The threat to law firms posed by data breaches and ransomware has been in the news lately, and for good reason. The financial and reputational fallout from a data breach or a successful ransomware attack can be catastrophic. We’ve written about the topic ourselves (here, and here, and here).
One line of defense that’s frequently recommended as a means of mitigating security risks is cyber insurance. Cyber insurance policies cover risks for internet-connected firms that own digital assets or handle digital personal information for their employees and clients. These include insurance policies addressing computer fraud, forgery, data breaches, funds transfer fraud, and general “cyber liability” protections that are commonly attached to a firm’s business insurance policy.
Firms can also purchase “social engineering fraud coverage.” The Chubb Insurance Group, for example, says that its social engineering policy protects businesses from losses that occur when a well-meaning employee is duped by a criminal posing as a supplier, new client, or fellow employee. Basically, this is insurance against phishing attacks.
However, there is one large gotcha with cyber insurance. These policies are relatively new. Important policy provisions have not been subjected to decades of litigation, as is the case with other traditional types of insurance. The insurer and insured parties can reasonably differ as to the meaning of key terms — particularly technical terms that describe computer technology.
Perhaps more important is the fact that computer crime threats are constantly evolving. A cyber insurance policy drafted to address the likely computer-related losses of 2015 may fail to cover the latest exploits. The clever hack that “no one could have predicted” is, almost by definition, not described in anyone’s cyber insurance policy. Several recent court decisions illustrate this point.
Insurer Not Required to Cover $6 Million Phishing Loss
In RealPage Inc. v. Nat’l Union Fire Ins. Co., No. 21‐10299 (5th Cir., Dec. 22, 2021), the court ruled that the insurer was not obligated to cover $6 million in losses that occurred when phishing criminals tricked an employee of the insured party into revealing login information for the insured’s account with a third-party payment processor.
The insured party, RealPage Inc., served the real estate industry. It collected rental payments from tenants and distributed those payments to its clients using the popular Stripe payment processing service. The criminals gained access to RealPage’s Stripe account by inducing a RealPage employee to click a malicious link in an email message, which took the employee to a webpage that collected login information for RealPage’s Stripe account. Having gained access to the Stripe account, the phishing criminals diverted the rental payments to themselves — resulting in a $6 million loss to RealPage.
RealPage’s insurance policy with National Union provided, in relevant part, that the insurer would cover losses involving property that “you hold for others.” The insurer argued that Stripe – not RealPage – “held” the funds pilfered from the Stripe account. Both the district court and the Fifth Circuit agreed.
The Fifth Circuit read the National Union policy to require that RealPage either possess or control the money in the Stripe account, and found that neither possession nor control was supported by the evidence. The rental payments were stored in an account entirely under Stripe’s control, a fact the court found dispositive.
“RealPage never possessed its property manager clients’ funds that got caught in the phishers’ net,” the court wrote. The court added that payment-routing instructions provided by RealPage to Stripe were insufficient indicia of control over the funds to qualify as “holding” them within the meaning of the National Union policy.
Given the nature of the modern financial industry and the rise of nonbank payment processors, it is difficult to conceive of a situation in which RealPage could have “held” the rental payments within the meaning of its insurance policy. And it is highly unlikely that RealPage executives appreciated the insurance coverage consequences of using a third-party payment processing solution at the time the company engaged Stripe to collect rental payments. The practical lesson is that whether a firm “holds” funds turns on where the money actually sits, not on who directs its movement, so every third-party account that moves client money should be mapped against the definitions in the firm’s policy before a loss occurs.
In Medidata Solutions Inc. v. Federal Insurance Co., 268 F. Supp.3d 471, 473 (S.D.N.Y. 2017), the insured suffered nearly $5 million in losses when phishing criminals tricked Medidata employees into initiating a wire transfer that the employees believed had been requested by the company’s president.
The insurer denied coverage because, it argued, there had been no “fraudulent entry of data” as required by the policy’s computer fraud clause. The insurer also contended that the insured’s receipt of the phishing email was “authorized” because the email system was open to receipt of email messages from anyone. The insurer made several other legal arguments supporting its decision to deny coverage — all essentially claiming that the phishing attack suffered by the insured did not fit within the description of risks covered by the insurance policy.
The court ultimately turned back these arguments and ordered coverage for Medidata’s losses, but not before engaging in a careful reading of the insurance policy’s coverages and exclusions.
In the United States, notions of what types of conduct constitute computer fraud have evolved greatly since the federal Computer Fraud and Abuse Act was enacted in 1986 (amending a 1984 predecessor statute), though always lagging behind the ingenuity of online criminals. Today the CFAA prohibits accessing computers without authorization, or in excess of authorization. However, the CFAA does not define “without authorization,” leaving it to the courts to define that critical term on a case-by-case basis. Phishing exploits, which typically involve tricking authorized company employees into handing their credentials or other valuable information to an unknown third party, often don’t fit neatly within the language of the CFAA or of cyber insurance policies, because the attacker logs in with credentials the system treats as valid.
So … Are You Covered?
Premiums for insurance policies covering cyber losses are rising steeply as carriers respond to growing numbers of claims and large payouts for ever more sophisticated online scams. Insurers are also lowering coverage limits in an attempt to minimize exposure to cyber-related claims, and many now condition coverage on specific security controls, such as multifactor authentication on email and remote access, with the answers on the application questionnaire treated as warranties. In this environment, it’s reasonable to expect that insurers will be double-checking both the policy language and the firm’s representations when they receive claims for cyber-related losses.
Coverage purchased for today’s threats may not cover tomorrow’s vulnerabilities. Here are several new types of cybercrime reported very recently to the FBI’s Internet Crime Complaint Center:
- SMiShing (SMS phishing). This is the typical phishing attack, committed by transmitting a malicious link via text message rather than email.
- Virtual meeting hacks. This attack is committed when a criminal impersonates a company executive (using a still image of the executive and possibly “deepfake” audio simulating the executive’s voice), or when a criminal joins a company’s virtual meetings without authorization. The purpose of both exploits is to trick company employees into providing valuable information or money.
- Job website scams. Hackers gain unauthorized access to company accounts on job search websites, from which they post fraudulent job descriptions used to induce job candidates to send money or personal information. Hackers sometimes threaten reputational harm to companies or job seekers.
- Malicious QR codes. Tampered digital or physical QR codes direct victims to malicious websites that solicit login credentials or financial information. Because a QR code hides the destination address, victims should preview the decoded URL before opening it.
- SIM swap. Hackers use social engineering ploys or compromised mobile phone carrier employees to move the victim’s mobile phone number to a SIM card in the hacker’s possession. Once accomplished, the hacker receives the victim’s calls and text messages, including SMS one-time passcodes, and uses them to complete “forgot password” or “account recovery” requests that grant access to the victim’s email and financial accounts.
According to the FBI’s 2020 Internet Crime Report, phishing schemes are far and away the most common type of complaint. In 2020, the most recent year for which federal statistics are available, there were 241,342 complaints of phishing-related fraud (including vishing, smishing, and pharming), more than double any other category. For comparison, the second-leading source of complaints in 2020 was nonpayment or nondelivery of goods and services, with 108,869 complaints. There were also 2,474 ransomware complaints that year.
If there’s a chance that your law firm might fall victim to any of these emerging cyberthreats, now would be a good time to review the language in your firm’s cyber insurance policies. It’s entirely possible that the leading threats your law firm faces today were not on anyone’s mind when the firm’s policy was written. Fitting today’s cyberthreats into the language of that policy could prove to be a difficult, if not impossible, task.