Should insurance companies be on the hook to cover losses for cyberfraud?
If you are the victim of a business email compromise (BEC) and are induced to wire-transfer a client’s funds to the wrong account, who pays for the damages? And if you have insurance, can you force your insurer to pay the claim? A New York federal judge ruled on Jan. 29 that a general liability insurance policy covered losses to an investment adviser who relied on spoofed emails and wire transferred virtually all of the funds of their client to some unknown entity in Hong Kong. This reflects two recent trends: the use of spoofed emails with fraudulent wire transfer instructions to commit massive frauds and the refusal by insurance companies to pay claims related to electronic fraud and thefts. As a result, companies doing business online are hit by a double whammy—they get ripped off first by scammers and then by their insurer. It also demonstrates that you need to both secure and authenticate your email (inbound and outbound) and read your insurance policies. Carefully.
SS&C Technologies Holdings, Inc. (“SS&C”) is a New York-based investment adviser who manages investments for a lot of different companies, including Tillage Commodities Fund, L.P.
In March 2016, unknown third parties used stolen credentials to initiate a series of fraudulent wire transfers from a bank account owned by Tillage but managed by SS&C. Criminals used “spoofed” e-mail addresses to send forged transfer requests to SS&C. SS&C received the wire transfer requests and, believing them to be from Tillage, processed them according to the terms of its contract with Tillage. Over 21 days, six fraudulent requests for transfers were made in this fashion, with SS&C transferring approximately $5.9 million of funds from Tillage’s account to third-party bank accounts in Hong Kong.
Although SS&C ultimately discovered the fraudulent scheme, alerted authorities, worked with the Hong Kong police to foil an additional transfer attempt and cooperated with Tillage in an effort to recover the stolen funds, Tillage filed suit against SS&C in New York Supreme Court, styled Tillage Commodities Fund, L.P. v. SS&C Technologies, Inc., No. 654765/2016 (Sup. Ct., N.Y. Cnty.) Tillage alleged that SS&C was grossly negligent in handling Tillage’s funds and consequently breached its services contract. The parties ultimately settled in a confidential settlement for breach of contract.
We’ve Got You Covered?
But wait. SS&C had insurance from AIG. Within a few days of learning of the spoof, SS&C notified AIG of the case and ultimately filed a claim for reimbursement of the amount of the settlement with Tillage.
AIG refused to pay. AIG asserted that the policy with SS&C didn’t cover things such as “any negligent act, error or omission, misstatement or misleading statement in the Insured’s performance of Professional Services for others,” and since Tillage alleged that SS&C’s performance of the contract was “grossly negligent,” it wasn’t covered.
AIG also asserted that the policy didn’t cover any claim “alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law[.]”
In addition, AIG asserted that the coverage did not apply to claims “alleging, arising out of, based upon or attributable to . . . deceptive business practices [and] . . . false advertising and misrepresentation in advertising,” respectively.
But wait, there’s more: AIG also asserted that the brokerage had no coverage for losses relating to “the monetary value of any electronic fund transfer or transaction by an Insured or on an Insured’s behalf, which is lost or diminished during transfer into, out of or between an Insured’s [SS&C’s] accounts.”
AIG also refused to pay claims “for amounts SS&C agrees to pay pursuant to a contract, such as liquidated damages, setoffs, or penalties.” Since SS&C agreed to settle the claim of negligence and entered into a confidential settlement agreement (a contract) and since the liability arose out of a breach of another contract, AIG asserted that they did not have to pay the claim.
We’re not done yet—AIG had even more reasons not to pay the claim, asserting that the coverage did not apply to any claim “alleging, arising out of, based upon or attributable to the exercise of any authority or discretionary control by an Insured with respect to any client’s funds or accounts. Provided, however, that this exclusion shall not apply to any Claim arising out of your performance of Professional Services. Notwithstanding the foregoing sentence, it is expressly understood and agreed that there shall be no coverage for the monetary value of any funds lost due to the Insured’s exercise of such authority or discretionary control.”
Since the company lost client funds over which it had “authority and discretionary control,” it had no coverage, right?
No soup for you!
Ultimately, the New York federal court ruled that AIG had to pay the claims and that these “exclusions” did not apply to the losses. But it involved several lawsuits and many innocent trees gave their lives.
The Lord Giveth and Taketh Away
An insurance policy, whether a general casualty and liability policy, a cyber fraud policy, a data breach policy, a kidnap ransom and extortion policy or whatever, is intended to assign risk for certain “covered losses.” Insurance is a critical part of security and risk mitigation, which is often overlooked by cybersecurity professionals who focus on things such as pen testing, access control and other technological security measures. But security is only one part of defining and mitigating risk. Risk is broader than security. In encompasses examination of vulnerabilities (technological, physical and human), impact (likelihood of exploitation of the vulnerabilities and likely harm of damage—including regulatory and legal damage if exploited), criticality (a subset of impact) and mitigation, including technical mitigation, contractual (limitations of liability, assigned risk) and of course, insurance. The key is that you effectively identify risk, determine business impact, and mitigate some of that risk by assigning it to others, partly through insurance.
But insurance policies—particularly as they apply to “cyber”—are a Swiss cheese of coverages, riders and exclusions. So you may be “covered” for physical damage to computers or data, but not covered if the data is not “physically” damaged. And what does that mean, anyway? You may or may not be covered for things such as reputational damage resulting from the public exposure of personal information about key personnel resulting from a hack, but have coverage for the same acts as they apply to corporate trade secrets. You may have coverage for the impact of ransomware but have no coverage if you decide to actually pay the ransom. Or vice versa. If you suffer a data breach that causes harm to consumers, you may have coverage for your own losses (cost of investigation and repair) but not for the losses of the consumers that you ultimately may have to pay for.
Reading and understanding insurance policies is a fine art. Unfortunately, it’s also a much-lost art. There are many traps in insurance policies for the unwary. For example, as part of the application process for insurance, the insurer may inquire whether you have an effective information security program/policy in place and may ask some questions about the program. If years later you have what would otherwise be a covered claim, they may deny coverage because you falsely told them that your information security program was “effective” and the fact that you had a loss proves that it wasn’t. Isn’t that special?
I Will Gladly Pay You Tuesday for a Hamburger Today
The whole point of having insurance is that you pay premiums today to cover possible losses at some later date. When insurers refuse to pay claims, as they are increasingly doing for cyber-related losses, this messes up the balance. One problem is that the definitions in these policies don’t always neatly fit within the facts of what later happens in the claim. When the Hong Kong hackers spoofed the client’s email and induced the broker to wire transfer the funds, was this a “fraudulent” or “criminal” act? Sure was. But not a fraudulent or criminal act of the broker. Was it a “negligent” act of the broker? Maybe, but not in connection with handling the decisions of how or where to invest. If a burglar broke into the offices of the company and stole the client’s money (effectively that’s what happened), would that loss not be covered because the broker was “negligent” in not having better security to prevent the burglar from breaking in?
Insurers under a policy typically have two separate duties: a duty to defend (if you get sued because of a covered loss, they represent you) and a duty to indemnify or insure (to pay covered claims). When reading insurance policies, particularly with respect to duties to defend, courts typically will read the policy broadly to cover claims and read exclusions narrowly in favor of providing coverage. They don’t like picking nits. If it looks like the loss is covered, the court will likely cover it.
The problem is uncertainty. Even if you think you have coverage (and are paying for it), your carrier may not think you have coverage (or may decide that you don’t only when you file a claim). In fact, insurance carrier Lloyds of London has mandated that all of its policies issued after Jan. 1, 2020, address what is called “silent” cyber risks. As the company explains: “Lloyd’s is mandating that all policies provide clarity regarding cyber coverage by either excluding or providing affirmative coverage.” It continues: “All first party property damage risks incepting on or after 1 January 2020, regardless whether written on an ‘All Risks’ basis or as ‘Named Perils’, must contain policy language which is explicit as to whether coverage exists or is excluded in respect of losses caused by cyber risks.” This is what passes for “clear language” in the insurance industry.
Lloyds goes on to define or attempt to define “cyber” as “losses [which] are cyber-related, arising from either malicious acts (e.g. cyber-attack, infection of an IT system with malicious code) or non-malicious acts (e.g. loss of data, accidental acts or omissions) involving either tangible or intangible assets.” Well, I’m glad we straightened that out.
In the Room Where It Happens
The problem is exacerbated by the fact that insurance purchasers, like insurers themselves, are unschooled in cyber-risk. The risk officer, lawyer or other person in the company buying the policy has little experience in the kinds of losses that happen in the cyber world. DDoS? Is that an operating system? SIM swaps? A video game. Ransomware? A new clothing trend? Account takeover? A 1980’s movie with Michael Douglas? That’s why we need to get cybersecurity people in the room with lawyers, risk managers and insurers to read over the policies and fill in relevant gaps.
The worst thing you can do is to think you have coverage and only find out that you don’t when you file a claim—well, that and wire transfer a couple of million bucks of your client’s money to Hong Kong.