A simple social engineered Business Email Compromise attack resulted in fraud that the cyber insurer contended was not covered under the policy.
I’ve written a number of times about court cases where the attacked organization sued their insurer because the insurer wouldn’t cover the claim… and the insurer won due to a technicality. In a turn of events, the court case between financial services provider HMI and their insurer Twin City has recently been decided in favor of the client.
HMI was the victim of a BEC scam pretending to be a client, the Geibs, requesting that $1M be transferred to what was a threat actor-controlled account. HMI fell for the scam, losing $1M of the Geibs’ money. A settlement was made and HMI filed a claim with their insurer Twin City. The denied claim resulted in a lawsuit that reached the 5th Circuit Court on appeal.
Twin City maintained that the claim was invalid due to the following clause:
“Loss...in connection with any Claim based upon, arising from, or in any way related to any actual or alleged...rendering of, or failure to render, any services for or on behalf of others for a fee... ”
HMI maintained no fee was incurred by the Geibs and the courts agreed, finding for HMI and mandating Twin City pay the claim.
While this case worked out for the attacked organization, it’s important to realize that, in every case, cyber insurers appear ready to scrutinize every word in the policy, looking for ways to avoid paying the claim.
A better approach – in addition to having cyber insurance – is to put Security Awareness Training in place (as part of a layered defense strategy) to educate those employees with access to company financials and money about such scams and how to spot them before becoming a victim.