Canadian Underwriter
News

Is your client properly insured for computer crime?


November 22, 2018   by Greg Meckbach



Print this page

Brokers placing commercial insurance for the risk of theft should pay close attention to exclusions.

Exclusions on some policies covering crime losses for financial institutions may be leaving a gap in cover computer crime, a new paper from Marsh Inc. suggests.

Financial institution bonds are first-party insurance policies that protect commercial clients “from a myriad of theft-related exposures” – such as employee dishonesty, forgery, vendor-related fraud and theft through computer systems – AIG Canada notes.

But financial institutions “should pay specific attention to potentially broad exclusionary language” to make sure their insurance adequately covers theft of funds, Marsh said in a recent report, commenting in general and not on any particular carrier.

A coverage dispute south of the border is raising discussions around hacking attacks on banks’ computer systems and stealing money from customers accounts, Marsh said in Protecting High-Value Assets: Insurance Implications of Cybercrime for Financial Institutions, a report released Nov. 16.

Marsh was referring to computer attacks in 2016 and 2017 in which the victim was National Bank of Blacksburg, situated in Virginia’s Appalachian mountains.

Beginning two years ago, hackers were able to get user names and passwords of employees of the National Bank of Blacksburg, reports the Roanoke Times newspaper. Using those stolen computer login credentials, hackers were able to steal money from customers’ accounts.

The bank’s insurer is Everest National Insurance Company. The bank’s loss was over $1 million. But Everest says the portion of the policy that covers the loss is one that deals with misuse of debit cards, which has a $50,000 sub-limit, the Roanoke Times reports.

“The coverage dispute arising from this loss does not involve a cyber policy,” Marsh said in Protecting High-Value Assets. Instead the issue is whether the loss triggers coverage under the computer and electronic portion of the financial institution bond that Everest wrote for National Bank of Blacksburg. The C&E portion has an exclusion for loss arsing from “the use, or purported use, of credit, debit, charge, access, convenience or other cards.” The bank says that exclusion does not apply.

“Insurance – while effective at reducing the financial impact of cyber events, has also raised questions for banks – as well as disputes with insurers – about how coverage should respond to a cyber event involving multiple types of loss,” Marsh said.

A “big trend” in insurance these days is social engineering, says Brian Kelly, Montreal-based managing partner for risk management at BFL Canada Risk and Insurance Services. One example of social engineering is when a criminal impersonates someone. In some cases, criminals have used social engineering to fool employees into thinking they are paying suppliers when in fact the employees are unwittingly sending money to the criminals.

“Normally that is provided under a crime policy but for smaller and medium sized organizations, we see a benefit to actually including that under a cyber policy as well,” Kelly told Canadian Underwriter earlier.

One such incident resulted in a coverage dispute in Alberta, notes Ryan Burgoyne, managing partner of law firm Cox & Palmer’s Fredericton office.

The Brick Warehouse LP v. Chubb Insurance Company of Canada was released in 2017 by the Court of Queen’s Bench of Alberta. That court ruled that a Chubb commercial crime policy did not cover a loss resulting from social engineering fraud, Burgoyne reported earlier in a paper titled A New Realm: Cyberspace, Cyber Liability and Cyber Liability Insurance.

In that case, The Brick lost $200,000 because money owed to computer maker Toshiba – a legitimate vendor – was sent to the wrong bank account. A fraudster purporting to be a Toshiba worker had called The Brick’s accounting department giving a false bank account for Toshiba. As a result, The Brick paid the criminal, not the vendor.