Law360 published an excellent article, The Insurance Landscape For Phishing Claims Is Shifting,1 written by Jason Rubinstein and Jasmine Chalashtori. Their summary about the importance of coverage for these computer fraud claims and the need for brokers to discuss these risks with their business clients was highlighted at the end of their article:

[G]iven the growing risk posed by business email compromise scams to companies whose business models include large-dollar transfers, in addition to implementing protective best practices, companies should proactively review their insurance coverage with an eye toward business email compromise losses.

Policyholders should consult with their brokers about potentially obtaining coverage intended to cover business email compromise risks, either as a standalone policy or as an endorsement to other policies. Should a policyholder fall victim to a business email compromise scam, it should work with coverage counsel to review all potentially applicable lines of coverage.

If coverage is pursued, an insurer denial should not be taken at face value given the developing legal landscape and fact-specific nature of coverage related to business email compromise claims, under which policyholders may have strong arguments for coverage even where the subject policies do not expressly address business email compromise claims.

A recent article in the Louisiana Bar Journal, headlined the following quote and statistics:

In 2012, former FBI Director Robert Mueller said, ‘[T]here are only two types of companies, those that have been hacked and those that will be.’ Such vulnerability is evidenced by the Equifax hacking in 2017 that affected the data of 143 million Americans and exposed them to the threat of identity theft and fraud; the 2013 data breach of Target which resulted in the leak of tens of millions of credit and debit cards; and the record breach at Anthem in early 2015.2

One problem for policyholders is getting the right type of coverage and making certain that between traditional property coverage and traditional coverages, there is indeed cover for these losses. An article in the Consumer Finance Law Quarterly Reporter, Looking For Coverage In All The Right Places: Financial Institutions Should Keep An Open Mind When Seeking Coverage For Cyber Losses, made this warning:

There is not a form or set of form policies for cyber coverage. This means there are inconsistencies between the different insurance companies’ cyber policies and between the cyber policies a given insurance company sells. The breadth of coverage can vary widely and not all of the coverages….will be in every cyber policy. Like any other policy, cyber policies also contain exclusions.

Due to the variance among cyber policies, it is particularly important to understand what coverage traditional policies could provide if a cyber event took place. The particular electronic assets and vulnerabilities of a given business drive the analysis and conclusions on this issue, but there are some common themes.

Getting coverage for property damage to non-tangible property would be most likely accomplished through a cyber policy. However, coverage for damage to tangible property or ‘physical damage’ to property may need to be sought under a property policy, or a general liability policy, depending on whether the loss is first-party or third-party. But getting a claim for such coverage paid would be made significantly more difficult if there is a broad exclusion for losses from computerized or electronic occurrences. While some cyber policies provide coverage for tangible property, sometimes that coverage is limited by the definition of the policyholder’s ‘network’ (i.e., computers and servers) and is sub-limited to an amount below the limits on the face of the policy. Accordingly, care should be taken to identify gaps in coverage for losses to property.

Other gaps may exist and could include financial losses because of exclusions tagged onto crime policies or errors and omissions (E&O) policies. Many of these gaps can be fixed by working with an experienced broker when renewing coverage.3

The bottom line is that computer fraud and cyber-crime are major risks for businesses. Every insurance agent and risk manager should be having discussions with their clients about these risks and how to properly get coverage for the various losses that occur.

Similarly, insurance claim professionals must keep abreast of these types of losses and understand the applicable coverages as the losses increasingly occur and coverage issues are presented.

Thought For The Day

For most smart devices being made, there’s likely someone in the world reverse engineering it to see how to get in.
—Rebecca Herold
1 Jason Rubinstein & Jasmine Chalashtori, “The Insurance Landscape For Phishing Claims Is Shifting,” Law360, Jan. 2, 2020, (subscription required).
2 “Cybersecurity—How Safe Are You?” 67 La. B.J. 246, 247.
3 “Looking For Coverage In All The Right Places: Financial Institutions Should Keep An Open Mind When Seeking Coverage For Cyber Losses,” 72 Consumer Fin. L.Q. Rep. 234, 240.