5th Circuit Court Finds Cyber Insurer Must Pay for $1 Million Social Engineering Attack



A simple social-engineered Business Email Compromise (BEC) attack resulted in a fraud loss that the cyber insurer contended was not covered under the policy.

I’ve written a number of times about court cases where the attacked organization sued its insurer because the insurer wouldn’t cover the claim… and the insurer won on a technicality. In a turn of events, the case between financial services provider HMI and its insurer Twin City has recently been decided in favor of the insured.

HMI was the victim of a BEC scam in which the attacker impersonated a client, the Geibs, and requested that $1M be transferred to an account the threat actor controlled. HMI fell for the scam and lost $1M of the Geibs’ money. HMI settled with the Geibs and then filed a claim with its insurer, Twin City. Twin City denied the claim, which led to a lawsuit that reached the Fifth Circuit Court of Appeals.

Twin City maintained that the claim was invalid due to the following clause:

“Loss...in connection with any Claim based upon, arising from, or in any way related to any actual or alleged...rendering of, or failure to render, any services for or on behalf of others for a fee... ”

HMI argued that it had charged the Geibs no fee for the transfer, so the exclusion for “services… for a fee” did not apply. The court agreed, found for HMI, and ordered Twin City to pay the claim.

While this case worked out for the attacked organization, it’s important to realize that cyber insurers will scrutinize every word of a policy looking for a way to avoid paying a claim. Read your policy’s exclusions for social engineering, funds-transfer fraud and “professional services” before an incident, not after.

A better approach – in addition to having cyber insurance – is to put Security Awareness Training in place (as part of a layered defense strategy) to educate the employees who have access to company financials and money about such scams and how to spot them before becoming a victim. Pair the training with a hard process control: any request to send funds or change payment details gets verified out of band, by calling the client at a phone number already on file, never one supplied in the request itself.


Request A Demo: Security Awareness Training

New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one-and-done deal; continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

Save My Spot!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat-request-a-demo
