Earlier this year, the Tokyo fish market grabbed headlines when a bluefin tuna sold for a record $3 million. Less well publicized was a phish that reeled in $2 million for fraudsters from the city of Farmington, Connecticut, in 2016.
News stories about cybersecurity incidents involving phishing are routine. However, the fact that phishing schemes are a well-known attack vector does not lessen the risk that organizations face from them. The town of Farmington, Connecticut, learned that lesson when city coffers lost over $2 million to fraudsters.
The scheme began like so many others covered by this blog. Fraudsters sent a key town employee emails disguised to appear as though they came from a vendor for an ongoing sewer project. The fraudsters convinced the employee to send them electronic funds transfers worth $2,042,448. The employee thought the funds were going to pay off the town’s real vendor. The town discovered the fraud when the real vendor inquired about its unpaid invoices. The town was only able to recover $891,386 from intermediary banks.
The town submitted a claim for over $1 million to its insurer under a computer and funds transfer fraud coverage clause. Argonaut, the insurance company, denied the claim. The town then filed a lawsuit against the carrier and its insurance agent. The town disputed the insurance company’s claim that the policy did not provide coverage, and argued that, if the insurance company was right, the insurance agent should be liable for failing to inform the town about coverage limits.
On December 27, 2018, the Connecticut state court issued a preliminary ruling dismissing the town’s claim that the insurance agent owed the town a fiduciary duty. The court explained that the mere fact that a professional possesses greater expertise in a particular area does not necessarily create a fiduciary duty. The insurance agent could, however, still be liable under the town’s negligence and breach of contract theories. Moreover, the insurance company could still be liable to cover the losses.
This case is yet another example of the risks involved with purchasing insurance for cyber-incidents. This blog has covered numerous cases involving disputes between insureds and their carriers after phishing attacks. These cases demonstrate that organizations need to look beyond the word “cyber” in a policy’s name to determine if the policy actually covers the organization’s risks. Organizations should make sure to work with a knowledgeable insurance agent when purchasing “cyber” insurance, or have knowledgeable legal counsel review existing policies for potential gaps in coverage. The town of Farmington, Connecticut, will no doubt do so after its $2 million phish.