[BreachExchange] Texas Court Backs Phishing Attack Insurance Claim

Destry Winant destry at riskbasedsecurity.com
Fri May 29 10:25:33 EDT 2020


https://securityboulevard.com/2020/05/texas-court-backs-phishing-attack-insurance-claim/

Are insurance companies bound to pay claims for phishing attacks
resulting in third-party losses?

RealPage, a Texas-based company, operated a rent-servicing portal
through which renters could pay their rent and landlords could get
paid (minus, of course, a servicing fee to RealPage). In May 2018,
RealPage fell victim to a spear-phishing attack, during which the
attackers obtained and altered the credentials of a RealPage employee
and redirected about $10 million the company had collected from
renters and owed to landlords into their own accounts. About $6
million was eventually recovered, and RealPage filed a claim for the
lost funds against a commercial crime policy it had purchased two
months earlier.

The policy purported to cover RealPage’s losses “resulting directly
from the use of any computer to fraudulently cause a transfer” from
within RealPage or its bank to a place outside RealPage or its bank.
The policy also covered any loss “resulting directly from a
‘fraudulent instruction’ directing a financial institution to
transfer, pay or deliver ‘funds’ from” RealPage’s accounts. The policy
also covered any losses “resulting directly from ‘theft’ (including
forgery) committed by an ‘employee,’ whether identified or not, acting
alone or in collusion with other persons.”

If you know anything about insurance companies, it should not surprise
you that the insurance company refused to pay, and RealPage sued.
RealPage v. National Union Fire Insurance Co. of Pittsburgh & Beasley
Insurance, CIVIL ACTION NO. 3:19-CV-1350-B, (N.D. Tex., April 1, 2020)

On April 1, a federal court in Dallas denied the insurance company’s
motion to dismiss the lawsuit. In particular, the court rejected the
insurer’s argument that the policy acted ONLY as a “bond[s] to
indemnify [RealPage] for loss due to embezzlement, larceny, or gross
negligence by an employee or other person holding a position of
trust.” Since the employee did nothing illegal or grossly negligent,
and the losses were caused by outside attackers, the insurer argued
that the policy did not cover them. The policy did act as a “fidelity
bond,” covering certain losses resulting from the acts of trusted
employees, but that was not the ONLY coverage in the policy. By its
own terms, the policy also covered ANY loss resulting from a funds
transfer made on the basis of a fraudulent transfer instruction,
which is exactly what happens in a spear-phishing attack that ends in
a redirected payment.

The case illustrates a frequent problem with “cyber” insurance, which
is that there is no such thing as “cyber” insurance. That’s because
“cyber” isn’t a “thing.” Or, more accurately, “cyber”
is many things. When companies purchase insurance that includes
coverage for losses that may occur as a result of events involving
computers, internet and computer technology, they have to understand
in advance the nature of the potential losses that could occur and
whether their “cyber” or other policies will, in fact, cover their
actual losses. For example, in the RealPage case, the insurer argued
that the company itself suffered no first-party loss, since none of
the funds “stolen” were RealPage’s own funds (its commissions) but
rather belonged to its customers, each of whom may have had a cyber
policy of their own. Was this a “first party” claim of loss by
RealPage or a “third party” claim of loss by its customers, and if
the latter, did the policy cover it? If the RealPage employee whose
credentials were stolen in the phishing attack violated company
policies, particularly security policies (which often happens in a
phishing attack), was the “loss” caused by the criminal actions of
the attacker or by gross negligence on the part of the employee? Are
the costs of investigating the attack, forensics and law enforcement
coordination, attempts to recover the lost funds, and notification of
affected entities covered under a policy that protects against losses
from fraudulent wire transfers, or are only the amounts of the wire
transfers themselves covered?

There are people who are experts in insurance policies—what they say,
what they mean and what they exclude. They are also experts in how
the courts have interpreted specific language in policies. But when
it comes to “cyber”-related losses, these experts need help. They
need to have a dialogue with the CIO and the CISO, as well as with
knowledgeable outside consultants, to understand the peculiar nature
of cyber-related attacks. How does a phishing attack typically work?
What does ransomware do? How are DDoS attacks perpetrated? How do
revenge porn or doxxing attacks use stolen data to create losses?
What kinds of sensitive information flow through a system? Who is
responsible for its protection, and what is the role of third
parties? What coverages do these third parties have (and what are you
requiring of them)? Technical experts may be necessary to understand
the difference between data that is “deleted,” “lost,” “inaccessible”
or simply difficult to retrieve, for the purposes of insurance that
covers data “loss.”

These coverages are made more complicated by the patchwork quilt of
policies companies hold. If a factory floor is shut down because of
flooding, a commercial general liability (CGL) policy may cover it.
If the flooding is caused by a hack of a SCADA system, however, then
maybe not. If the SCADA hack is caused by employee negligence or
crime, that’s another policy. If the stock price drops because of the
factory shutdown, that’s maybe another policy altogether. And if
stockholders sue because the stock price drops—you guessed it—that’s
yet another policy. So, while YOU think you have coverage, your
insurance company may disagree—at least, once you file a claim.

We will continue to see these battles fought out in the courts. But if
you have insurance, it’s better to know what’s covered before you file
a claim—and before you have to sue. And that means getting your cyber
people involved in reading the policies and running scenarios. Now.
More than ever.