As first reported yesterday by my colleague Michael Levine, Tesco Bank (owned by Britain’s biggest retailer) stopped online transactions on Monday after hackers stole money from 9,000 accounts. Tesco Bank has begun refunds, the total cost of which will exceed $3 million. Experts estimate that the biggest hit to the bank will come in the form of reputational damage.
The bank’s financial and reputational losses should be covered under a comprehensive insurance scheme that addresses the risks most common to financial institutions: hacking, social engineering schemes, and ransomware. Many policyholders, however, have struggled to secure bargained-for coverage under similar circumstances.
For example, courts are divided on whether the emails that are commonly part of social engineering schemes are the “direct” cause of loss necessary to trigger coverage. Compare State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456, 460 (8th Cir. 2016) (coverage where third-party criminal use of malware was the “direct” cause of the loss) with Apache Corp. v. Great Am. Ins. Co., No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016) (no coverage where email was merely an incidental part of the scheme and, thus, was not a “direct” cause of the loss) and Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675, 682, 37 N.E.3d 78 (2015) (third-party use of computer system to submit fraudulent claims not direct cause of loss); see also Medidata Solutions Inc. v. Federal Insurance Co., No. 1:15-cv-00907-ALC (S.D.N.Y. Sept. 9, 2015) (insurer arguing on summary judgment that policy did not cover social engineering losses where fraudulent emails induced a voluntary transfer of funds).
Also, losses assumed to be covered may not be. For example, we have reviewed popular cyber policies that lack coverage for ransom to restore system access, a growing concern in the financial sector.
And, even when there is coverage, the sector may risk suits for rescission by insurers based on representations made in insurance applications. Those applications frequently inquire about the applicant’s cyber protections. But nearly 34% of financial businesses are unaware of whether they have been the victim of a cyber-attack, and 22% have no sense of whether attacks against their businesses are increasing or decreasing. Lack of knowledge and inadvertent misrepresentations about cyber protections and attack history could be used against the insured to avoid coverage. See, e.g., H.J. Heinz Company v. Starr Surplus Lines Insurance Company, No. 15-cv-0631 (W.D. Pa. Feb. 1, 2016) (on appeal) (rescinding coverage for $25 million in business interruption losses on grounds that insured had made unintentional material misrepresentations about claims history in insurance application).
To protect against these risks, financial institutions should partner with knowledgeable brokers and experienced coverage counsel. With the right team, the insured has a better chance of finding the right policy, with the right coverages, to protect against cyber crime.