By now, there is little question that the cyber insurance market can be confusing. Cyber claims typically involve complex and novel technological issues.The risk from hackers and negligence with private data is continuing to evolve. The policy language is unique and there appears to be no concerted effort to develop cyber insurance forms. The best strategy continues to be coordination [1] between, insureds, insurers, brokers and underwriters. In addition to all these factors, it has recently become clear that cyber insurance litigation can add to the confusion in the marketplace.
A recent cyber insurance case filed this summer and pending in the United States District Court for the Western District of Virginia is attracting more attention than most litigation involving cyber insurance. In her July 30, 2018 article entitled What Does Cyberinsurance Actually Cover? [2] in Slate, Josephine Wolff tackles an insurance coverage case entitled The Nat’l Bank of Blacksburg v. Everest Nat’l Ins. Co., 18 CV 310 GEC. While it is great to get people thinking about these issues, this article draws a number of conclusions that may over simplify insurance coverage issues related to cyber claims. Based on only the allegations in the complaint [3] filed by the National Bank of Blacksburg, Wolff concludes the following about cyber insurance:
“To understand the mess that National Bank now finds itself in, it’s helpful to know three things about the cyber insurance market. First, while it’s still a relatively small market, it’s growing rapidly (unlike many sectors of the insurance business), and many insurers are eager to sell these policies in order to grow their business. Second, many insurance firms pitching the policies are also concerned about whether they have sufficiently robust models to predict and characterize cybersecurity incidents—they worry they may end up paying too many of these claims to stay profitable in the event of widespread cyberattacks. Third, there’s considerable (and increasing) overlap between cyber-related incidents and the types of events covered by other kinds of insurance. For instance, as cars and buildings incorporate more automated computer-controlled systems, the line between what types of incidents are covered by cyber insurance as opposed to by auto insurance blurs; ditto the line between cyber insurance and property insurance coverage.”
From an initial standpoint, the allegations in National Bank’s complaint for declaratory judgment are fairly-typical claims for an insured seeking a declaratory judgment against its insurer. National Bank asserts that Everest National issued an insurance policy (a financial institution bond) to National Bank, which was modified by a Computer & Electronic Crime Rider. The complaint provides details on two separate attacks by hackers which are summarized as:
“…coordinated unauthorized intrusions into National Bank’s computer systems and network, to change customer account balances, monitor network communications, remove critical security measures such as anti-theft and anti-fraud protections, conduct keystroke tracking, and otherwise enter or change electronic data and computer programs on National Bank’s computer systems, which allowed them to illegally withdraw funds from the accounts of National Bank customers, post fake deposits, and remove illegal transactions from customer accounts.”
An investigation indicated the first attack originated from a phishing email which allowed for the installation of malware that allowed access to the Bank’s computer systems. An investigation of the second attack indicated it was related to the first attack and was linked to phishing email that tricked a bank employee. The second attack also included additional steps where the hackers fraudulently credited customers accounts before removing money from the accounts. National Bank claims the first attack resulted in a loss of $569,648 while the second attack caused a loss exceeding $1.8 million. The complaint further alleges that Everest National denied coverage under the Computer & Electronic Crime Rider and, instead, agreed to cover losses under the Debit Card Rider also modify the terms of coverage provided by the Bond. The Crime Rider had limits of $8 million while the Debit Card Rider had a limit of $50,000.
The Crime Rider issued to National Bank modified the Bond in the following manner:
“Loss resulting directly from an unauthorized party (other than an Employee) acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs within any Computer System…operated by the Insured…[p]rovided that the entry or change causes (1) property [e.g. money] to be transferred, paid or delivered, (2) an account of the Insured [National Bank], or if its customer, to be added, deleted, debited or credited, or (3) an unauthorized account or a fictious account to be debited or credited.”
On the other hand, the Debit Card Rider provided coverage for “Loss resulting directly from Debit Transactions, or automated mechanical device transactions, due to the fraudulent use of a lost, stolen or altered Debit Card or Counterfeit Debit Card used to access a cardholder’s deposit account through an electronic payment device or automated mechanical device.”
Based on these allegations, National Bank sought a declaratory judgment that the two attacks were covered under the Bond’s Crime Rider rather than the Debit Card Rider.
Based on nothing more than National Bank’s complaint, the Slate article concludes coverage is warranted for the two attacks to the extent “the National Bank incidents seem like textbook example of computer and electronic crimes.” After discussing the facts giving rise to the insurance coverage dispute, the Slate article asks “[s]urely it was precisely incidents like these that cybercrime insurance policies were intended to cover?” Unfortunately, the Slate article may make the same mistakes that many people that are considering cyber insurance may make when they are looking at coverage options. Therefore, in addition to providing valuable information concerning the insurance coverage issues presented by the cyber market, this article also provides a useful glimpse at how the public may view the current state of cyber insurance.
First, there are some larger points that the Slate article may overlook. National Bank is not making a claim under a cyber policy. The Slate article glosses over the fact that National Bank is seeking coverage on a sophisticated financial institution bond that has been modified by riders for computer & electric crime and debit card use. This may not be the best scenario to make sweeping conclusions about the value of cyber insurance when a cyber insurance policy is not involved in the litigation. Indeed, the National Bank litigation may provide little insight for a small or medium sized company considering cyber insurance.
Further, reviewing only National Bank’s complaint does not allow for a full analysis of whether this can be considered a “textbook example of computer and electronic crimes.” That is, even if the incidents were textbook computer crimes, the insurance coverage questions are still complex. Not to mention the fact that Everest’s denial letters are filed under seal and cannot be viewed, and, therefore, the only unbiased information we have on Everest’s position is Everest’s answer and affirmative defenses [4].
Nevertheless, while the insurance coverage analysis may be slightly unfocused, the Slate article ultimately provides prudent advice when it concludes “[f]or customers looking to buy cyberinsurance, it should serve as a strong reminder of how much time they should spend scrutinizing and customizing a boilerplate policy with an expert before agreeing to purchase anything.” Indeed, this is valuable information for anyone looking to navigate the cyber insurance marketplace.
We will continue to provide updates on the National Bank litigation.