Cyber insurance is a critical part of a layered cybersecurity defense.
However, as this blog recently covered, cyber insurance carriers are suffering increasing losses from claims on cyber insurance policies. Consequently, cyber insurance companies have started to draft strict coverage clauses to reduce the number of claims, and have lowered the amount of coverage available to insureds.
As a result, there continues to be a steady stream of disputes between insureds and their carriers. A recent case from California illustrates the type of insurance lawsuits that will likely continue for the foreseeable future. Ernst and Haas Management Co., Inc. v. Hiscox, Inc. began like so many cyber frauds do: with an email. An accounts payable clerk at Ernst and Haas Management (“Ernst & Haas”), a property management company, received an email allegedly from her superior. However, in reality the email was spoofed, and came from overseas fraudsters.
The accounts payable clerk initiated a $50,000 wire transfer based on the fraudulent email. After the first transfer occurred, the fraudster requested a $150,000 transfer. The clerk initiated the second transfer. However, the clerk became suspicious when her “superior” requested a $470,000 transfer. At that point, the clerk discovered the fraud. Unfortunately, by that time the $200,000 transferred to fraudsters could not be recovered.
Ernst & Haas had cyber insurance from Hiscox. There were two insuring clauses that potentially provided coverage—computer fraud and funds transfer fraud. The relevant provisions stated:
Computer fraud coverage will cover losses “resulting directly from the use of any computer to fraudulently cause a transfer of that property from” Ernst & Haas.
Funds transfer fraud coverage will cover losses “resulting from a Fraudulent Instruction directing a financial institution to transfer, pay or deliver Money and Securities from Your Transfer Account.”
The insurance company denied coverage, so Ernst & Haas filed a lawsuit. The district court ruled in favor of the insurance company, so Ernst & Haas appealed. The issue on appeal was whether the losses Ernst & Haas suffered resulted “directly” from the fraudulent email.
Whether spoofed emails from fraudsters are the “direct” cause of loss is often the core of insurance disputes. Insurance companies argue that these losses are not “directly” the result of the fraudsters’ emails, because employees voluntarily took intervening action to set up and initiate the funds transfers.
The Ninth Circuit Court of Appeals, however, disagreed with both the insurance company and the district court. The Court reasoned that an email directing an employee to initiate a funds transfer was a direct cause of the loss.
While Ernst & Haas prevailed on appeal, it may yet lose. That is because there is still an unresolved issue in the case regarding whether the policy had been updated before the loss occurred. The original policy was issued in 2012, but in 2019 the insurance company argued it updated the policy. The policy update may mean Ernst & Haas ultimately loses.
This case illustrates two important issues with cyber insurance. First, insurance clauses are still open to interpretation, so insureds should not give up pursuing a claim simply because the insurance company initially denies a claim. Second, insurance companies are updating insurance agreements to limit the scope of coverage. Insureds should closely review any potentially applicable insurance in the wake of a cybersecurity event. The policy may provide more coverage than even the insurance company realizes.
Shareholder Attorney John Lande is chair of Dickinson Law’s Cybersecurity, Data Breach, & Privacy practice group.