Does your clients’ cyber policy cover phishing?

Cybersecurity liability insurance is not always comprehensive, and general fraud may not be covered under such a policy

By Lyle Adriano

Cybersecurity liability insurance distributors might want to check whether their clients fully understand what their policy can and cannot cover, as it could save their clients a costly trip to court.

The US Court of Appeals for the 5th Circuit recently ruled in the Apache Corp. v Great American Insurance Company case that a seemingly narrow interpretation of a crime insurance policy held true. The circuit court found that the policy did not cover a loss resulting from a duplicitous email message directing money to be wired to an account because the scheme did not constitute “computer fraud” under the policy’s definitions, Mondaq reported.

In 2013, an employee of Apache Corporation received a telephone call from an individual identifying herself as a representative of one of Apache’s vendors, Petrofac. The caller then asked Apache to change the bank-account information for its payments to Petrofac, but the Apache employee replied that the request could not be processed without a formal request on Petrofac letterhead.

The accounts payable department of Apache then received an email with a “petrofacltd.com” address a week later. The sender of the email alleged that Petrofac’s bank information had been changed and even attached a fraudulent letter on Petrofac letterhead. The sender added that the “new” bank information was to take “immediate effect.”

An Apache employee verified the number provided on the letterhead and came to the conclusion that the request was authentic - a formal approval and change followed. Not long afterward, Apache transferred funds amounting to approximately $7 million to the new account. Petrofac later notified the company that it had not received the payments, which finally tipped off Apache that it had been swindled.

Although Apache was able to recover a portion of the money it had lost to the scam from its deductible, the company wanted to recover the balance from its insurer.

Great American Insurance Company (GAIC), Apache’s insurer, denied the company’s claim under the policy’s computer fraud coverage. The insurer explained the denial, saying that the loss did not directly result from the use of a computer, nor did the use of a computer cause the transfer of the funds.

When the case was brought to the 5th Circuit, the court reversed a previous finding by the district court made in favor of Apache. The circuit court found that the loss was not the result of a “direct” use of a computer as considered under the “computer-fraud” provision of GAIC. The fraudulent email was simply a single step in a multi-step scheme, the court posited.

The question now is whether Canadian courts and insurers would interpret “computer fraud” provisions of policies in the same way when faced with the same circumstances.

A Mondaq report suggests that rather than wait until the worst happens, Canadian organizations should regularly conduct internal cyber risk assessments that would properly gauge the adequacy of their insurance policies in relation to the actual risks they face.

