Safeguarding private information and network security are now critical elements of the operation of any successful business. Coupled with this is the need for an understanding of how best to manage an organization’s risks and the potential liabilities associated with the failure to protect data and to defend against breaches or loss perpetrated using technology. In-house and outsourced legal counsel must now be prepared to scrutinize contractual language as it relates to privacy and cybersecurity. There are serious issues to address: How can liabilities be properly managed? Should they be managed internally or transferred to others? If an organization suffers a breach incident, what obligations does it have to its stakeholders, its employees, its customers, and/or others?
One important area of contract review for organizations and their legal counsel is insurance. Network security and privacy liability insurance, a.k.a. cyber liability insurance, is fast becoming a critical type of insurance coverage for organizations of all sizes. Cyber liability insurance is designed to respond to a variety of circumstances, all of which revolve around safeguarding data, whether print or electronic, and maintaining the integrity of a computer network system. The coverage typically includes:
A. Coverage for suits brought by 3rd parties for the failure of an insured to properly protect that 3rd party’s sensitive information, whether due to a hacker or an employee error.
B. Coverage for claims by 3rd parties who have suffered a financial loss because an insured’s network system caused them harm, for example through the transmission of a software virus from the insured to the plaintiff. More critical to a cyber liability insurance policy is the 1st party protection it provides. 1st party coverage protects an insured when they discover an incident and need help to triage the situation before it evolves into a 3rd party claim. For example, when the head of IT pays a visit to senior management to advise of a potential break-in to the network system, the situation likely needs to be investigated immediately. In this case, the 1st party coverage of a cyber liability policy should be triggered and, ideally, the breach threat is resolved before it escalates to a 3rd party claim.
In today’s cybersecurity environment, many insureds struggle to determine what, if any, insurance policy can be triggered to provide protection in the event of a network security or cyber breach. The novelty of cyber breaches is such that most traditional policies will not respond to a breach, or if they do, it will only be in a limited fashion. If a policy does respond, it is very possible that gaps in the coverage, including policy exclusions, can limit coverage. This is why in-house and outsourced legal counsel must be familiar with insurance policies and their potential gaps. Take social engineering fraud for example. Social engineering fraud, of which “spear phishing” is one form, is a lucrative con perpetrated on an unsuspecting victim via email. But, unlike other electronic transmission-based crimes, social engineering fraud doesn’t depend on sophisticated hacking techniques, and its end goal is generally to steal money, not data. Social engineering fraud typically involves sending (usually by email) a targeted employee a bogus but very genuine-looking instruction to transfer funds to a 3rd party. If the employee falls for the hoax and transfers the funds, there is clearly a financial loss to the employer. But, from an insurance standpoint, does coverage for the loss fall under a crime policy or a cyber liability policy?
Crime Loss vs. Cyber Loss
Crime insurance typically deals with the loss or theft of money while cyber liability insurance primarily deals with loss or theft of data. As already noted, the goal of social engineering fraud is typically to steal money which would suggest crime insurance should respond. Unfortunately, it’s more complicated than that.
Traditionally, crime insurance targets loss due to intentional employee theft. If the employee is deceived into directing funds to a seemingly legitimate third party, the employee is not themselves stealing and, therefore, the act may not be seen as a true crime loss.
In a recent court decision (The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017), a scenario challenging the interpretation of coverage under a crime policy was played out. An employee at The Brick was tricked into believing that one of their vendors had changed banks. Following this, a second employee, who also believed the request to pay the vendor’s invoices to the new bank was entirely legitimate, authorized funds totaling $448,000 to be transferred from The Brick’s bank to a fictitious bank account. The Brick reported the loss to their crime insurer. When their claim was denied, The Brick sued the insurer, arguing that the loss should have been covered under the crime provision for “Funds Transfer Fraud by a Third Party”. Unfortunately for The Brick, the definition of Funds Transfer Fraud in the crime policy was (and is) very restrictive: invoking coverage requires a fraudulent instruction to be made to a financial institution (i.e. a bank) directing it to pay money from the insured’s account without the insured’s consent. In The Brick’s case, while the funds were authorized for transfer by the duped employee, the instructions given to the bank by the employee were clearly made with The Brick’s consent, and there was no intent on the part of the employee to steal. As such, the insurer was successful in denying the claim.
Insurance coverage for social engineering fraud is not standard in either a crime or a cyber liability insurance policy, but it can be added as a coverage endorsement, usually to a crime policy. A select number of insurers are prepared to offer social engineering fraud coverage in addition to a cyber policy, but most insurers see it primarily as a crime loss even though it might smell like cyber.
Whether added through a crime or a cyber policy, social engineering fraud coverage is typically subject to a sublimit that is small relative to the overall policy limit. A sublimit of $250,000 on a $1M crime policy is not uncommon.
The old adage that information is power has never been truer than in today’s business world. Organizations must use information to adapt to the evolving battle against loss and breach perpetrated using technology. They must not only be cautious in how they treat and protect client data, but must also be sure to protect themselves, through careful contract review, from the loss and various liabilities associated with failing to do so. In some cases, a risk transfer mechanism like insurance can augment diligent contract protections. However, when placing insurance coverage to transfer risk, organizations, their legal counsel and their insurance advisors must be sure that the right policies are in place. Subtle differences exist within insurance policy wordings and coverage, such as between crime and cyber liability insurance policies. Be sure to review them with proper expertise.
To learn more information about cyber insurance, visit OsgoodePD’s Legal & Business Risk Management in Cloud & SaaS on September 28, 2018 – registration is now open. Or for more information on Privacy and Cybersecurity visit OsgoodePD’s LLM in Privacy and Cybersecurity. Register for an upcoming Information Session or learn more about the application process. The application window is now open – the program starts in January 2019.
Patrick Bourk is the National Cyber Practice Leader for HUB International Canada. As an insurance coverage expert, he provides technical expertise in the analysis, placement, and negotiation of various management risk insurance coverages. Patrick also provides claims expertise and assists clients by managing claims and advocating on their behalf.