Cybersecurity and insurance are increasingly intersecting as the number, frequency, and severity of cyber incidents rise. More businesses and individuals are transferring cyber risks to insurers. Insurers are improving special-purpose coverage options while limiting or excluding coverage under general liability policies. Consumers should assess needs and policies carefully to understand coverage limits and adequacy.
In terms of understanding available coverage, a recent post on First Reference Talks, entitled "Vendor master file blunders caused a $2.7M loss," briefly touched on one company’s coverage conundrum. As the post explained, the insurer, Chubb, refused to cover over US$2.7M, which phishers had scammed from Future.
The court assessed three of Future’s policy coverages, namely, a:
- Computer Fraud by a Third Party Coverage (the “Computer Fraud Policy”);
- Funds Transfer Fraud by a Third Party Coverage (the “Funds Transfer Policy”); and
- Social Engineering Fraud Endorsement.
The computer fraud policy did not cover the losses
Future claimed that its Computer Fraud Policy should cover its losses. The court disagreed.
The Computer Fraud Policy allowed coverage for a direct loss resulting from a computer fraud by a third party.
The court explained that computer fraud meant the unlawful taking of money through the use of a computer system. Future believed that because the fraudsters used computers to email the fraudulent instructions, and the bank used computers to process the electronic funds transfer, the Computer Fraud Policy should provide coverage. On a simple read, Future may appear to be right.
But the court explained that coverage required a direct act of stealing using a computer. For instance, the fraudsters would have had to hack into the computer system to exercise control over and take the money. However, the fraudsters did not use a computer system, except in a minor and incidental way, to email the fraudulent instructions. In reality, what they did was induce or dupe Future’s employee, or fraudulently cause the employee, to transfer funds.
The funds transfer policy did not cover the losses
Future claimed that the Funds Transfer Policy should cover its losses. The court disagreed.
The Funds Transfer Policy provided coverage for a direct loss resulting from funds transfer fraud by a third party. The policy defined a funds transfer fraud as fraudulent written, electronic, telephonic, and other instructions to a financial institution to pay money without Future’s knowledge or consent.
In this case, Future knew of and consented to the funds transfers; in fact, it initiated and authorized the transfers. The fact that the phishers duped the employees into making the transfers and the fact that Future did not know the transfers were fraudulent were irrelevant because: (i) a third party did not issue instructions that tricked the bank into releasing funds, (ii) based on instructions the bank believed to be Future’s, (iii) and to which Future did not consent or have knowledge of.
The exclusion clause
The court also concluded that a specific policy exclusion for an insured who knowingly gives or surrenders money to a third party, not in collusion with an employee, would also bar any recovery under the Computer Fraud Policy or Funds Transfer Policy.
Only the social engineering coverage survives
The court agreed that the Social Engineering Fraud Endorsement, not the other two policies, unambiguously covered Future’s losses—albeit for a mere US$50,000.00. The Social Engineering Fraud Endorsement provided coverage for the transferring or paying of money as a result of social engineering fraud by someone purporting to be a client, vendor, or employee, whom the insured authorized to instruct other employees to transfer money.
The policy also defined social engineering fraud as the intentional misleading of an employee through misrepresentation of a material fact which that employee relies on, believing it to be genuine. This was precisely the type of loss that Future suffered, and this was the coverage to which it was entitled.
Coverage options for individuals
In terms of the options available for individuals, a July 7, 2021 article from the print issue of the Wall Street Journal, entitled "Help Against Online Bullies," focused on cyberbullying insurance available to adults, teens, and tweens. As the article makes clear, there are non-insurance solutions to cyberbullying, and other general coverage under health plans, for example, may cover mental healthcare and other costs which cyberbullying policies also cover.
Nonetheless, cyberbullying coverage is an option for individuals and for businesses looking to offer more robust benefit packages to employees.
Cyberbullying coverage is available for specific damages from cyberbullying, including wrongful job termination and false arrest for adults, unfair disciplining by a school, or the inability to attend work or school because of psychological reasons.
Cyberbullying coverage is not very widespread. According to one study that the article cites, only 10% of the sample had coverage. Chubb, Arbella (New England-based), and AIG underwrite such policies, according to the article. The article quotes costs varying from US$5.00 per month for up to $10,000.00 in coverage to US$20.00 per month for up to $100,000.00 in coverage. In Canada, visit Chubb’s website at www.chubb.com/ca-en/individuals-families/products/cyber/cyber-insurance.html.
Meeting your duty of care
There are two critical takeaways for risk management, and specifically, risk transference as a risk management strategy. Assess coverage needs with a broker or other professionals to determine what coverage is enough and not redundant. Understand exclusion clauses and the limits of policy coverage. It may be disastrous to think that multi-million dollar computer fraud or funds transfer policies apply, only to discover that a $50,000.00 endorsement or add-on is the only recourse.