Many organizations are surprised to learn in the wake of a cyber-incident that their “cyber” insurance does not cover their losses. Very often this is because the particular method the fraudsters used does not fall within the type of risk the policy covers. A case involving National Bank of Blacksburg (“NBB”) in Virginia illustrates how the method fraudsters use to commit a fraud can create serious coverage issues for the insured organization.
NBB experienced two related cyber-incidents several months apart. Both began with phishing emails that tricked employees into letting the fraudsters install malware on NBB’s network. The first incident occurred over Memorial Day weekend in 2016. Using that malware, the fraudsters obtained access to NBB’s STAR Network account and used it to disable anti-fraud mechanisms on NBB customer debit cards. Over the long holiday weekend, the fraudsters caused hundreds of ATMs to dispense cash debited from NBB customer accounts. NBB lost over $500,000.
NBB engaged a computer forensic firm to identify how fraudsters gained access, and to remediate security flaws. NBB implemented additional security to try to prevent any future attack from occurring.
Unfortunately for NBB, the fraudsters came back just eight months later, in January 2017. They again gained access to NBB’s STAR Network account, and this time also to NBB’s internal systems, which allowed them to manipulate credits and debits in customer accounts. The fraudsters transferred $2 million into customer accounts and then caused ATMs to dispense cash, again over a weekend. This time they received over $1.8 million. After taking the cash, the fraudsters used their access to delete the debits and credits in the customer accounts to cover their tracks.
NBB made a claim under a computer and electronic crime rider to its financial institution bond. The policy provided coverage for:
Loss resulting directly from an unauthorized party (other than an Employee) acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs within any Computer System . . . operated by the Insured . . . [p]rovided that the entry or change causes: (1) property [e.g. money] to be transferred, paid or delivered, (2) an account of the Insured [National Bank], or of its customer, to be added, deleted, debited or credited, or (3) an unauthorized account or a fictitious account to be debited or credited.
At first glance, the policy appeared to cover this loss. Under this coverage clause, NBB had up to $8 million of coverage. However, NBB’s carrier denied the claim. Instead, the carrier asserted that the loss was only covered by a debit card rider that had a $250,000 coverage limit.
NBB filed a lawsuit against its insurance carrier in the United States District Court for the Western District of Virginia. The parties eventually mediated and reached a confidential settlement in January 2019.
This case follows numerous examples, covered by this blog, of insurance companies denying coverage for cyber-incidents because of the specific type of insurance the organization carried. In one case, the insurer denied coverage when fraudsters manipulated a company’s email to falsely display internal employee email addresses. In another, the insurer denied coverage for a claim that arose after fraudsters intercepted a company’s email and impersonated a vendor in order to obtain payments meant for the real vendor. In a similar case, an insurer denied coverage when fraudsters tricked an employee into wiring funds meant for a vendor to the fraudsters instead. In all of these cases, the insurance companies argued that the particular fraud scheme that caused the loss was not covered by the particular cyber-insurance policy.
At least one carrier is also looking at whether state-sponsored cyberattacks fall within so-called “war exclusions” that typically exclude coverage for “hostile and warlike actions” by state-sponsored actors. Given how difficult it is to definitively attribute malware strains and cyberattacks to state or non-governmental actors, insurance companies denying coverage under war exclusions could create serious problems for insureds. If a coordinated state-sponsored cyberattack causes large-scale losses, then it is possible that insurance carriers may deny claims on the basis of the war exclusion. Insureds need to keep in mind that purchasing insurance does not always protect against future loss.
NBB’s fate is a cautionary tale for organizations of all kinds. NBB thought it had adequate insurance coverage, but found out after the incident that its insurance provider had a different view. Organizations can draw several lessons from NBB’s experience.
First, organizations should closely review their insurance policies to identify whether they have coverage for their greatest risks. Second, organizations should work closely with knowledgeable attorneys early in the process of responding to an incident. Organizations need to consider whether their incident may lead to a dispute with their insurance company, and take appropriate actions early in the incident response process. Third, the fraudsters exploited a holiday and weekends to delay discovery of their scheme. Organizations should assume that fraudsters will pick inconvenient times for an attack, and make sure their incident response plans and monitoring are designed accordingly. Finally, organizations should have robust procedures and controls in place to minimize the risk that a single fraudulent email leads to a multi-million dollar loss. This means more than plugging in new hardware and installing new software. Organizations should spend time identifying the potential legal liability and loss that might result from a cyber-incident, and make sure they have adequate policies in place to minimize that risk.
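Two of the controls the lessons above point to can be illustrated with a small detection script. The NBB incidents combined an off-hours surge of ATM withdrawals with, in the second case, deletion of the corresponding ledger debits. The following is an added example, not code from the original post and not NBB’s or any bank’s system: it reconciles constructed ATM switch dispense records against constructed core-ledger debits to surface withdrawals whose debit is missing, and it flags hours whose withdrawal count exceeds a multiple of an assumed baseline, marking whether the hour fell on a weekend, a holiday, or outside business hours. The record formats, the holiday calendar, the baseline rate and the threshold factor are all assumptions.

```python
"""Added example: reconcile ATM dispense records with ledger debits and flag
off-hours withdrawal surges. All records below are constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime, date

# Constructed ATM switch "dispense" records: (timestamp, card_id, atm_id, amount).
# The Saturday 02:00 hour contains a burst of $500 withdrawals.
DISPENSES = [
    ("2016-05-27T10:15:00", "card-001", "atm-01", 200),
    ("2016-05-27T11:40:00", "card-002", "atm-02", 100),
    ("2016-05-28T02:03:00", "card-003", "atm-05", 500),
    ("2016-05-28T02:07:00", "card-004", "atm-05", 500),
    ("2016-05-28T02:12:00", "card-005", "atm-06", 500),
    ("2016-05-28T02:15:00", "card-006", "atm-06", 500),
    ("2016-05-28T02:21:00", "card-007", "atm-07", 500),
    ("2016-05-28T02:44:00", "card-008", "atm-07", 500),
    ("2016-05-29T14:05:00", "card-009", "atm-01", 300),
]

# Constructed core-ledger debits: (timestamp, card_id, amount). Two of the
# Saturday withdrawals (card-005, card-006) have no debit, as if deleted.
LEDGER_DEBITS = [
    ("2016-05-27T10:15:02", "card-001", 200),
    ("2016-05-27T11:40:01", "card-002", 100),
    ("2016-05-28T02:03:01", "card-003", 500),
    ("2016-05-28T02:07:02", "card-004", 500),
    ("2016-05-28T02:21:01", "card-007", 500),
    ("2016-05-28T02:44:02", "card-008", 500),
    ("2016-05-29T14:05:01", "card-009", 300),
]

# Assumed holiday calendar: Memorial Day 2016.
HOLIDAYS = {date(2016, 5, 30)}


def is_off_hours(ts, holidays=HOLIDAYS, start=8, end=18):
    """True on weekends, listed holidays, or outside the assumed business hours."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.date() in holidays or not (start <= t.hour < end)


def reconcile(dispenses, debits):
    """Return dispense records with no matching ledger debit.

    A match is the same card and amount on the same calendar day; each debit
    may satisfy only one dispense, so duplicates are not double-counted.
    """
    available = Counter((d[0][:10], d[1], d[2]) for d in debits)
    unmatched = []
    for ts, card, atm, amount in dispenses:
        key = (ts[:10], card, amount)
        if available[key] > 0:
            available[key] -= 1
        else:
            unmatched.append((ts, card, atm, amount))
    return unmatched


def hourly_surges(dispenses, baseline_per_hour, factor=3.0, holidays=HOLIDAYS):
    """Flag hours whose withdrawal count exceeds factor x baseline.

    baseline_per_hour is an assumed historical average; each alert records the
    count, the cash total, and whether the hour fell outside business time.
    """
    per_hour = defaultdict(list)
    for rec in dispenses:
        per_hour[rec[0][:13]].append(rec)  # group on "YYYY-MM-DDTHH"
    alerts = []
    for hour, recs in sorted(per_hour.items()):
        if len(recs) > factor * baseline_per_hour:
            alerts.append({
                "hour": hour,
                "count": len(recs),
                "total": sum(r[3] for r in recs),
                "off_hours": is_off_hours(recs[0][0], holidays),
            })
    return alerts


if __name__ == "__main__":
    for alert in hourly_surges(DISPENSES, baseline_per_hour=1.0):
        print("SURGE", alert)
    for rec in reconcile(DISPENSES, LEDGER_DEBITS):
        print("NO LEDGER DEBIT", rec)
```

The reconciliation step is the one that matters most for the second NBB incident: an intruder who can delete ledger entries can hide a loss from the core banking system, but not from the ATM switch records, so comparing the two sources on a schedule that does not stop for weekends and holidays gives an independent signal.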