There is a growing trend within the global insurance industry for insurers to back away from their cyber insurance policies, usually when faced with potentially massive losses. The latest insurer to dispute the meaning of terms in its own cyber policy is AIG, which is contesting a breach of contract lawsuit filed in August in the Southern District of New York. AIG says its cyber insurance plan does not cover "criminal acts," which is how it characterizes a cyber incident that cost the multi-billion-dollar financial technology company SS&C Technologies nearly $6 million. On that basis, the insurer wants the lawsuit dismissed.
When is a cyber attack not really a cyber attack?
In many ways, the case involving SS&C Technologies and AIG should be black and white, not gray. In 2016, SS&C Technologies was the victim of a cyber attack in which hackers, believed to be Chinese, duped the company out of $5.9 million. Spoofed emails purporting to come from one of the company's clients, Tillage Commodities Fund, instructed SS&C to make six wire transfers to an unknown account holder in Hong Kong. This is the classic business email compromise (BEC) scam, in which an attacker impersonates a trusted counterparty over email so that a legitimate-looking payment instruction routes funds into an account the attacker controls. No malware or system intrusion is needed; the attack succeeds as long as the recipient trusts the message and acts on it. So, in theory, this is exactly the type of incident that should have been covered under the AIG cyber insurance policy.
But there is one problem: SS&C Technologies acknowledged that the funds were "stolen" rather than "lost," and in AIG's reading that single word turned the cyber incident into an excluded criminal act. In short, says AIG, criminals stole the $5.9 million from a client account, so the cyber insurance policy no longer applies. According to AIG, the policy covers losses from traditional cyber attacks (for example, a DDoS attack taking the company's servers down for days), not losses from a theft carried out by deception. Thus, as AIG told the court in the Southern District of New York, it should not be found liable for breach of contract: an event in which a company was defrauded by suspected Chinese criminals simply is not covered by the policy.
Which is not to say that AIG has paid nothing under the policy, which covered losses up to $10 million. Ever since Tillage Commodities Fund took legal action against SS&C to recover its funds (which had been wired to the attackers' account in Hong Kong), AIG has been paying legal costs, including a confidential settlement payment between SS&C and Tillage. As AIG saw it, however, asking the insurer to go the next step and reimburse the full loss was simply too much. That led AIG to file a motion to dismiss: it says that declining to cover the loss itself is not a breach of contract.
The problem of lax cybersecurity defenses
Moreover, as more details of the case emerge, it is clear that SS&C Technologies lacked even the most basic defenses against this kind of fraud. For example, one request to wire $3 million to a Hong Kong bank account consisted of a one-line pleasantry ("How was your weekend?") followed by the payment details. Other emails came from a lookalike sender address in which the client's name was misspelled as "Tilllage" instead of "Tillage," a one-character difference that a routine comparison of the sender domain against the firm's known client domains would have caught. Others contained awkward syntax, grammatical errors and nonsensical sentence construction. In short, it was the sort of shoddy, second-rate phishing email that is all too common these days. Surely anyone with a modicum of common sense would have seen through this scam, right?
And, to make things even more damaging from AIG's perspective, SS&C failed to follow its own internal policy, which clearly stated that any wire transfer had to be authorized by four different people. This is exactly the sort of basic control that could have prevented the fraudulent transactions: at some point, one of four reviewers should have questioned the request and stopped the wire. A four-person rule is only as strong as its enforcement, though. If the payment system does not itself refuse to release funds without four distinct sign-offs, the control lives in a policy document rather than in the workflow. Thus, from AIG's perspective, SS&C Technologies failed to exercise even a modicum of care and responsibility. How could SS&C Technologies even argue that the funds were "lost" and not "stolen"?
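The two controls the last two paragraphs describe, a lookalike-domain check on the sender and an enforced four-person approval before a wire is released, are small enough to show in code. The block below is an added example written for this page; it is not code from SS&C, AIG or the court record. The trusted domains, the "known beneficiary" account identifiers, the approver names and the sample wire request are all constructed for illustration, and the real addresses and accounts in the case are not on the page. It goes slightly beyond the text by also holding any transfer to a beneficiary that has never been verified out of band, which is the usual third leg of a BEC defense.

```python
"""Pre-release checks for an emailed wire instruction (added example).

All sample data here is constructed for illustration; none of it comes
from the SS&C / Tillage case itself.
"""
from dataclasses import dataclass, field

# Constructed: domains the firm has verified belong to its clients.
TRUSTED_DOMAINS = {"tillage.com", "examplefund.com"}
# Constructed: beneficiary accounts previously confirmed with the client by phone.
KNOWN_BENEFICIARIES = {"HK-ACCT-000123"}
# The internal policy described on the page: four distinct approvers per wire.
REQUIRED_APPROVERS = 4


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address, lowercased (the part after the last '@')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'trusted' for a verified client domain, 'lookalike' when the domain is
    within max_dist character edits of one (e.g. tilllage.com), else 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, good) <= max_dist for good in trusted):
        return "lookalike"
    return "unknown"


@dataclass
class WireRequest:
    sender: str            # From: address of the instructing email
    amount_usd: float
    beneficiary: str       # destination account identifier
    approvers: list = field(default_factory=list)   # staff who signed off


def review_wire(req: WireRequest) -> list:
    """Return the reasons the wire must be held; an empty list means release."""
    reasons = []
    verdict = classify_sender(req.sender)
    if verdict != "trusted":
        reasons.append(f"sender domain {sender_domain(req.sender)} is {verdict}")
    distinct = len(set(req.approvers))   # the same person signing twice does not count
    if distinct < REQUIRED_APPROVERS:
        reasons.append(f"{distinct} distinct approver(s); policy requires {REQUIRED_APPROVERS}")
    if req.beneficiary not in KNOWN_BENEFICIARIES:
        reasons.append("beneficiary never verified out of band; call the client on a known number")
    return reasons


if __name__ == "__main__":
    # Constructed request modelled on the page's description: a lookalike
    # sender, a new Hong Kong account, and only two people signing off.
    suspicious = WireRequest("ops@tilllage.com", 3_000_000, "HK-ACCT-999999", ["alice", "bob"])
    for reason in review_wire(suspicious):
        print("HOLD:", reason)
```

The edit-distance check catches the "Tilllage" style of lookalike but not a visually confusable domain that uses characters from another script, nor a registered domain that differs by a whole word; those need Unicode confusable normalization and a maintained block list. The decisive control is still the last one: a new beneficiary is never paid on the strength of an email alone.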
Cyber insurance companies look for new ways to avoid paying claims
While AIG's position has some legitimate basis, it is also part of a more disturbing trend in which major insurers sell expensive cyber insurance policies to multinational companies with, it seems, no intention of ever paying out when something really bad happens. A cyber policy might cover a minor business continuity issue if systems go down because of a software glitch, but when millions of dollars are at stake, you can rest assured that the legal definition of every word in the contract will be scrutinized for a way to avoid paying the claim.
Case in point: Zurich Insurance is embroiled in a high-profile legal dispute with Mondelez International, which was knocked offline in 2017 by the NotPetya malware (a destructive wiper disguised as ransomware). Mondelez argues that this was exactly the sort of business continuity event its policy was meant to cover: a safety net in case a virus, bug or piece of malicious code ever took the company offline. Not so fast, said Zurich, which contends that NotPetya was a "hostile or warlike action" by a government or sovereign power, pointing to the US and UK governments' attribution of the attack to Russia and to its targeting of Ukraine, where it spread through a compromised update to the M.E.Doc accounting software. And, as you might have guessed by now, Zurich's policy excluded acts of war, just as AIG's cyber policy excluded criminal acts.
Is cyber insurance really worth it?
All of this raises a fundamental question: is cyber insurance really worth it? If any major claim is going to be denied on some legal pretext, the case for paying the premiums weakens considerably. Moreover, as the SS&C example shows, a cyber insurance policy can introduce an element of "moral hazard." Instead of enforcing its own payment-approval controls, training staff to recognize phishing and lookalike sender domains, and verifying new wire instructions with the client over a known phone number, SS&C Technologies simply coasted on the idea that anything bad would be covered by insurance. None of those controls is exotic or expensive, and none is replaced by antimalware software, because a BEC email carries no malicious payload to detect.
Going forward, it will be interesting to see what happens in the global cyber insurance market. At some point there will need to be a standardized definition of how each type of cyber attack is classified and under what conditions a policy responds. Until that happens, it looks like insurers will continue to wiggle out of their obligations.