Many companies that have both commercial crime and cyberliability insurance policies are learning, to their surprise, that they may not be fully covered if their employees fall for social engineering scams.
While the horror stories of data breaches are reported on a near-daily basis, many companies are struggling to keep up with the types of breaches, and whether they are adequately insured in the event their company suffers a breach. One of the more worrying developments has been a steady increase in social engineering scams. In particular, phishing and spear phishing scams—when criminals target the trust of a company’s employees and trick the employees into transferring the company’s money, bank account or other financial information to the criminal—have gained momentum in recent years. Experts estimate that phishing and related identity theft attacks have a $5 billion impact worldwide.
In a common phishing scenario, an employee receives an email that appears to be from an individual or business that the employee would know and trust. The employee is then deceived into transferring the company’s money to a malicious third party. In addition to tricking innocent employees into disclosing confidential information, phishing attacks may be used to steal electronic credentials for a company’s network or to insert malware into it, either of which may allow criminals to access, damage or assert control over the network. In recent surveys, one in three companies reported that their executives fell for a scam email that appeared to come from the company’s CEO. In 2016, 85 percent of companies reported being the victim of some type of phishing attack. Estimates put the average value of a successful attack at about $1.6 million. Increasingly, the question appears to be not whether a company will suffer a phishing attack, but when, and how large the loss will be.
Generally, commercial crime and fidelity bond policies insure against direct first-party losses of property (such as money and securities) caused by specified criminal, fraudulent or dishonest activity. Cyberliability policies generally insure against first-party breach-response, investigatory losses, and third-party legal liability as a result of data security breaches and any related disclosure of private information.
But as companies face increasing losses because of cyber attacks, insurers are pushing back more aggressively against claims for financial and property losses caused by phishing scams. For companies that have both commercial crime and cyberliability coverage, insurers are attempting to exploit gaps, broadly interpret exclusions, and narrow coverage to limit their exposure.
Although phishing losses look a lot like a traditional theft of property, crime and bond insurers have contested coverage, asserting that the payments were “authorized” by the innocent employee and therefore not covered. In addition, first-party coverage under a cyberliability policy may not include replacement of lost money or property. In some instances, courts have agreed, differentiating covered data breaches from non-covered phishing schemes, even where the employees were misled into making the payments. Companies may believe that a theft as a result of phishing is the kind of loss that their crime policy or broad cyberliability policies are intended to cover, but many are surprised to learn that there is a potential gap in coverage.
This very issue is currently being litigated in the U.S. Court of Appeals for the Ninth Circuit between Aqua Star Corporation and its insurer, Travelers Casualty and Surety Co. According to documents filed in the litigation, Aqua Star’s vice president received an email, purportedly from a vendor, informing Aqua Star that, as a result of tax issues with the Chinese government, all payments to the vendor should be made through a Japanese bank account held by one of the vendor’s subsidiaries. Aqua Star wired four payments to the fraudulent Japanese account and another phony account before learning of the fraud. Then Aqua Star tendered a claim to Travelers under its crime insurance policy, but Travelers denied coverage. Litigation followed.
The district court ruled in favor of Travelers, finding that coverage was barred by an exclusion for losses “resulting directly or indirectly from the input of electronic data” by a person with authority to enter the insured’s computer system. Aqua Star appealed, arguing that the exclusion is not meant to apply to “routine, innocent” entries of electronic data into its computer systems. Aqua Star also argued that coverage should be available where a policyholder is duped into making voluntary transfers to a fraudulent enterprise. How the Ninth Circuit will rule remains to be seen.
This coverage gap could become the Mariana Trench of cybercrime loss coverage, but there may be ways to bridge the gap. For instance, some crime and bond insurers are offering specific “social engineering loss” endorsements intended to cover losses that arise if an employee falls for a phishing scam and authorizes a transfer of money to a fraudulent account. This coverage may not be available from all insurers and may vary in scope. The first-party coverage available under cyberliability policies—which continue to evolve rapidly—varies widely, and companies should review their policies carefully to determine the potential scope of coverage in the event of a loss. In addition, companies may already have limited forms of first- and third-party cyberliability insurance, via endorsements to other traditional insurance policies (such as first-party property insurance).
Finally, companies that have, or intend to purchase, commercial crime and/or cyberliability insurance should undertake a holistic review of all of their insurance policies and consult with coverage counsel to make sure they are specifically insured against losses from phishing and other social engineering attacks. A comprehensive coverage review can spot these and other gaps in corporate insurance programs.