As you work to finalize your cyber insurance riders or supplemental policies, it’s important to pay attention to the language around what is specifically covered. To ensure you’re receiving the coverage desired, the first step is to understand the difference between hacking and phishing, and how this is being applied to your policy, and to ensure the language is mutually interpreted as clearly and uniformly as possible.
Hacking is the use of exploits and vulnerabilities to gain access to and extract information from, disrupt or tamper with a computer system. Hackers break into a system and take information.
Phishing is the use of social engineering via e-mail to trick the recipient into revealing personal or confidential information, or granting access to a computer system either directly or through the installation of malicious software. Phishers convince you to let them into a system or give them information.
Why is this so important to your cyber coverage? Because there’s been some fairly significant litigation around these differences that has supported both the upholding and denial of coverage. Here are 3 examples of cases where interpretation of the rider/supplemental policy language led to litigation:
Universal American Corp. v. National Union Fire Insurance Co., 37 N.E. 3d 78 (N.Y. June 25, 2015)
Universal’s insurance policy provided coverage for “fraudulent entry.” The court found that fraudulent entry into a computer system was limited to outside hackers, not content submitted by authorized users, due to this language in the rider:
The attached bond is amended by adding an Insuring Agreement as follows:
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, OR
(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System …
Universal’s claim was for $18M in losses due to fraudulent Medicare claims entered into its systems by authorized employees. These claims were submitted by fraudulent “providers” via an automated system that required Universal’s staff to re-enter them for payment. Since outside parties never entered the fraudulent claims into Universal’s proprietary system, and the information was processed by Universal’s own staff, the court upheld the denial of coverage.
Apache Corp. v. Great American Insurance Co., No. 4:14-cv-237 (S.D. Texas 2015)
Apache’s crime policy included computer coverage if loss resulted “directly from the use of any computer.” Apache received a call from an individual purporting to be one of its vendors, requesting that Apache change the payment/wiring instructions on its account. Apache asked that the request be made in writing on the vendor’s letterhead. The written request was thereafter emailed from an address that appeared to belong to the vendor, with forged letterhead. The secretary who received the fraudulent email showed it to another employee, who passed it to a supervisor. Apache then called the representative listed on the “letterhead” to confirm authenticity, and the person who answered at the number on the letterhead confirmed the change request. Thereafter, Apache wired approximately $2.4 million in funds before recognizing that the account was fraudulent.
While Apache’s policy covered loss “resulting directly from the use of any computer to fraudulently cause a transfer of [ ] property from inside the premises … to a person … outside those premises,” Great American argued that the loss was not directly caused by the computer, but rather by the intervention of three individuals who were using computers, and denied coverage.
The court held that “Defendant’s reading would be to limit the scope of the policy to the point of almost non-existence. That is, if anytime some employee interaction took place between the fraud and the loss, or any fraud was perpetrated any way other than a direct ‘hacking,’ the insurance company could be relieved of paying under the Policy.” The court thus agreed with Apache and found coverage (Great American filed notice to appeal).
Medidata Solutions Inc. v. Federal Insurance Co., case number 1:15-cv-00907 (ALC) (July 21, 2017, U.S. D.C. S.D. New York)
Federal’s “computer fraud” coverage protected Medidata against loss from “the unlawful taking or fraudulently induced transfer of money … resulting from a [c]omputer [v]iolation,” which it defines as “the fraudulent entry of [d]ata into … a [c]omputer [s]ystem” and “change to [d]ata elements or program logic of a [c]omputer [s]ystem.” The policy’s “funds transfer fraud coverage” protected against “direct loss of [m]oney” resulting from “fraudulent electronic … instructions” but did not cover Medidata for a voluntary funds transfer initiated by employees.
Mid-level employees at Medidata were deceived into transferring $4.8 million to a foreign bank account based on emails appearing to come from a Medidata executive. Since “fraudulent entry” into a computer system did not occur, Federal considered the funds transfer “voluntary” and denied coverage.
The court noted that the theft occurred using spoofed emails, and that there are many methods a criminal may use to hack a computer system; a technical attack is only one of them. In this case, the manipulated phishing message contained code that tricked the Gmail computer system into populating the sent messages with the Medidata president’s real name and photo. The court referred back to Universal, agreeing that coverage should be denied for fraud caused by the submission of fraudulent data by authorized users. However, because the code in the phishing message violated the integrity of the Gmail computer system (a “change to data elements”), and because “larceny by trick is still larceny,” the court found that Medidata had demonstrated its losses were a direct result of a “computer violation” and ordered Federal to honor the coverage.
Scrutinizing your policy language now and ensuring it is clearly providing the coverage you need will help minimize the risk that you’ll end up in litigation with your insurer later because something was left too open to interpretation.