Financial institutions are one of the entities most threatened by cyber crisis events. As data breaches and cyber threats become more inventive, the risks to financial institutions and their clients continue to grow. However, as recent studies have established, no commercial area is free from a data breach or cyber attack. Policyholders and insurers must be proactive in regard to understanding the threats and risks involved with data breach.

Background First Commonwealth Bank’s (FCB’s) client was the victim of malware that allowed a hacker to gain access to the client’s computer systems. The hacker was able to obtain a senior vice president’s online banking user name and password and accessed the client’s bank accounts with FCB. During three unauthorized wire transfers ($2,158,600, $76,520 and $1,350,000), monies were sent to Krasnodar, Russia; Upper Darby, PA; and Belarus, respectively. An intermediary bank caught the Upper Darby transfer and FCB was able to recover the $76,520. Unfortunately, the Russian and Belarusian transfers went through undetected.

Two days after the Upper Darby transaction was detected, FCB’s client demanded an immediate refund/credit of the withdrawn funds. Within four days of the detected transfer, FCB refunded its client the amount of $3,508,600. FCB subsequently notified its general liability insurer about a month after the events took place.

After receiving a denial of coverage based on the voluntary payment condition under the general liability policy at issue (the Policy), FCB and its parent corporation commenced a declaratory judgment coverage action in the U.S. District Court for the Western District of Pennsylvania, First Commonwealth Bank v. St. Paul Mercury Insurance Company (W.D. Pa, Civil Action No. 14-19, Oct. 6, 2014).

Findings of the Court In response to the complaint, St. Paul filed a motion to dismiss. The basis of the motion to dismiss was that FCB voluntarily reimbursed its client for the unauthorized transfers without first obtaining St. Paul’s consent as required under the Policy. After reviewing the Policy’s Defense and Settlement provision, which contained the voluntary payment condition, the court denied the motion to dismiss. The court found that FCB did not allege that it had made a voluntary payment. Rather, the complaint’s allegations asserted that FCB was required by law to refund their client pursuant to one of Pennsylvania’s anti-fraud statutes, 13 Pa. C.S.A. § 4A204(a). Additionally, in response to the motion to dismiss, FCB argued that the payment was not a voluntary effort but demanded by the client and required under Pennsylvania law.

The court further found that the mandate of the state’s statute was an “outside influence that interfered with the restrictions imposed” on FCB by the general liability policy. Based on its findings, the court was unable to agree that FCB’s payment to its client was voluntary. Additionally, the court distinguished previous decisions enforcing the voluntary payment provision finding that the cases cited did not “involve a bank’s legal and statutory obligation to refund a client when an unauthorized wire transfer has been made or any other situation where the insured’s act of paying a claim was compelled by law or other outside influences.”

Practice Pointer The FCB decision will be closely scrutinized as it raises complicated issues regarding coverage for cyber risks under general liability policies. As companies, brokers and insurers continue to develop a better understanding of the risks and exposures involved with data breaches, whether malicious or accidental, standard insurance portfolios must be reviewed and developed to provide proper protection. Moreover, as the regulatory environment quickly changes and develops responses to data breach risks, companies, brokers and insurers must be prepared to properly and quickly respond to cyber crisis events.