Very interesting article in the Insurance Journal.
In a closely-watched case on insurance coverage in an age of expanding cyber risk, a federal appeals court in New York has upheld a lower court ruling that a Chubb unit's commercial crime insurance policy covers wire transfer losses resulting from a spoofing attack.
The ruling is a reminder that the wording of your cyber insurance policy is crucial in determining payments relates to social engineering attacks.
The case (Medidata Solutions Inc. v. Federal Insurance Company) before the Second Circuit appeals court involved a crime insurance policy with a computer fraud provision issued by Chubb subsidiary Federal Insurance Co. in June 2014 to Medidata, a clinical trial software firm.
The claim involved a—by now pandemic—type of social engineering called CEO Fraud, which the FBI calls Business Email Compromise, where fraudsters convince employees to wire funds to external accounts. The policy had a $5 million limit for forgery, funds transfer fraud and computer fraud.
Medidata employees were “spoofed” into wiring $5 million to an account they were led to believe was for an acquisition by a series of fraudulent emails that the fraudsters misrepresented were from an outside attorney and Medidata’s own president.
Medidata argued that its computer fraud provision should cover its loss because the Federal policy defined a computer violation as any “entry of Data into” or “change to Data elements or program logic of a computer system.”
Federal Insurance denied the claim, arguing that the email case did not amount to entry of data into or a change to the elements of the Medidata computers. Federal said the policy applies to only hacking-type intrusions.
Medidata sued over the claim denial and the U.S. District Court for the Southern District of New York last August awarded Medidata $5.8 million in damages and interest.
Ruling last Friday on an appeal by Federal, the Second Circuit agreed with the district court in finding that the “plain and unambiguous language of the policy” covers the losses incurred by Medidata.
The appeals court found that while no hacking occurred, the fraudsters did insert the spoofing code into Medidata’s email system, which the court said is part of the computer system, and they sent messages that were made to look like they were from high officials at Medidata to trick the employees. “Thus the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender. Accordingly, Medidata’s losses were covered by the terms of the computer fraud provision,” the court found.
Make SURE that your cyber insurance policy clearly covers instances of your employees becoming the victim of a social engineering attack. And of course step them through new-school security awareness training to prevent snafus like this from happening in the first place...
Full story at The InsuranceJournal
Request A Demo: Security Awareness Training
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:
