On insurance coverage issues, sometimes the boat seems to be listing in the wrong direction. For example, insurers have long tilted the decks to avoid coverage for “spoofing” attacks and similar kinds of email fraud by throwing their weight behind arguments that such transactions do not involve a “direct loss” from the use of company computers to implement a fraudulent scheme, which they claim their policies require. But in the first half of July, not one, but two federal appellate decisions—Medidata Solutions Inc. v. Federal Insurance Co. and American Tooling Center, Inc. v. Travelers Casualty & Surety Co.—rocked the insurers’ boats.
Phishing is a criminal hacker’s favorite sport, and for good reason. It’s a tried and true way to land the big one, over and over again. Whether using a spoofed bank website and stolen email addresses to trick customers into divulging account information, sending email messages purporting to be from a senior company official to deceive employees into providing personal health records, or posing as a trusted vendor and transmitting wire transfer instructions to fraudulently divert funds, hackers are reeling in the catch and making it look easy.
But a well-managed company should have sophisticated safeguards in place. And if these fail, there is insurance coverage, right? The prudent policyholder buys all kinds of insurance: It has up-to-the-minute “Cyber” coverage. It has Crime and Fidelity coverage with Computer Fraud riders. It has Professional Liability coverage. And of course it has regular old Commercial General Liability and Property coverage. Surely it’s covered for this type of fraud. Or is it?
While seeming to offer products that respond to the latest risks, insurers often provide limited coverage and seek to exclude the most obvious and inevitable losses. A series of recent cases highlights some of the biggest holes in the insurance safety net.