Send this article to your legal team and your CEO. This is an important issue: you may have insurance, perhaps even a specific cyber insurance policy, but that does not mean you automatically have coverage if you lose large sums to social engineering. This article shows the risks, and you should follow the developments. First though, a definition you should know.
Shawn Tuma is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas.
In two very short videos, he explains what the courts view as “Reasonable Cybersecurity” and what your organization needs to have in place. Take 3 minutes and watch these two videos. You are going to be glad you did, because they have fantastic ammo to get budget. See them at the KnowBe4 Blog:
Fool Me Once: Insurance Coverage for Social Engineering Scams Under Judicial Review
How the trial courts decided recently
On July 21, 2017, the U.S. District Court for the Southern District of New York issued a decision in Medidata Solutions, Inc. v. Federal Insurance Co., holding that a wire transfer of nearly $4.8 million in connection with a social engineering scheme was covered under the Funds Transfer Fraud and Computer Fraud insuring agreements of a commercial crime policy. Federal has appealed this decision to the Second Circuit.
On Aug. 1, 2017, the U.S. District Court for the Eastern District of Michigan issued a ruling in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, finding no coverage under the Computer Fraud insuring agreement of a commercial crime policy for a wire transfer of approximately $800,000 in connection with a similar fraudulent impersonation scheme. American Tooling has appealed this decision to the Sixth Circuit.
Impact on availability of coverage
Aside from issues of policy construction and interpretation, an ultimate finding of coverage in either of these cases could gravely impact the availability of insurance coverage for the situations these agreements are intended to cover. A Computer Fraud insuring agreement is meant for a hacking situation in which the fraudulent input of data or computer programs into an insured’s computer system directly causes the debit of money from the insured’s account. A Funds Transfer insuring agreement is meant for a fraudulent instruction issued to a financial institution, purportedly by the insured, but in reality unbeknownst to and without the consent of the insured.
As many courts have noted, if coverage is triggered simply because a computer was used in the commission of a fraud, essentially all commercial fraud would be covered because computers are used in nearly every transaction in modern commerce. The scope of the Computer Fraud insuring agreement would become virtually limitless. That’s a result neither side of the debate should want.
Insurers would be forced to alter their wordings in the marketplace, significantly reduce available limits of liability, or perhaps not offer certain coverage at all, while policyholders would be faced with far fewer choices, astronomical premium costs, and uninsured risk.
I suggest you follow the Medidata and American Tooling cases with close scrutiny. A favorable outcome for the carriers in this litigation means a favorable outcome for all issuers and buyers of insurance in the future. Read the article here (registration required):