Cyber Case Scenarios

Understanding different types of insurance claims and how they relate to various insurance products can be helpful. Being able to identify possible exposures or gaps in coverage can be useful information when assessing coverage needs.

The information below is a general summary of the cited claim. Please refer to the citation itself for a complete copy of the cited claim. Additionally, the Claims Summary is not an affirmative statement as to the availability of insurance coverage for a particular Client or insured. Please refer to the actual terms of your policy or quotation regarding definitive terms and conditions of coverage.

CLAIMS SUMMARY 1

A title services company had secured a title professional liability errors and omissions policy and sought coverage under its E&O policy when it incurred losses from an email spoofing scheme. The mortgage lender transferred the loan proceeds to the title services company prior to the initial closing date. After the closing was postponed, arrangements were made for the title services company to return the loan proceeds. An employee of the title services company received an email from an unknown party posing as the mortgage lender, directing transfer of the funds to another bank account. As a result of the scheme, the title services company was tricked into transferring real estate proceeds totaling $480,751 to a fraudulent bank account. Once the mortgage lender and the title services company became aware of the fraudulent transfer, the title services company alerted its bank, the insurer that issued the title insurance for the real estate transaction, the FBI, and the bank where the funds had been transferred. The funds were never recovered, but the mortgage lender was indemnified by the insurer that issued its title insurance. In turn, the mortgage lender’s insurer sought payment from the title insurance company. The E&O insurer denied the claim from the title insurance company, citing multiple policy exclusions, including one for theft, conversion, and/or misappropriation of funds. The Court found that the E&O policy excluded coverage for the cyber spoofing incident that resulted in the loss of the loan proceeds. The policy was found to be unambiguous and to apply to third-party conduct.

DID YOU KNOW: Cyber insurance can include a variety of different coverages to help safeguard businesses against a range of technology-related risks. Electronic theft costs are just one coverage option available in cyber liability policies. However, it’s important to review the policy terms and examine any coverage limitations under the policy.

CLAIMS SUMMARY 1

A home improvement retailer had secured commercial general liability (“CGL”) policies and separate cyber insurance policies. The retailer experienced a data breach of its payment card system. Both payment card data and customers’ personal information were compromised. Following the breach, financial institutions sought reimbursement from the retailer for having to cancel and reissue payment cards after the breach. Ultimately, the home improvement retailer settled the claims involving the financial institutions for approximately $170 million. The retailer’s cyber insurers covered all required losses up to the aggregate coverage limit of $100 million. Because the settlement exceeded this limit, the retailer sought indemnification for card reissuance and lost interest/transaction fees and defense coverage under its CGL policies. The CGL insurers denied coverage, arguing that electronic data was not tangible property, and that electronic data was also excluded in the policy. Under the CGL policies, the payment card data would fall under the category of electronic data, but the Court explained that the electronic data exclusion precluded coverage for the card reissuance and the reduced usage claims. Indemnification and defense costs were unavailable due to the CGL policies’ electronic data exclusion.

DID YOU KNOW: Cyber insurance can help address a variety of technology-related costs incurred when a business entity falls victim to a cyber-related incident. Here, the home improvement retailer carried both CGL and cyber insurance policies. While coverage under the CGL policies was unavailable due to an electronic data exclusion, losses up to the aggregate limits were covered under the cyber policy secured by the retailer.

CLAIMS SUMMARY 1

A fruit and vegetable receiver-distributor had secured an insurance policy that included commercial crime coverage. While there were multiple coverage options available, such as forgery or alteration, funds transfer fraud, and computer fraud coverage, the receiver-distributor selected the forgery or alteration coverage option. This forgery and alteration coverage limited coverage to circumstances where losses were incurred from forged/altered checks, promissory notes, drafts, and similar documents that involved directing a payment. Hackers were able to access the receiver-distributor’s email system, sending fraudulent wire transfer instructions to the company’s bank. This resulted in approximately $1,462,000 being directed to the hackers from this account. A forensic investigation was initiated when this cyber breach was discovered. Eventually, the company and its bank negotiated a settlement, but the settlement did not cover the full losses suffered by the company. The business sought coverage under its commercial crime coverage policy, arguing that its officers’ names were forged on the wire transfers and should be covered under its forgery and alteration coverage. The Court determined that transfer authorization forms did not constitute a written promise, order or direction that would be covered under the forgery or alteration coverage, resulting in coverage not being available under the policy. The wire transfer instructions were non-negotiable, and the company decided to not purchase coverage for fraudulent instructions.

DID YOU KNOW: The cyber risk environment is ever-changing. When the company’s email system was compromised, fraudulent wire instructions were directed to the company’s bank. When the breach was discovered, a forensic investigation was initiated. Just some of the coverage options available in a cyber insurance policy are recovery for breach forensic costs and electronic theft.

CLAIMS SUMMARY 1

A data security services provider had secured a commercial general liability (“CGL”) policy, requiring the insurer to defend claims under the terms of the policy that pertained to either bodily injury or property damage. The data security services company provided services to a hotel and resort group, and a potential credit card breach was detected at one of the hotels. A forensic analysis initiated by the hotel found that the source of the breach was malware that had been installed on its payment network. This resulted in customer credit card information being potentially exposed, and the affected customers were notified of the breach. The data services company sought coverage from its CGL insurer when the hotel argued that the breach was due to negligence on the part of the data services provider. The CGL insurer argued that it had no duty to defend based on the notice of claim and the hotel’s demand letter. The Court found that the insurer had no duty to defend under the personal injury provisions of the CGL policy. Even though credit card information was released as part of the data breach, third-party data breaches were not covered under the CGL policy here because the data services company did not publish the private information.

DID YOU KNOW: Cyber insurance can help to cover notification expenses and breach forensic costs. After the breach was discovered here, the source of the breach was investigated, and the affected customers were notified that their credit card information was potentially exposed due to the data breach.

For more information on how a claim may relate to your specific risk, connect with a member of our team.