. The insurer argued that it was the employees' failure to follow procedures, and not the criminal's deceptive e-mail or hacking, which caused the loss; fortunately the appeals court disagreed, holding that the "proximate cause" of the financial loss was indeed the criminals.
The lesson is not to assume that current policies will provide coverage for a social engineering fraud loss. Insurers are offering endorsements to crime policies that are tailored to these risks, and it also may be possible to negotiate changes to existing policies to remove problematic exclusions.
The cyber policy may not cover the biggest risks. We have been closely following P.F. Chang's attempt to get coverage for a massive data breach involving customer credit-card data. In that breach, hackers stole and then sold hundreds of credit card numbers, resulting in extensive credit-card fraud. The restaurant did not pay the costs to reissue the cards or cover the fraudulent charges itself–that was taken care of by a merchant services vendor, and then by Visa and MasterCard–but the merchant services vendor was by contract entitled to charge all of those costs back to P.F. Chang's.
P.F. Chang's looked to its cyber-insurer for coverage. The insurer paid most of the costs, but denied coverage for the fees levied by the merchant services vendor, relying on a provision in the policy excluding payments made because of a contractual obligation. The federal trial court hearing the dispute agreed with the insurer that the exclusion barred P.F. Chang's recovery of the fees that it had to pay the merchant servicer under the contract, even though the charges were levied expressly because of a data breach, which was otherwise covered.
The lesson is that all cyber policies are not the same, and must be evaluated very carefully against all aspects of the risks to the policyholder. For example, P.F. Chang's cyber policy did not contain coverage for PCI-DSS fees and assessments, which is available as an add-on to some policies and within the body of some other policies. But even adding coverage for PCI-DSS fees, or coverage for any specific risk, may not be enough, because of sub-limits applicable to the specific risk or because of how the coverage is defined. Also, the most significant liability risks facing many businesses come from suits or claims arising out of contractual relationships. Broad contract liability exclusions, if not amended, can seriously undermine the value of coverage, as demonstrated in the P.F. Chang's case.
Cyber-ransom coverage concerns are a lesson in the importance of the fine print: the definitions. Cyber-ransom (or cyber-extortion) is another increasingly common way for cyber-criminals to make a quick buck. A cyber-ransom event typically involves malicious code (malware) being installed on an individual computer or a system, typically through a phishing e-mail that contains an innocent-looking link (often to a legitimate site, such as Dropbox). The link however actually allows an executable file to run that loads malware onto the user's machine or system. Once inside, the malware encrypts the system, shutting it down or hobbling it significantly. The malware then sends a ransom demand to the affected user, offering to restore access to the system in exchange for payment ranging from a few hundred to thousands of dollars. But payment is usually demanded in bitcoins, the payment method of choice for those who operate in the "dark web."
Most cyber-insurance policies offer coverage for cyber-ransom events, but a recent ruling may give insurers an opening to deny coverage. In a money-laundering case in Florida state court, a trial judge recently held that bitcoin is not "currency" or "money," but is instead a currency substitute more akin to a commodity.
Why would that matter for coverage? According to Rick Zelinski, a broker at PayneWest Insurance in Spokane, the definitions in some cyber policies define "cyber-extortion costs" as payment of "money." The implication is that an insured that pays the ransom in bitcoins may encounter an insurer who argues that bitcoins are not "money," and refuses to pay benefits. The solution is to tailor the definitions language of the policy–the finest of the fine print–to make it clear that the intent is that payment of ransom in anything of value (including bitcoins) will trigger coverage.
Pay careful attention to the application. Many insurers require applicants for cyber-coverage to fill out a detailed questionnaire about their cyber-security practices, including vendor management, and then will incorporate that application into the policy as a "warranty" that the insured will continue to abide by those practices or risk losing coverage entirely. In a recent case, a hospital that had failed to monitor its IT vendor's cyber-security practices found itself in litigation with its insurer over such a "warranty." The insurer defended the hospital against a class-action for breach of privacy after medical records were made publicly accessible on the internet. After settling, however, the insurer turned around and sued the hospital to get all defense costs and settlement payments back, based on the hospital's breach of a "warranty" in the application that the hospital's vendors would comply with security best practices. That is not a situation that any policyholder would enjoy. Applications for insurance are serious business, and particularly so with regard to cyber-risks.
Conclusion. With cyber-risk, as with any evolving risk-management issue, prevention must be accompanied by attention to insurance. Monitoring the evolving world of insurance may lack the excitement of new software or yield the immediate benefits of training or heightened security procedures, but it is a critical part of the business landscape. Taking proactive steps to make sure that cyber-insurance fits the risks as much as possible will avoid headaches down the road.