As Benjamin Franklin said, “[o]ne ounce of prevention is worth a pound of cure.” Canada’s businesses are taking this to heart. According to the Canadian Survey of Cyber Security and Cybercrime, released on October 15, 2018, Canadian businesses spent an estimated $14 billion on cyber security and over one-fifth of Canadian businesses had been impacted by a cyber security incident in 2017 (earliest year data was available). Prevention, indeed. Canadian businesses are increasingly investing in upfront cyber security measures.
Despite an organization’s best efforts, a cyberattack is always lurking on the other side of human error. Organizations can mitigate the impact of a cyberattack by purchasing the right type of cyber insurance. Many organizations believe that cyber riders and add-ons to their existing insurance coverage are sufficient to protect against a cyberattack. This mistaken belief can be costly, leading to coverage gaps and significant uninsured losses.
Organizations are learning this lesson the hard way, as the case law covered below reveals. Forward-thinking businesses are turning to comprehensive standalone cyber insurance, which is tailored toward the particular risks associated with a cyberattack. The best policies take a targeted approach to cybercrime, providing thorough incident response and covering many harms caused by the latest criminal tactics.
Courts are only now beginning to wrestle with the contours of cyber coverage, and recent decisions demonstrate that the “add on” approach leaves businesses exposed.
Dentons v. Trisura
In Dentons Canada LLP v. Trisura Guarantee Insurance Company (“Dentons”), the Ontario Superior Court considered, but did not decide, whether social engineering fraud was covered by a computer fraud rider purchased by the insured. The facts reveal a common scam. A lawyer at the insured law firm fell victim to social engineering fraud and transferred $2.5 million to a fraudster impersonating an interested party to a real estate transaction. The lawyer, relying on fraudulent emails and letters of authorization from a mortgage company, wired the money to a bank account in Hong Kong. Only after later receiving inquiries from the mortgage company regarding the status of the funds did the lawyer realize he had been scammed.
The insured was able to recover just $784,000, which resulted in a net loss of over $1.7 million. The insured claimed this loss, and the insurer denied coverage, arguing that the computer fraud rider in the insured’s policy did not respond to losses from social engineering fraud. The insurer noted that the actual transfer of funds was not fraudulently caused, and no computer was used to fraudulently transfer the funds. Strengthening the insurer’s position, the insured had previously declined social engineering fraud coverage.
Justice Brown, finding a question of fact regarding the policy’s “other insurance” provision, declined to determine the advisory question of whether the loss fell within the computer fraud rider. The insurer was instead successful on the motion in converting the application to an action.
Dentons and the Cyber Coverage Case Law
Although the Court made no coverage determination in Dentons, a trio of recent decisions demonstrates that Courts are willing to strictly interpret narrow cyber coverage provisions.
The first, Apache Corporation v. Great American Insurance Company (“Apache”), is an American decision wherein the United States Court of Appeals, Fifth Circuit, interpreted a very similar computer fraud provision. In Apache, an employee was tricked into transferring millions of dollars to a fraudulent account. Apache made a claim against its computer fraud coverage contained in its crime policy. The insurer denied coverage, essentially arguing that a computer was not integral to the fraudulent scheme. The Court sided with the insurer, ruling that the use of a computer to send an email was incidental to the scheme, and allowing the mere use of email to trigger a computer fraud coverage would convert the provision into general fraud coverage. This rationale, if applied in to the facts in Dentons, would likely result in a denial of coverage.
The next case, though not directly on point, is The Brick Warehouse LP v. Chubb Insurance Company of Canada (“The Brick”). This Alberta decision concerns the scope of a funds transfer fraud provision (as opposed to a computer fraud provision). A Brick employee fell victim to a fraudster impersonating an existing Brick business affiliate. Over email, the Brick employee was tricked into knowingly transferring funds to the fraudster’s bank account. The insurer denied coverage because the funds transfer provision required that the transfer be without consent. The Court upheld the denial of coverage because the actual transfer of funds occurred with consent. The Court noted that informed consent may have been absent, but it held that the policy did not require it.
Finally, in the American decision of Medidata Solutions Inc. v. Federal Insurance Company (“Medidata”), the United States Court of Appeals, Second Circuit, considered the scope of both computer fraud and fraudulent funds transfer coverage. The fraudulent scheme in Medidata was slightly more sophisticated than the trickery employed in Dentons, Apache and The Brick. In Medidata, the fraudsters used malicious code to perpetrate a spoofing attack, whereby they manipulated Medidata’s internal email system to impersonate senior leadership at the organization. Once inside the system, they authorized fraudulent funds transfers. Again, the insurer denied coverage, employing arguments similar to those outlined in the cases above. However, the Second Circuit held that coverage was owed under both provisions. Specifically, the Court held that the use of malicious code to manipulate Medidata’s email system was sufficient to trigger the computer fraud provision. Further, in contrast to The Brick rationale, the Court held that consent to the transfer was vitiated because it was fraudulently induced.
Claims handlers should be cognizant of the courts’ willingness to strictly interpret limited scope insurance provisions, and brokers and underwriters should point to this legal landscape to demonstrate the prudence of purchasing comprehensive cyber coverage tailored to the types of risk outlined above.