In the past few months we have seen a few new developments on the cyber-risk frontier, including a court decision in Arizona in the P.F. Chang’s case, and the emergence of social engineering fraud as a stand-alone coverage. Here are three action items to help Northwest businesses manage cyber-risks effectively through insurance.
1) Read your cyber-policy, then read it again – it may not cover your biggest risks, in which case you must negotiate coverage. First up is the recent court decision—one of the first on a stand-alone cyber risk policy—in the P.F. Chang’s case in Arizona. The restaurant chain suffered a data breach involving customer payment-card data. P.F. Chang’s did not itself pay the costs of reissuing cards, covering fraudulent charges and so on; those were borne by its “merchant services” vendor and by Visa/Mastercard. But the vendor’s contract entitled it to charge all of those costs back to P.F. Chang’s, and P.F. Chang’s looked to its cyber insurer (Chubb) to cover them. Chubb paid some and denied others, relying on a relatively obscure exclusion for payments made because of a contractual obligation. The court agreed that the exclusion barred recovery even though the charges flowed from a data breach that was otherwise covered.
The lesson here is that cyber policies are not all the same, and each must be evaluated carefully against the risks your company actually faces, from all corners. P.F. Chang’s Chubb policy did not cover “PCI-DSS” fees and assessments, coverage that is available as an add-on to some policies and is built into the body of others. But even adding PCI-DSS coverage may not be enough, because of sub-limits (as a hotel in New Orleans found out: more information here) or because of how the coverage is defined. A detailed analysis of your risks against your coverage, followed by negotiating changes to the policy so those risks are covered, will avoid surprises down the road.
2) Keep on top of emerging cyber-related risks like Social Engineering Fraud, and ask if you have coverage for them under any of your policies. Insurers are often behind the times in writing coverage that applies to newer cyber-risks. “Social engineering fraud” (sometimes called “business email compromise”) is a good example. There are different varieties of this risk, but the most common is that a criminal sends an email—one that appears to be authentic and from a higher-up, such as the CFO or CEO—to someone inside the company who has the ability to wire funds, directing them to make a transfer. The scammers may have crafted the fake email after hacking into the company’s systems, but often they merely create a look-alike message from an outside account, using publicly available information about the company and its executives. (More on the scam is available here).
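The “dummy email” variety described above, where no account is hacked, leaves traces in the message headers: the display name borrows an executive’s name while the actual address sits outside the company domain, the sending domain is a visual look-alike of the real one, or a Reply-To header quietly redirects replies elsewhere. The following is an added example, not part of the original article and not code from any party named in it; the company domain, the executive list and the three sample messages are constructed for illustration, and the header checks are a common screening heuristic rather than any insurer’s or vendor’s method.

```python
"""Header checks for the 'dummy e-mail' variety of business email compromise.

Added example, not part of the original article. COMPANY_DOMAIN, EXECUTIVES
and the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: the company's real domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: names a scammer would borrow


def normalize_domain(domain):
    """Fold the character swaps look-alike registrations commonly rely on
    (rn->m, 0->o, 1->l, 3->e, 5->s) so 'examp1e.com' compares equal to 'example.com'."""
    folded = domain.lower().replace("rn", "m")
    return folded.translate(str.maketrans("0135", "oles"))


def check_message(raw):
    """Return a list of findings for one RFC 5322 message; an empty list means
    none of the three header tells were present."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # Tell 1: an executive's name in the display part, but not their real address.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        findings.append("display-name spoof")

    # Tell 2: a sending domain that is not ours but collapses to ours once
    # confusable characters are folded.
    if from_domain != COMPANY_DOMAIN and normalize_domain(from_domain) == normalize_domain(COMPANY_DOMAIN):
        findings.append("lookalike domain")

    # Tell 3: replies silently routed to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to mismatch")

    return findings


# Constructed sample messages (headers only, plus a short body).
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Q3 numbers\n\n"
    "Please send me the Q3 summary.\n"
)
FREEMAIL_SPOOF = (
    "From: Jane Doe <ceo.janedoe@freemail.test>\n"
    "Reply-To: <jane.doe@examp1e.com>\n"
    "To: ap@example.com\n"
    "Subject: Urgent wire\n\n"
    "Wire 48,500 to the attached account today. I am in meetings, email only.\n"
)
LOOKALIKE_SPOOF = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "To: ap@example.com\n"
    "Subject: Vendor bank change\n\n"
    "Our supplier has new banking details, please update before Friday.\n"
)

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("freemail", FREEMAIL_SPOOF), ("lookalike", LOOKALIKE_SPOOF)]:
        print(label, check_message(raw))
```

The checks flag the two constructed scam messages and pass the genuine one, but note the limit the article itself points at: when the attacker has actually compromised the executive’s mailbox, every header is authentic and nothing here fires. That is why the control that matters for wire fraud is procedural (an out-of-band callback to a known number before any new or changed payment instruction is honoured), and why the coverage question in this section has to be asked regardless of how good the mail filtering is.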
This is often considered a “cyber” risk because of the use of e-mail and wire instructions—but if there is no hacking, it likely does not fall within any typical cyber coverage. Companies therefore should look to their crime policy for coverage, and some crime policies have paid out on these claims. This illustrates the principle that your insurance coverage should be treated as a whole program, not as specific policies for specific risks—often a company will have overlapping coverage, without even knowing it, and even “old-school” policies may cover a new risk. (See this piece by my colleague Frank Langfitt on a decision finding coverage for a breach under a traditional CGL policy).
But more often, coverage will be denied under a traditional crime policy, usually on the basis that the employee making the wire transfer was authorized to do so (and therefore the instructions to pay were not “fraudulent”), and that there was no “forgery” of a financial instrument.
Even if hacking is involved in a theft, the insurer may contest coverage. Consider what happened to State Bank of Bellingham, a community bank in Minnesota that lost almost half a million dollars when an employee left a terminal connected overnight, allowing a hacker to transfer funds out of the bank. The bank sought coverage under its Financial Institution Bond (crime coverage for banks) but was denied on the basis that the loss was caused by employee negligence and that an exclusion for employees therefore applied. The bank had to sue for coverage, and eventually an appeals court intervened, finding that the “proximate cause” of the loss was a criminal act, but the bank had to endure years of litigation to get to that point.
Specific coverage for scams that result in theft of money is now widely available through endorsement to either your cyber or crime policy. But those who don’t know about this or other emerging risks, or who assume that their existing coverage applies, won’t know to ask for it. So consult with those “in the know” on emerging risks in your industry, and then ask your broker or coverage counsel whether your existing policy covers those risks.
3) Regulatory risks may now be your biggest “cyber” vulnerability – do your policies cover it, and what’s your sub-limit? As consumer class action litigation remains mired in disputes over standing and other procedural issues, government regulators are stepping in, imposing substantial penalties even against companies that appear to have done everything right. This is particularly true of heavily-regulated companies like financial institutions (see this piece on the SEC’s $1 million fine on Morgan Stanley and other SEC actions) and healthcare companies (see this piece on OCR’s series of significant fines for HIPAA violations), but all companies are at risk from consumer-protection regulators like the CFPB and the FTC (see here for an excellent piece by my colleagues Dave Rice and Faye Ricci on recent CFPB action, and here for more information about the FTC).
The lesson here is to pay close attention to the regulatory risks in your industry, and then closely examine your coverage to see whether your policy a) covers the risk, not just potential fines but also the legal costs of defending against the regulatory investigation, and b) carries a sub-limit for regulatory coverage that is lower than your likely exposure, in which case the sub-limit needs to be negotiated up.
These are three of the biggest things that you can do right now to get ahead of risks to your company from cyber-related threats and potential coverage shortfalls. As with anything else in business, those who proactively manage these issues will have the advantage.
NB: Hat-tip to Rick Zelinski, a broker at PayneWest in Spokane who focuses on cyber-insurance for financial institutions, for assistance with this piece.