[BreachExchange] 2 Recent Decisions May Affect Your Cyber Policy

[Destry Winant]

https://www.bradley.com/insights/publications/2018/11/2-recent-decisions-may-affect-your-cyber-policy

In decades past, crime was associated with physical attacks on persons
and companies, such as theft of physical possessions or bank robberies
at gunpoint. The increasing pace of technology has caused a marked
shift towards a new criminal threat, cybercrime. Technology has
allowed criminals to reach into our homes, businesses and bank
accounts without ever leaving a computer screen. Businesses must now
focus on how to protect themselves from crimes that are perpetrated
digitally.

As digital crimes increase, cyber insurance claims have dramatically
increased. Traditional data breach claims remain a main source of
claims. However, there is a new focus on other types of cybercrime,
including unauthorized wire transfers, theft of funds and ransomware.

Cybercrime on the Rise

Cybercrime generally refers to cyberattacks or cyber incidents. Cyber
incidents can take many forms — phishing, insider theft, SQL
injection, malware, denial of service, session hijacking, credential
farming or just old-fashioned “hacking.” Although many of these attack
vectors employ technical knowledge, some utilize deception to
manipulate individuals into performing certain actions or divulging
confidential information.

Commonly referred to as “social engineering,” a perpetrator can
exploit human behavior to pull off a scam. Oftentimes this comes as an
email, which appears to be from a trusted colleague, vendor or
business partner, asking for a wire transfer to a particular account
to settle a bill or provide payment for services.

Some of the most common social engineering scams include:

Phishing/Spear Phishing

This is one of the most utilized social engineering scams. Phishing
involves the fraudulent practice of sending emails purported to be
from a reputable company or individual seeking passwords or other
personal information. Once usernames and passwords are obtained,
criminals not only have access to email and documents, but often
attempt to access HR and payroll accounts to divert direct deposit
payroll amounts or obtain tax return funds.

Pretexting

Attackers create a fake identity and use it to manipulate an
individual into providing information. A common pretext is “vishing”
or phishing over the phone. The attacker will call someone with a
little bit of information, such as a date of birth and name, and use
the information to obtain additional personal information or log-in
credentials that can be used to perpetuate fraud.

Baiting

This is a social engineering scheme that exploits human curiosity,
such as leaving a flash drive infected with malware in a company
parking lot. An unsuspecting employee picks up the infected flash
drive and plugs it into their computer to determine who it may belong
to. The malware deploys and infects the company’s system.

Social Engineering and Cyber Insurance Policies

To date, social engineering claims have often faced coverage denials
under cyber or computer fraud insurance policies, with many insurance
carriers insisting that the policies only cover hacking-type
intrusions.

That tide may be starting to turn. In recent months, two separate
courts have reversed the trend. Once by the Second Circuit in Medidata
Solutions Inc. v. Federal Insurance Co. and once by the Sixth Circuit
in American Tooling Center Inc. v. Travelers Casualty and Surety Co.
of America.

In both cases, the court found in favor of the policyholder in a
dispute over coverage for social engineering schemes. In Medidata, the
insured brought suit claiming that its losses from an email spoofing
attack were covered by a computer fraud provision in its insurance
policy. The provision at issue covered losses stemming from any “entry
of Data into” or “change to Data elements or program logic of” a
computer system. The court reasoned that although no hacking occurred,
the perpetrators crafted a computer-based spoofing code that enabled
the fraudsters to send messages that appeared to come from one of
Medidata’s employees.

Similarly, in American Tooling, a fraudster sent a series of emails,
purportedly from a vendor, requesting that American Tooling wire
transfer payments to new accounts. American Tooling wired over
$800,000 before realizing that the emails were fraudulent. The court
in American Tooling found that the loss was covered under the policy
and that none of the asserted policy exclusions applied, finding that
the emails were computer fraud that directly caused the loss.

The legal landscape around cybercrime and cyber insurance is changing.
The recent case law above and the recent legislative focus on
cybersecurity and privacy at the federal level forecast the potential
for sweeping changes in the field of cybersecurity and privacy over
the next several years.

Practical Steps to Avoid Loss and Ensure Your Policy Covers Attacks

Avoiding social engineering and criminal acts requires preparation.
Education is key to that preparation. Some of the greatest challenges
to preventing cyberattacks are a lack of knowledge or strategy to
mitigate new risks that emerge as a result of increased complexity and
interconnectedness of modern computer and technological systems.
Business owners and executives should seek to educate themselves on
the risks, threat actors, attack vectors and prior incidents involving
social engineering and other criminal attacks. Preventing an attack
will require not only improving the security of your business, but
understanding the vulnerabilities both from a human and technical
perspective.

Cybersecurity education is becoming a necessary part of both personal
pursuits and business operations. The U.S. Department of Homeland
Security, in partnership with the National Cyber Security Alliance,
observes National Cybersecurity Awareness Month each year in October.
This year’s theme is “Cybersecurity is our shared responsibility and
we all must work together to improve our Nation's cybersecurity.”

In accordance with this year’s theme, all individuals within a company
must work together to prevent cybercrime. Companies should understand
the complexity and varied types of cyber incidents that they face,
build in mechanisms to avoid engineering scams by validating proposed
requests and review their cyber and crime insurance policies to ensure
that they take full advantage of available insurance coverage. These
recent cases also serve as a reminder to have a clear incident
response policy in place and to quickly engage counsel who understands
the complexities of the incident, as well as the insurance coverage,
in order to minimize loss.

As for risk transfer, businesses should work with their risk
management professionals to prepare contracts and find coverage
tailored to their particular risks. The cyber market is in a highly
competitive phase, and sophisticated brokers can locate broad coverage
for a good price. Businesses can also use their bargaining power to
negotiate for contractual risk transfer with vendors and other
business partners, including defense and indemnity for first- and
third-party exposures.

Cybercrime is unlike any risk the business community has faced before
because it changes every day. Like a mutating virus, the criminals
create a new path of attack just as authorities are figuring out the
previous one. That said, the risk can be managed with appropriate
internal procedures and transfer tools. Finally, if you face a loss,
look to the risk management tools you may already have. As these two
recent court decisions indicate, businesses may already own policies
that can respond to a cyber claim.

The article, "2 Recent Decisions May Affect Your Cyber Policy,"
originally appeared on law360.com on November 2, 2018.