Cybersecurity is a constantly evolving battle. The more refined security systems become, the more clever the attacks hackers use to gain access to information and finances. Most people are familiar with the tactic of sending a legitimate-looking email to try to induce a person to send money. Yet the specific nature of the attack can alter how, and even whether, such an attack is covered under a company’s insurance policy.
There are many possible outcomes of a successful phishing attack. The phisher could gain access to customer or client data. Alternatively, he could obtain your company’s financial information. Afterwards, the phisher could attempt to transfer money from your bank account to his; he might also try to use your company credit cards.
As phishing attacks become more sophisticated, hackers are imitating company or vendor emails to try to trick people inside the company into wiring money to them.
Each of these scenarios may be covered by different parts of your insurance policy.
- Damages caused by a phisher accessing customer data would fall under a cyber liability policy.
- Fraudulent transfer instructions that appear to come from the insured company would fall under fraudulent transfer coverage as part of a crime policy.
Yet many policies do not cover fraudulent transfer instructions that come from a vendor or customer.
HERE'S WHAT HAPPENED TO BITPAY
This issue is at the heart of a $1.9 million lawsuit filed by BitPay against Massachusetts Bay Insurance Company. In this case, BitPay received an email that appeared to be from one of their vendors, BTC Media.
The email was part of a phishing attack and sent BitPay’s CFO to a site that prompted him to enter his email information. Now in possession of the CFO’s email address and password, the phisher arranged three separate transfers of 1,000 bitcoins each.
After The Phishing Attack
BitPay submitted a claim to their insurance provider to recover the money lost to the attack. Massachusetts Bay denied the claim. They claimed BitPay had suffered an indirect loss rather than a direct loss, since the loss originated with the infiltration of BTC Media’s computer system.
As they stated in their denial letter, “The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.” The suit is now pending in the U.S. District Court for the Northern District of Georgia.
WHAT CAN YOU DO?
Companies need to be aware of their various liabilities to different types of cyberattacks and review their coverages to make sure they are covered for all eventualities. Insurance companies now offer coverage specifically for phishing attacks that result from infiltrations of vendor and customer computer systems. Speak with your broker to ensure you know your risks and your coverages.