Insurance Coverage for Phishing and Scamming Losses: Policy Interpretation, Circuit and State Law Splits
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, MAY 6, 2020
Presenting a live 90-minute webinar with interactive Q&A
Michael S. Levine, Partner, Hunton Andrews Kurth, Washington, DC
Harry J. Moren, Attorney, Orrick Herrington & Sutcliffe, San Francisco
Eric B. Stern, Partner, Kaufman Dolowich Voluck, Woodbury, N.Y.
Strafford Webinars
Insurance Coverage for Phishing & Scamming Losses: Policy Interpretation, Circuit and State Law Splits
Michael S. Levine, Partner, Hunton Andrews Kurth
Harry J. Moren, Partner
AGENDA
I. Potential Phishing and Scamming Liabilities
▪ Types of Common Attacks
▪ Examples of Notable Breaches
II. Managing Phishing and Scamming Risks Through Insurance
▪ Inadequacy of legacy insurance products in addressing cyber liabilities
▪ Coverage under a cyber-insurance policy
IV. Coverage Positions Under Existing Policies
▪ Case-law update
2019 Data Breach Statistics*
• Global Average Total Cost of a Data Breach: $3.92 million USD
• US Average Total Cost of a Data Breach: $8.19 million USD
• Highest Industry Average Cost of a Data Breach: $6.45 million USD (Healthcare)
• Average Size of a Data Breach: 25,575 records
* According to IBM Security’s Cost of a Data Breach Report 2019 (https://www.ibm.com/security/data-breach)
Rash of Cybersecurity Incidents
• WannaCry and NotPetya
Quantifying the Risk – Data Breaches
• Government enforcement has increased dramatically
  – Google: $170 million FTC settlement (August 2019)
  – Facebook: $5 billion FTC settlement and $100 million SEC settlement (July 2019)
  – Equifax: $700 million settlement with FTC and 48 states (July 2019)
  – British Airways: $230 million fine by the UK ICO (July 2019)
  – Marriott: $124 million fine by the UK ICO (July 2019)
  – Yahoo: $117.5 million consumer class action settlement (June 2019)
  – Google: $57 million fine by the French CNIL (January 2019)
  – Uber: $148 million settlement with all 50 states (September 2019)
• Class action lawsuits – massive settlement amounts
• PCI fines
• And more is on the horizon once the CCPA compliance date arrives
  – Up to $750 per consumer recoverable in connection with certain data breaches
• Reputational risk arising from data protection issues can be significant
Phishing and Scamming Threat Landscape
It’s not a matter of if, it’s a matter of when
Cyber Threat Landscape: Types of Common Attacks
Cyber Threats – Threat Actors
• Social Engineering and Phishing
• Social Media
The Long Game
Intel Collection
• Hacking
• Trolling
Impersonation
• CEO
• Customer
• Vendor
• Lawyer
Execution
• Urgent
• Uses email and other mediums
• Uses accurate and/or confidential company and/or employee info
Employee Response
• “I better do this now!”
• “This request is consistent with how we do business.”
• “This request is consistent with stuff only a few people in our company know.”
Damage
• Lost money
• Lost data
• Malware
Result
• Money unrecovered
• CEO fired
• CFO fired
• Litigation
• Regulatory investigation
• Reputation and Trust Losses
Example of Execution-Stage Communications*
* PhishMe.com
No Industry is Immune*
Percentage of users who click on phishing links or attachments, by industry.
* Verizon, 2017 Data Breach Investigations Report.
Cyber Threats – Tactics
$2.3 Billion Lost to CEO Email Scams
Mitigating Risk Through Insurance
Cyber Liability Coverage: Falling Through the Gaps
Cyber risks, including phishing and scamming, may fall through gaps in traditional liability and first-party policies, most of which now have potentially applicable exclusions.
• CGL
• D&O
• Crime
Coverage For Cyber Liabilities Under Traditional First-Party Policies
• Traditional first-party policies may cover cyber-related liabilities
  – Property policies
  – Policies providing business interruption coverage
    • Contingent business interruption coverage
  – Crime / Fidelity Policies
    • Employee dishonesty
    • Vandalism and theft
    • Computer fraud
    • Kidnap, ransom, or extortion
  – Many traditional policies issued today attempt to exclude coverage for cyber-related liabilities
What Does Cyber Insurance Cover? First Party Coverage
• Data/Electronic Information Loss
• Business Interruption or Network Failure Expenses
• Cyber-Extortion
• Reputational Harm
What Does Cyber Insurance Cover? Hybrid Coverage
Covered Claims
• Security Event (e.g. breach, DDoS, use of code)
• Privacy Event (involving PII or Confidential Business Information)
Covered Costs
• Forensics to determine existence, cause & scope
• Legal & PR
• Mandated (sometimes voluntary) breach notification
• Call Centers
• Credit/Identity Monitoring
• Data Restoration
Cyber Insurance Coverages
• Network security and privacy
• Digital asset protection
• Breach event expenses
• Business and network interruption and extra expense
• Media liability
• Tech errors and omissions
• Reputation
• Ransom or cyber extortion
• Fraudulent transfer
• Social engineering
Coverage Issues
Recent Cases
• Mississippi Silicon Holdings v. Axis Ins., No. 1:18-cv-00231 (N.D. Miss. Feb. 21, 2020) (limiting coverage for fraudulent email scheme to social engineering fraud sublimit under management liability policy)
• Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., No. 17-11703 (11th Cir. Dec. 9, 2019) ($1.7M phishing losses covered under commercial crime policy’s fraudulent instruction coverage)
• SS&C Technology Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859 (S.D.N.Y. Nov. 6, 2019) (denying AIG’s motion for summary judgment and finding criminal acts exclusion did not apply to fraudulent transfer cyber incident)
• The Children’s Place, Inc. v. Great Am. Ins. Co., 2019 WL 1857118 (D.N.J. Apr. 25, 2019) (permitting TCP to seek coverage for social engineering scheme under computer fraud coverage grant of crime policy)
Recent Cases
• Medidata Solutions, Inc. v. Fed. Ins. Co., No. 17-2492 (2d Cir. 2018) (finding coverage under the computer fraud, forgery, and funds transfer provisions for $4.8 million that employees were deceived into transferring to a Chinese bank account)
• American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 17-2014 (6th Cir. July 13, 2018) (emails sent by a fraudster that prompted wire transfer payments of $800,000 were covered under the policy as a loss directly caused by computer fraud)
• Rainforest Chocolate, LLC v. Sentinel Ins. Co., No. 2018-095, 2018 VT 140 (Vt. Dec. 28, 2018) (insurer’s “false pretense” exclusion was ambiguous because there were two reasonable interpretations of what constituted “physical loss or physical damages”)
• State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456 (8th Cir. 2016) (affirming the district court’s decision finding coverage for a hacking incident under a financial institution bond, which is similar to a crime insurance policy)
Insurance Coverage for Phishing and Scamming Losses
Eric B. Stern, Esq., Partner
Kaufman Dolowich Voluck, 135 Crossways Park Drive, Suite 201, Woodbury, New York 11797
Telephone: 516.681.1100 | Fax: 516.681.1101 | KDVLAW.COM
New York | New Jersey | Pennsylvania | Florida | Illinois | California
Introduction
Companies have tried to trigger coverage for Social Engineering losses through their Computer Fraud coverage rather than Social Engineering coverage, which has been available since 2015.
This approach has been rejected by insurers and several courts.
We will discuss the issues with this approach as found by the courts and the insurance-based solutions.
Introduction
▪ Cyber Crime: Coverage for an attack on the system that enables the attacker to use access to the system to transfer funds or steal data.
▪ Social Engineering Fraud: Social engineering fraud involves a party impersonating an individual or company through fraudulent emails (phishing) to deceive the insured into giving away private information or funds.
Introduction
Fidelity and crime insurance policies, which may contain computer fraud coverage, provide financial compensation for loss of goods or cash through theft, fraud, forgery or other crimes committed by the insured’s own employees.
Crime Policies cover losses which are:
▪ Direct, such as theft of the insured’s money or securities;
▪ Tangible loss, such as a loss of securities, money, or merchandise; and
▪ First-party, such as losses the insured incurs.
Taylor Lieberman v. Federal Ins.
The Ninth Circuit in Taylor & Lieberman v. Fed. Ins. Co., 681 Fed. Appx. 627 (2017) explained the distinction between covered losses due to a hacking incident and uncovered losses arising from the knowing transfer of funds.
In Taylor, an insured accounting firm was sent e-mails from a bad actor who spoofed the e-mail address of one of the insured’s clients. The e-mails requested that the insured wire funds to a fraudulent account.
Eventually the insured caught on and recovered some of the wired money, but lost nearly $100,000.
Taylor Lieberman v. Federal Ins.
The insured sought coverage under its Crime Policy, which included computer fraud coverage providing:
The Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Computer Fraud committed by a Third Party.
The insured argued that “the emails constituted an unauthorized (1) ‘entry into’ its computer system, and (2) ‘introduction of instructions’ that ‘propagate[d] themselves’ through its computer system.”
Taylor Lieberman v. Federal Ins.
The Ninth Circuit found no coverage, reasoning:
• The emails do not constitute an unauthorized entry into the recipient's computer system.
• The emails were not an unauthorized introduction of instructions into the system.
• The instructions did not, as in the case of a virus, infect the computer system. They were simply part of the text of three emails.
Pestmaster v. Travelers
In Pestmaster Services, Inc. v. Travelers Casualty & Surety Company of America (2016), the Ninth Circuit found no coverage where the insured transferred funds to its payroll vendor, who would then retain the funds.
The computer fraud policy covered the insured for the fraudulent loss of money caused by the use of a computer to transfer funds.
Pestmaster v. Travelers
The Ninth Circuit interpreted the crime-policy wording as requiring a direct loss through an unauthorized transfer, consistent with the computer fraud jurisprudence requiring an element of unauthorized access or a hacking incident.
The court noted that the use of a computer was merely incidental to, and not directly related to, the insured’s losses.
Importantly, the court interpreted the phrase “fraudulently cause a transfer” in the crime policy to require an unauthorized transfer of funds.
Apache v. Great American (5th Cir. 2016)
▪ An employee of the insured received a call from a bad actor claiming to be a representative of a legitimate vendor of the insured.
▪ The caller instructed the employee to change the vendor’s bank account information for payment.
▪ The employee demanded a formal change request on company letterhead.
Apache v. Great American
▪ Later, the insured received an email from an address which was similar to the vendor’s address but fraudulent. The email attached a letter on fraudulent letterhead.
▪ The insured called the fraudulent phone number on the letterhead to confirm authenticity.
▪ Eventually, the error was discovered after approximately $7 million was incorrectly sent.
Apache v. Great American
The Computer Fraud coverage provided:
▪ We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a) to a person (other than a messenger) outside those premises; or
b) to a place outside those premises.
Apache v. Great American
The Fifth Circuit held that the policy required a direct loss through “an unauthorized transfer of funds”, rather than simply any transfer which involved a computer.
“The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.”
Direct Loss – More Examples
In Kraft Chemical Company, Inc. v. Federal Insurance Company (2016), the court held under Illinois law that the Computer Fraud insurance provisions did not apply to payments made pursuant to a fraudulent e-mail.
The court held that the transfer of funds was knowingly effectuated by the insured.
The fraudulent email did not “directly” cause the loss because, after receiving it, the insured voluntarily took steps to cause the transfer.
Direct Loss – More Examples
In Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc. (2019), under Virginia law, the word “directly” in the computer fraud provision required a straightforward or proximate relationship between the use of a computer and the resulting loss.
In Miss. Silicon Holdings, LLC v. Axis Ins. Co. (2020), under Mississippi law, the district court similarly held that because the insured’s employees, not the fraudulent emails, initiated the transfer, the fraudulent act did not “directly” cause the transfer.
Daewoo America v. Allnex
In Daewoo (2018), the court held under NJ law that there was no coverage under the computer fraud section of the policy.
A bad actor posing as an employee of the insured sent emails requesting that payments be sent to “new” accounts.
The insured sought coverage under its computer fraud policy for amounts it never received, claiming that the amounts owed to it constituted owned tangible property.
This differs from the typical social engineering case because the insured did not make the transfer of funds.
Daewoo America v. Allnex
The insured failed to meet the ownership condition under the term “own” as it is commonly understood or under any legal definition.
The court also found that the accounts receivable failed to constitute “tangible property.” Before the insured actually received the monies due, it owned a receivable, or a right to payment, as well as a potential cause of action for payment if it was not made, which, while valuable, are not tangible.
Conclusion
Courts have generally interpreted computer crime coverage as being intended to cover loss due to unauthorized entry into the insured’s computer system by third parties.
Coverage for an employee’s authorized entry of data or payment instructions, induced by external fraud, has become a mixed question for the courts.
Policy Drafting Solutions
Computer Fraud – Exclusion
▪ To avoid reliance on a split of authorities, insurers can add exclusions to computer fraud policies to specifically address social engineering coverage.
Aqua Star v. Travelers
The Ninth Circuit in Aqua Star v. Travelers Casualty & Surety Company of America (2018) found there was no coverage under the Computer Fraud coverage in its commercial crime policy for a phishing scheme.
The Policy also contained Exclusion (G), which provided that there was no coverage for:
▪ Loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.
Aqua Star v. Travelers
The Ninth Circuit held that the loss resulted from a duly authorized employee changing the account wiring information and sending four payments to the bad actor’s account.
Because the employees “had authority to enter” the information into the computer system when they inputted the changed wiring information, the conduct “fit squarely within the exclusion” and coverage was not afforded.
Social Engineering Coverage: Sample Endorsement
▪ The Insurer will pay for loss…resulting directly from the payment…of Money…to a person, place, or account beyond the Insured Entity's control by:
a) an Employee acting in good faith reliance upon a telephone, written, or electronic instruction that purported to be a Transfer Instruction but, in fact, was not issued by a Client, Employee or Vendor; or
b) a Financial Institution as instructed by an Employee…
Miss. Silicon Holdings, LLC v. Axis Ins. Co., 2020 U.S. Dist. LEXIS 29967 (N.D. Miss. 2020)
Social Engineering Coverage: Types of Phishing
▪ Phishing is more common and likely not covered. Phishing schemes go to a wide number of recipients and are designed to deliver a sense of urgency to trick users.
▪ Spear Phishing is a targeted attack. A bad actor selects specific organizations and sends a custom message based on other contacts. The scam appears to come from someone known to the insured.
Social Engineering Coverage: Types of Phishing
▪ A recent common-phishing example is an email purporting to be from the CDC asking recipients to download malware, provide information or transfer money for Covid-19 related reasons.
▪ Loss arising from such a phishing attack would likely not be covered under the endorsement discussed because the CDC and WHO are “unknown” to the insured.
Social Engineering Coverage: Sub-Limits
Some insurers apply sub-limits for Social Engineering Coverage.
In Miss. Silicon Holdings, LLC v. Axis Ins. Co., the parties all agreed that social engineering coverage applied. The dispute over the computer fraud coverage arose because the social engineering limits were insufficient to cover the loss.
Social Engineering Coverage: Insured’s Obligations
The policy in Children’s Place, Inc. v. Great Am. Ins. Co. (2019) required:
• that before forwarding [a] payment order to a financial institution or issuing [a] check, you verified the authenticity and accuracy of the [payment] instruction received ..., including routing numbers and account numbers by calling, at a predetermined telephone number, the [person] who purportedly transmitted the instruction to you.
Social Engineering Coverage: Insured’s Obligations
▪ The insured argued that the condition precedent rendered coverage illusory, reasoning that full compliance with the condition precedent would prevent any need for the social engineering coverage.
▪ The court ruled that the insured need only “attempt to verify” the authenticity and accuracy of the instruction.
Social Engineering Coverage: Insured’s Obligations
▪ Is it a request for a transaction such as an electronic funds transfer?
▪ Does it request personal details such as banking information?
▪ Is it an unsolicited communication?
▪ Is it a request with an atypical sense of urgency?
▪ Does the link match up?
▪ Did you independently verify legitimacy?
Conclusion
▪ Insureds should be aware that procuring a social engineering endorsement does not guarantee that they will be fully covered every time an employee falls prey to a social engineering scheme.
▪ Insureds should make sure they have controls in place to avoid such schemes and train employees on those protocols.
Questions? Please Contact:
Eric Stern, Kaufman Dolowich Voluck