<div dir="ltr"><div dir="ltr"><a href="https://www.canadianunderwriter.ca/risk/client-properly-insured-computer-crime-1004149026/">https://www.canadianunderwriter.ca/risk/client-properly-insured-computer-crime-1004149026/</a></div><div dir="ltr"><br></div><div dir="ltr">Brokers placing commercial insurance for the risk of theft should pay close attention to exclusions.<br></div><div dir="ltr"><div class="gmail-the-content">
<p>Exclusions on some policies covering crime losses for financial
institutions may be leaving a gap in cover computer crime, a new paper
from <a href="http://www.marsh.com" target="_blank" rel="noopener">Marsh Inc.</a> suggests.</p>
<p>Financial institution bonds are first-party insurance policies that
protect commercial clients “from a myriad of theft-related exposures” –
such as employee dishonesty, forgery, vendor-related fraud and theft
through computer systems – AIG Canada notes.</p>
<p>But financial institutions “should pay specific attention to
potentially broad exclusionary language” to make sure their insurance
adequately covers theft of funds, Marsh said in a recent report,
commenting in general and not on any particular carrier.</p>
<p></p>
<p>A coverage dispute south of the border is raising discussions around
hacking attacks on banks’ computer systems and stealing money from
customers accounts, Marsh said in <em>Protecting High-Value Assets: Insurance Implications of Cybercrime for Financial Institutions</em>, a report released Nov. 16.</p>
<p>Marsh was referring to computer attacks in 2016 and 2017 in which the
victim was National Bank of Blacksburg, situated in Virginia’s
Appalachian mountains.</p>
<p>Beginning two years ago, hackers were able to get user names and
passwords of employees of the National Bank of Blacksburg, reports the <em>Roanoke Times</em> newspaper. Using those stolen computer login credentials, hackers were able to steal money from customers’ accounts.</p>
<p>The bank’s insurer is Everest National Insurance Company. The bank’s
loss was over $1 million. But Everest says the portion of the policy
that covers the loss is one that deals with misuse of debit cards, which
has a $50,000 sub-limit, the <em>Roanoke Times</em> reports.</p>
<p>“The coverage dispute arising from this loss does not involve a cyber policy,” Marsh said in <em>Protecting High-Value Assets</em>.
Instead the issue is whether the loss triggers coverage under the
computer and electronic portion of the financial institution bond that
Everest wrote for National Bank of Blacksburg. The C&E portion has
an exclusion for loss arsing from “the use, or purported use, of credit,
debit, charge, access, convenience or other cards.” The bank says that
exclusion does not apply.</p>
<p>“Insurance – while effective at reducing the financial impact of
cyber events, has also raised questions for banks – as well as disputes
with insurers – about how coverage should respond to a cyber event
involving multiple types of loss,” Marsh said.</p>
<p>A “big trend” in insurance these days is social engineering, says
Brian Kelly, Montreal-based managing partner for risk management at <a href="http://www.bflcanada.ca" target="_blank" rel="noopener">BFL Canada Risk and Insurance Services</a>.
One example of social engineering is when a criminal impersonates
someone. In some cases, criminals have used social engineering to fool
employees into thinking they are paying suppliers when in fact the
employees are unwittingly sending money to the criminals.</p>
<p>“Normally that is provided under a crime policy but for smaller and
medium sized organizations, we see a benefit to actually including that
under a cyber policy as well,” Kelly told <em>Canadian Underwriter</em> earlier.</p>
<p>One such incident resulted in a coverage dispute in Alberta, notes
Ryan Burgoyne, managing partner of law firm Cox & Palmer’s
Fredericton office.</p>
<p><em>The Brick Warehouse LP v. Chubb Insurance Company of Canada</em>
was released in 2017 by the Court of Queen’s Bench of Alberta. That
court ruled that a Chubb commercial crime policy did not cover a loss
resulting from social engineering fraud, Burgoyne reported earlier in a
paper titled <em>A New Realm: Cyberspace, Cyber Liability and Cyber Liability Insurance</em>.</p>
<p>In that case, The Brick lost $200,000 because money owed to computer
maker Toshiba – a legitimate vendor – was sent to the wrong bank
account. A fraudster purporting to be a Toshiba worker had called The
Brick’s accounting department giving a false bank account for Toshiba.
As a result, The Brick paid the criminal, not the vendor.</p></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>