Given the relative newness of cyber insurance policies, comparatively little case law exists interpreting these policies in the context of claims. Courts have sometimes struggled with how to interpret unique policy provisions in the context of variations of computer fraud. While some courts have taken highly technical approaches to the language contained in the policy, other courts have taken a more relaxed approach based on the understanding of the parties. A recent case out of the Eleventh Circuit Court of Appeals highlights these issues. Principle Solutions Group, LLC v. Ironhorse Indemnity, Inc. tackled a claim dispute between an insured business and an insurance company involving a cyber claim.
The problem of Social Engineering techniques called Phishing, Whaling, Spear Phishing, Pharming, or Impersonation Fraud has become significant and widespread in recent years. The insurance industry has made efforts to keep these risks in mind for cyber liability policies. Sometimes there is language added that will protect a company, but sometimes communication is added to a basic policy that would not protect a business against these specific risks.
Cyber coverage remains a hot topic in the insurance world. The coverage is relatively new and complicated questions of claims handling are still working their way through the court system with often unforeseeable results. Now, a novel defense is one cyber coverage lawsuit may throw a major wrench in the extent of protection these policies provide.
Wire transfer fraud claims resulting from cyber attacks have increased dramatically over recent years, and companies are losing millions of dollars in these attacks. As is common when a new business risk develops, organizations look to their insurance policies to help cover their losses. As we have shared in previous examples, the coverage is not always adequate.
The extent of coverage for a company that has been a victimized may be sparse, and the costs of any breach are ongoing. Consequences of a fraudulent wire transfer depend not just on the specific wording in the policies a business has purchased, but as seen in the following instances, also being upheld differently in different states.
Managing cyber risk in the current atmosphere requires constantly staying abreast of new threats. Every new technological advancement creates new opportunities for criminals to turn your systems against you. Companies rightly concern themselves most with cyber crimes like data theft or extortion. Yet even seemingly minor crimes can cause lost revenue for companies not paying attention.
Another major data breach at an American company worth billions of dollars has served to heighten cyber security concerns in businesses of many sizes in many countries. Equifax announced in September 2017 that a massive theft of data from their system had occurred. The failures of Equifax's cybersecurity team resulted in hackers obtaining the personal information of over one hundred and forty-five million of the people whose credit history Equifax tracked.
In the popular imagination, major cybersecurity events involve an elite hacker (or a group of them) employing a singular genius to crack complex computer codes and steal vital secrets or millions of dollars. The reality is that most hackers use a set of tools available for sale for shockingly small amounts of money. “Hacker schools” in places like Brazil and Russia can train someone who is relatively computer illiterate to use those simple tools to exploit vulnerabilities and gain access to sensitive information, whether it be trade secrets or personally identifiable information useful for committing identity theft.
An emerging area of cyber liability for small businesses centers around the concept of third party risk. Third party risk means damages resulting from the security breach of a connected party - normally vendors or customers. Small businesses can face third party cyber risk on a number of fronts. They can face liability from a breach of their own systems infecting a vendor; they can also face damages caused when the breach of a vendor causes a breach of their own systems. Franchisee relationships have also caused increasing concerns of cyber risk.
Hardly a day goes by in the current news cycle without some new cyber-security story breaking. The end of 2016 included a disclosure of 500 million hacked Yahoo! email accounts, concerns raised over the security of U.S. election systems, and a formal announcement by the U.S. government that Russians had hacked into the emails of the Democratic National Committee and the New York Times. A Report from industry experts this past month pegged the expected value of cybercrime in 2021 at $6 TRILLION a year.