[BreachExchange] Is your client properly insured for computer crime?

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 23 15:12:01 EST 2018


https://www.canadianunderwriter.ca/risk/client-properly-insured-computer-crime-1004149026/

Brokers placing commercial insurance for the risk of theft should pay close
attention to exclusions.

Exclusions on some policies covering crime losses for financial
institutions may be leaving a gap in cover for computer crime, a new paper
from Marsh Inc. <http://www.marsh.com> suggests.

Financial institution bonds are first-party insurance policies that protect
commercial clients “from a myriad of theft-related exposures” – such as
employee dishonesty, forgery, vendor-related fraud and theft through
computer systems – AIG Canada notes.

But financial institutions “should pay specific attention to potentially
broad exclusionary language” to make sure their insurance adequately covers
theft of funds, Marsh said in a recent report, commenting in general and
not on any particular carrier.

A coverage dispute south of the border is raising discussions around
hacking attacks on banks’ computer systems and stealing money from
customers’ accounts, Marsh said in *Protecting High-Value Assets: Insurance
Implications of Cybercrime for Financial Institutions*, a report released
Nov. 16.

Marsh was referring to computer attacks in 2016 and 2017 in which the
victim was National Bank of Blacksburg, situated in Virginia’s Appalachian
mountains.

Beginning two years ago, hackers were able to get user names and passwords
of employees of the National Bank of Blacksburg, reports the *Roanoke Times*
newspaper. Using those stolen computer login credentials, hackers were able
to steal money from customers’ accounts.

The bank’s insurer is Everest National Insurance Company. The bank’s loss
was over $1 million. But Everest says the portion of the policy that covers
the loss is one that deals with misuse of debit cards, which has a $50,000
sub-limit, the *Roanoke Times* reports.

“The coverage dispute arising from this loss does not involve a cyber
policy,” Marsh said in *Protecting High-Value Assets*. Instead the issue is
whether the loss triggers coverage under the computer and electronic
portion of the financial institution bond that Everest wrote for National
Bank of Blacksburg. The C&E portion has an exclusion for loss arising from
“the use, or purported use, of credit, debit, charge, access, convenience
or other cards.” The bank says that exclusion does not apply.

“Insurance – while effective at reducing the financial impact of cyber
events, has also raised questions for banks – as well as disputes with
insurers – about how coverage should respond to a cyber event involving
multiple types of loss,” Marsh said.

A “big trend” in insurance these days is social engineering, says Brian
Kelly, Montreal-based managing partner for risk management at BFL Canada
Risk and Insurance Services <http://www.bflcanada.ca>. One example of
social engineering is when a criminal impersonates someone. In some cases,
criminals have used social engineering to fool employees into thinking they
are paying suppliers when in fact the employees are unwittingly sending
money to the criminals.

“Normally that is provided under a crime policy but for smaller and medium
sized organizations, we see a benefit to actually including that under a
cyber policy as well,” Kelly told *Canadian Underwriter* earlier.

One such incident resulted in a coverage dispute in Alberta, notes Ryan
Burgoyne, managing partner of law firm Cox & Palmer’s Fredericton office.

*The Brick Warehouse LP v. Chubb Insurance Company of Canada* was released
in 2017 by the Court of Queen’s Bench of Alberta. That court ruled that a
Chubb commercial crime policy did not cover a loss resulting from social
engineering fraud, Burgoyne reported earlier in a paper titled *A New
Realm: Cyberspace, Cyber Liability and Cyber Liability Insurance*.

In that case, The Brick lost $200,000 because money owed to computer maker
Toshiba – a legitimate vendor – was sent to the wrong bank account. A
fraudster purporting to be a Toshiba worker had called The Brick’s
accounting department giving a false bank account for Toshiba. As a result,
The Brick paid the criminal, not the vendor.