Crime insurance failing to keep up with cybercriminal innovation
Understanding how insurers fight and win computer fraud cases can help form stronger insurance policies.
While a pandemic continues to rage, it is understandable to lose focus on the continued scourge of computer-enabled theft. In fact, cybercriminals are counting on it. Hackers routinely rely upon a state of distraction and the craft of diversion to hack, scam and steal.
As such, it is useful for risk managers to keep in mind that insurance coverage regularly purchased by organizations to protect against crime losses can protect against computer fraud incidents.
The hacks keep coming
In the age of COVID-19, foreign cybercriminals have hacked pharmaceutical companies looking for a coronavirus cure, law enforcement databases have been hacked, criminals have sought to interfere in elections, and, to prove no one is immune, a cybersecurity firm was hacked as a means of revenge.
Most recently, a cyber scam involving Twitter and several of its high-profile users has revealed the way in which cybercriminals used hacked accounts to perpetrate fraud through a bogus cryptocurrency donor “match.”
Most commercial organizations purchase crime insurance. Although the terms of the crime insurance can vary, almost all modern commercial crime policies contain in the body of the form an express promise of insurance coverage for losses directly resulting from “computer fraud.”
Even with the prevalence of computer crime, your trusty crime insurance policy reduces cause to worry, right? Unfortunately, no.
Many crime insurance companies fight “computer fraud” insurance claims regularly. Among the various arguments insurance companies have deployed to attempt to deny “computer fraud” coverage under crime policies, three have been focal points in multiple court contests.
Brute force hacking
First, insurance coverage has been denied where computers were used to commit fraud and steal, but where the computer system security itself was not compromised. Hacking, however, is not a prerequisite to coverage.
In American Tooling, the U.S. Court of Appeals for the Sixth Circuit found computer fraud coverage and held that “Travelers’ attempt to limit the definition of ‘computer fraud’ to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded.”
In a 2018 case, Medidata Sols., Inc. v. Fed. Ins. Co., the U.S. Court of Appeals for the Second Circuit, applying New York law, rejected a crime insurance company’s arguments concerning the scope of the Computer Fraud coverage that it had sold to the policyholder. Specifically, in that case, the cybercriminal had impersonated a senior executive of the company by sending fraudulent emails and telephone communications to dupe employees to wire transfer money to the cybercriminal.
The crime insurance company argued that because emails were used to defraud the policyholder, there was no actual “hacking” of the computer system — according to the insurance company, a prerequisite for coverage. In ruling against the insurance company, the court held that fraudulently encoded emails meant to cloak the identity of the true emailer, and entered through the computer system of the policyholder, triggered computer fraud coverage.
Sophisticated schemes
Some insurance companies will contest insurance coverage where the cybercriminal perpetrates a sophisticated computer fraud against the policyholder.
In Interactive Communications International, Inc. v. Great American Insurance Co., for example, the insurance company argued that the loss was not a “direct” loss. The Eleventh Circuit, applying Georgia law, held that the insured’s loss did not directly result from computer fraud. The court held that the multi-step cyber scam prevented the loss from being deemed a covered direct loss.
In Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., however, the Sixth Circuit ruled that the policyholder’s loss “directly resulted” from a hack. There, the loss included amounts due to fraudulent card transaction assessments and penalties, establishment of call centers for affected customers, and legal fees to address a regulatory consent decree arising from hacked credit card account information. (The author represented Retail Ventures in this case.)
Actions bar coverage argument
Some insurance companies will argue that the policyholder’s loss results not from cybercrime committed against the policyholder, but instead from the actions or omissions of the policyholder’s employees. For example, in State Bank of Bellingham v. Bancinsure, Inc., the insurance company argued that a bank’s employees’ “negligent actions” “played an essential role” in the loss and those actions rendered intrusion into Bellingham’s computer system by a “malicious and larcenous virus” a virtual certainty. The court found that the “overriding cause” of the loss the Bank “suffered remains the criminal activity of a third party.”
Policyholders should resist insurance company attempts to apply unduly narrow interpretations of direct loss coverage. Such arguments are unrealistic given the way in which most cybercrime is perpetrated.
We are a long way down the road from tellers dipping their hands into the till or the company petty cash box being raided. Most crimes worth insuring against today are complex and sophisticated. If certain insurance companies choose to restrict coverage to unreasonable levels, they should be avoided at all costs.
Joshua Gold is a shareholder in the New York office of Anderson Kill P.C. and chair of the firm’s insurance recovery group.