Posted on 05/09/2018 at 12:30 PM by John Lande
This blog has repeatedly covered cases where “cyber insurance” did not cover losses from cyberattacks. For example, we previously covered the case of Aqua Star (USA) Corp. v. Travelers Casualty & Surety Company of America. Aqua Star was a seafood importer that routinely made payments to Zhanijan Longwei Aquatic Products (“Longwei”) in China for seafood. Hackers monitored Aqua Star’s internal email and were able to trick an Aqua Star employee into changing the destination bank account for Aqua Star’s payments to Longwei. Aqua Star ended up sending approximately $700,000 to fraudsters rather than Longwei.
Aqua Star made a claim under its insurance policy’s “Computer Fraud” coverage provision. Travelers, the insurance carrier, denied the claim because the policy contained an exclusion that provided it “will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System. . . .” In other words, the exclusion denied coverage for any loss resulting from an Aqua Star employee voluntarily initiating an electronic payment. That is exactly what happened in this case when the duped Aqua Star employee voluntarily changed the destination account for vendor payments.
The United States District Court for the District of Washington ruled in favor of Travelers. Aqua Star appealed to the Ninth Circuit Court of Appeals. In April 2018, the Ninth Circuit affirmed the district court’s ruling. The Ninth Circuit concluded that the policy did not cover losses resulting from employees voluntarily initiating electronic payments. Thus, if an employee is tricked into initiating a wire transfer or sends payments to fraudsters, then the Travelers policy at issue in this case will not cover any losses.
The Aqua Star case provides a good example of how gaps in insurance coverage can lead to significant losses. When purchasing insurance, organizations need to pay close attention to where their greatest risks are. For many organizations, employee actions in response to spoofed emails are a substantial source of risk. Organizations should shop for insurance coverage that covers those kinds of events. Alternatively, if an organization cannot find insurance coverage that applies to those risk areas, then it needs to make sure it has effective controls in place to prevent employees from causing losses that are not covered by insurance.
This case shows that buying “cyber” insurance isn’t as simple as buying a policy that covers computer fraud. Organizations should carefully review policy limitations with a knowledgeable broker, and discuss coverage needs with their counsel.
The material in these presentations is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed. The opinions expressed in these videos are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
- John Lande