April 1, 2017 by Hershel Sahian, Partner; and Andrew Cottreau, Student-At-Law, Hughes Amys LLP
Cyber crime is on the rise. A study released by Juniper Research in mid-2015 projected that by 2019, the global cost of cyber crime will reach more than US$2 trillion, increasing to almost four times the estimated cost of breaches in 2015.
Is there coverage for cyber-related losses? Recent decisions in the United States confirm that some cyber-related losses may not attract coverage under computer fraud or cyber insurance policies. To date in Canada, there is a paucity of court decisions on cyber-related coverage. As such, for companies and organizations purchasing cyber insurance, it is important to carefully examine policy wording to understand what types of cyber-related losses may be covered under a policy.
TYPES OF CYBER CRIME
When discussing cyber crime, it is helpful to distinguish between a cyber attack and a cyber breach. Cyber attacks involve an attempt to directly gain access to information possessed by an individual, corporation or government, such as hacking into an organization’s computer system. Conversely, cyber breaches involve an incident in which the confidentiality, integrity or availability of data is compromised without directly accessing a computer system.
Common examples include an employee losing a hard drive containing client information, or an employee being tricked into releasing confidential information.
Many cyber insurance and computer fraud policies generally cover cyber attacks. For example, it has been reported that, as a result of the 2013 hacking of personal information collected by the U.S. retailer Target, about US$90 million of the company’s losses, including legal, crisis communication and forensic costs, will be covered by cyber insurance.
When it comes to cyber breaches, however, coverage will depend on the policy wording. Consider the 2015 case from the California Central District Court. After a hospital’s patient records were negligently released, the hospital’s insurer denied the claim based on an exclusion for the hospital’s failure to “follow minimum required practices.”
Specifically, two types of cyber breaches that may not attract coverage are “phishing” and “whaling” schemes. Both are conducted primarily through email.
Phishing emails attempt to dupe the recipient into disclosing confidential information by purporting to be from a reputable source. Spear phishing, which involves emails designed to deceive specific employees at a business, rose 55% in 2015, according to the 2016 Internet Security Threat Report released by Symantec.
Whaling, however, is a newer concern for businesses. It involves a fraudster pretending to be a high-level executive, such as a chief executive officer or chief financial officer, and requesting that an employee release information or conduct a financial transaction on the executive’s behalf. In such cases, the fraudster does not directly access the organization’s computer system.
As the following court decisions indicate, not directly accessing a system is an important distinction that may negate coverage.
The decisions on cyber crime coverage discussed below are limited to the United States, but nonetheless raise important coverage issues. In each, the court found that the organization was not covered for losses that did not arise from a direct cyber attack: the policies were designed to cover cyber attacks, not indirect cyber breaches.
In Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, a July 2016 decision of the United States District Court, Western District of Washington, the fraudster used a spoofed email domain to pose as a vendor of the seafood company Aqua Star. The fraudster instructed Aqua Star to change the bank account information for future wire transfers. The treasury manager for Aqua Star changed the bank account information, which resulted in the company being defrauded of more than US$700,000.
The U.S. company was covered under a policy providing coverage for computer fraud. The policy states that it covers “…the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.”
However, it also contains the exclusion that the policy “…will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”
The court found the exclusion applied because the loss was an indirect result of an authorized person, the treasury manager, inputting the new fraudulent information into the computer system. As a result, the court found no coverage under the policy.
Universal American Corporation v. National Union Fire Insurance Company of Pittsburgh is a June 2015 ruling by the Court of Appeals of New York. Universal American is a health insurance company with a computerized billing system that allows healthcare providers to enter claims into the system. The company sustained a US$18 million loss after authorized healthcare providers entered fraudulent claims.
Universal American claimed under a rider that provides coverage for “… losses incurred from fraudulent entry of data into the insured’s computer program.”
The Court of Appeals, however, found no coverage under the policy, as “fraudulent entry” referred to unauthorized access to the computer system and not to fraudulent content submitted by authorized users.
The most recent decision is Apache Corporation v. Great American Insurance Company, an October 2016 decision of the United States Court of Appeals, Fifth Circuit. The decision interprets a computer fraud provision under a crime protection insurance policy. Apache Corporation is an oil production company.
The company received a call from a fraudster pretending to be one of its vendors. The fraudster instructed a company employee to change the vendor’s bank account information. When the employee asked for the request to be provided on official company letterhead, it was subsequently received by email.
Apache Corporation responded by changing the bank account information and forwarded US$7 million to the fraudulent account.
The crime protection policy provides coverage when a breach results “directly from the use of any computer to fraudulently cause a transfer” of money or property. The court found no coverage under the policy.
The court noted that while email was used in the scam, its use was “incidental.” The U.S. court observed that it is difficult to envision any fraudulent scheme today that does not involve computer-facilitated communication.
If the computer fraud provision covers any fraud that involves email, it would become a general fraud provision.
Two recently filed lawsuits are examples of insurers denying claims arising from whaling schemes. In Medidata Solutions Inc. v. Federal Insurance Company, a New York Southern District Court decision released in February 2015, fraudsters sent finance department employees an email pretending to be from a company executive. The email requested that the employees transfer approximately US$4.8 million to a Chinese bank account. The employees completed the request.
The insurer responded by denying coverage. Since the policy provides coverage for computer fraud, forgery and funds transfer fraud, the insurer argued “the policy provides coverage against involuntary transfers effected by hackers, forgers and imposters; not voluntary transfers effected by authorized signatures.” In March 2016, the New York federal judge dismissed duelling motions for summary judgment because of insufficient facts.
Similarly, Ameriforge Group Inc. v. Federal Insurance Company was heard in Texas state court in February 2016. Fraudsters sent fraudulent emails to the company’s director of accounting, posing as the company’s chief executive officer, and instructed the director to transfer US$480,000 to a Chinese bank account.
The insurer denied coverage for the loss, arguing that the policy’s computer fraud coverage requires direct hacking and that the funds transfer fraud coverage does not cover funds that are knowingly transferred by an employee.
In Canada, there are few decisions on cyber coverage. Aldo Group Inc. c. Chubb Insurance Company of Canada, a 2016 decision of Quebec’s Cour d’Appel, does not involve a cyber policy, but is instructive as to the importance of policy exclusions when dealing with cyber attacks.
After Aldo’s computer system was hacked, its credit card processor, Moneris, charged the company $4.8 million in penalties and costs. The Quebec court, however, found that Aldo’s policy contains an exclusion for liability assumed by contract and, therefore, that there is no coverage under the policy.
Cyber criminals and fraudsters are increasingly targeting employees with sophisticated schemes as an alternative to direct hacking. Many cyber and computer fraud policies only cover direct cyber attacks and not cyber breaches.
The policies may not cover losses caused by employees who voluntarily, albeit unwittingly, release confidential information or transfer funds. Moreover, many assume that because a fraudulent scheme uses email, it is cyber-related and will be covered.
As illustrated by Apache, however, fraud is not necessarily computer fraud merely because email is used in the scam.
Coverage for phishing and whaling schemes is now offered by some insurers in the form of Social Engineering Fraud Endorsements, which are specifically designed to cover occurrences where a fraudster impersonates vendors or executives and tricks employees into releasing funds. In Canada, insurers are now offering coverage of as much as $250,000 per occurrence for social engineering fraud.
Depending on policy wording, such endorsements may be needed to ensure coverage for this kind of cyber crime. It remains to be seen how such endorsements will be applied and interpreted, and how they will interact with other cyber coverages.