Lawsuits over denied cyber insurance claims provide insight into what you should and shouldn’t expect from your policy – and show that actions by your own users may make the difference.
The recent appeal of the Star Title Partners of Palm Harbor vs. Illinois Union Insurance Co. case initially sounds like a pretty standard story we’ve seen over the last few years. The insured has some form of cyber incident, they put in a claim, the insurance company denies it on a technicality, the insured sues, and the court sides with the insurer.
In the case of Star Title, the specifics are pretty standard if you’re paying attention to cyber fraud attacks: Star Title received an email from someone posing as a Texas mortgage company asking to change the banking details for the upcoming transaction, but Star Title failed to authenticate the sender. Star Title sent the funds to the fraudster-controlled bank account and lost the funds. They submitted a claim through their cyber insurance policy and were denied.
What should get the attention of every organization concerned that their cyber insurance won’t cover a loss is found in the answer brief from the Florida Eleventh Circuit Court of Appeals. In it, the presiding judge found that the negligent actions of the employee were a major contributing factor in finding for the insurance company.
Even when your insurance policy says it covers a particular type of cyber incident, there are always particulars in the policy that dictate the circumstances – the perfect storm, if you will – that need to take place for the policy to kick in.
Authenticating any change to an existing financial transaction is a cardinal rule here. Every organization should be putting any employee with access to company funds or responsibility for financial transactions through Security Awareness Training which, among other things, will educate the employee about scams like these, and how to both verify legitimacy and identify potential fraud – all before a transaction takes place.
Insurance is helpful, but the lesson learned here is to take steps to minimize the chance of putting your organization in a situation where it’s necessary to use your cyber insurance.