The latest ruling shows how the courts are becoming well-versed in the ways of cyberattacks, and are holding both insurers and policyholders to the letter of the contract.
An employee of Mississippi Silicon Holdings received an email supposedly from a known contact at a Russian supplier of theirs, asking to have payment arrangements modified. You know the drill – no verification was done, the payment method was modified, and the company was tricked out of $1 million.
The claim placed with their insurer, Axis Insurance, ended up in a court battle that ended last week with the courts only allowing $100,000 of the claim to be paid under the “social engineering” provision of the policy. Despite the total loss of over ten times that amount, the courts found for the insurer because the computer transfer fraud portion of the policy (which had a payout of $1 million) included the language “without the insured entity's knowledge or consent.” Because an employee of Mississippi Silicon was completely aware of the transactions, they were denied their claim in court.
This case exemplifies why organizations need to do two very important things:
- Walk through your policy with a security officer, consultant, or someone else who can pit realistic attack scenarios against the verbiage in the policy, so you understand in which kinds of situations the policy will actually pay out.
- Teach your employees to be mindful of social engineering tactics like this. A simple email is all that was needed to take the company for $1 million. Employees who undergo Security Awareness Training are educated on how to spot common scams and social engineering tricks, as well as what to do – especially in circumstances where access to money is concerned.
This case demonstrates that the courts, like the insurers, are doing their homework and walking through cyberattack scenarios. You need to do the same, together with your security staff and employees, to ensure you’re protected both before and after an attack.