ECBM's Blog: Information To Protect What You Grow

Given the relative newness of cyber insurance policies, comparatively little case law exists interpreting these policies in the context of claims. Courts have sometimes struggled with how to interpret unique policy provisions in the context of variations of computer fraud. While some courts have taken highly technical approaches to the language contained in the policy, other courts have taken a more relaxed approach based on the understanding of the parties. A recent case out of the Eleventh Circuit Court of Appeals highlights these issues. Principle Solutions Group, LLC v. Ironhorse Indemnity, Inc. tackled a claim dispute between an insured business and an insurance company involving a cyber claim.

Given the relative newness of cyber insurance policies, comparatively little case law exists interpreting these policies in the context of claims. Courts have sometimes struggled with how to interpret unique policy provisions in the context of variations of computer fraud. While some courts have taken highly technical approaches to the language contained in the policy, other courts have taken a more relaxed approach based on the understanding of the parties. A recent case out of the Eleventh Circuit Court of Appeals highlights these issues. Principle Solutions Group, LLC v. Ironhorse Indemnity, Inc. tackled a claim dispute between an insured business and an insurance company involving a cyber claim.

Ransomware attacks have increased in frequency over the past few years.  They now rank as the second most frequent type of claim against cyber insurance policies.  Experts estimate that a new business is hit with a ransomware attack every fourteen seconds.  For 2019, early information is showing that the frequency of ransomware attacks may be decreasing.  This seemingly positive trend comes with two significant drawbacks however.

The problem of Social Engineering techniques called Phishing, Whaling, Spear Phishing, Pharming, or Impersonation Fraud has become significant and widespread in recent years. The insurance industry has made efforts to keep these risks in mind for cyber liability policies. Sometimes there is language added that will protect a company, but sometimes communication is added to a basic policy that would not protect a business against these specific risks. 

The clash between the stringent privacy requirements of HIPAA and the known vulnerability of most cyber systems creates a host of anxieties for most modern medical care providers. The Health Insurance Portability and Accountability Act requires that medical providers and insurers take reasonable precautions to ensure that the medical information of their patients remains private. At the same time, it is increasingly apparent that almost all cyber information systems have at least a few vulnerabilities, even if only through their users, and few systems can withstand a dedicated, concentrated cyber assault.

Wire transfer fraud claims resulting from cyber attacks have increased dramatically over recent years, and companies are losing millions of dollars in these attacks. As is common when a new business risk develops, organizations look to their insurance policies to help cover their losses. As we have shared in previous examples, the coverage is not always adequate.

The extent of coverage for a company that has been a victimized may be sparse, and the costs of any breach are ongoing. Consequences of a fraudulent wire transfer depend not just on the specific wording in the policies a business has purchased, but as seen in the following instances, also being upheld differently in different states.

Social engineering attacks continue to represent a significant attack vector on U.S. businesses.  The frequency and cost of these attacks keep increasing.  Businesses need to protect themselves or they could be facing large losses.  While people tend to view hackers as computer whizzes exploiting technical flaws in software code, the reality is that over 95% of attacks focus on exploiting human weaknesses, not technological ones.

 Social engineering scams continue to see reported increases in the number of claims filed and the damages suffered.  These scams, also known as “The President’s Letter”, involve clever impersonation over email to trick employees into wiring money to the wrong bank account.  A recent forecast estimated that damages suffered due to social engineering attacks would surpass $9 billion in 2018.  With losses that high, businesses need to review their procedures and exposures as it relates to protecting themselves from social engineering scams.

Lots of people these days are talking about cybersecurity.  To many people, this conjures images of hackers delving deep into computer code to unearth and exploit systematic weaknesses.  The reality is that many of the most successful cyberscams rely not on the weaknesses within a computer system but on the weaknesses of human beings. For example, the John Podesta email hack was a social engineered spear phishing attack.

Lots of people these days are talking about cybersecurity.  To many people, this conjures images of hackers delving deep into computer code to unearth and exploit systematic weaknesses.  The reality is that many of the most successful cyber scams rely not on the weaknesses within a computer system but on the weaknesses of human beings.