New York Rolls Out New Cybersecurity Requirements for Banks, Insurers


Harrisburg, Feb. 22 – According to the New York Department of Financial Services, new cybersecurity rules aimed at safeguarding consumer data go into effect on March 1, 2017. The regulations will require banks, insurers, and money services to strengthen their cybersecurity protocols by, in part, putting data security programs in place and accepting greater responsibility for monitoring the vendors with whom they do business. The rules also require reporting breaches within 72 hours.

The new rules impose obligations which could create liability from regulatory actions or consumer litigation. According to attorneys quoted in a recent article appearing on Law360.com, the new guidelines will give enterprising plaintiffs’ lawyers new claims against financial services firms, as well as firm directors and officers. Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis. Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. Because of that, companies should devote considerable attention and resources to two areas: 1.) implementation of cybersecurity programs and systems in compliance with DFS requirements; and 2.) making sure company executives have liability insurance coverage for cyber-related missteps, including coverage for both regulatory and consumer claims.

With respect to adequately insuring cyber exposures, companies should review their D&O policies to make sure cyber-related liability is not excluded, and that the insurance will cover the costs of defending against regulatory actions and any resulting penalties. With respect to DFS requirements for the supervision of third-party vendors, the rules call for vendors to encrypt nonpublic information and to set up robust protection systems. Companies should require and review both vendor cybersecurity policies and related liability insurance products to make sure the vendors have technology errors and omissions coverage. Companies may wish to secure additional insured protection under such policies as well.

A copy of the regulations may be found here: nydfs-cybersecutiry-regs-03012017


Cybercrime Insurance Outlook 2017: Man vs. Machine


HARRISBURG, Feb. 17 – As 2017 unfolds, it remains to be seen whether an emerging trend of stricter readings of cybercrime insurance policies, which limit or exclude the reach of computer fraud coverage under crime protection policies, will continue. One case decided late last year illustrates the trend, and the view that whether computer fraud coverage applies will depend in large part on the degree of human involvement in bringing about the criminal losses.

In Apache Corp. v. Great American Ins. Co., No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016), the Fifth Circuit Court of Appeals ruled that a policy covering losses arising out of computer fraud did not apply to a fraudulent financial transfer “that was the result of other events and not directly by the computer use.”

Of interest to the appeals court in Apache was that the crime started with a telephone call from the thief, posing as a vendor to the insured, requesting a change of the bank wiring instructions through which the insured paid the vendor. Pursuant to Apache’s request that the change of wiring instructions be submitted in writing, the thief provided the instructions via email, although the email address did not match the vendor’s email domain on file. After a follow-up telephone call by Apache regarding the email, however, Apache instructed its bank to change the wiring instructions.

Apache later discovered that the wiring change was fraudulent, resulting in net losses of $2.4 million. Apache filed a claim with Great American under its crime protection insurance policy, which included computer fraud coverage. The insuring agreement in the Great American policy provided for payment of losses “resulting directly from the use of any computer to fraudulently cause a transfer of [such money] from inside the premises or banking premises … to a place outside those premises.”

Great American denied the claim on the grounds that the losses did not result directly from the use of a computer, but rather from human error. Apache sued Great American for coverage in Texas state court, and the case was removed to the U.S. District Court for the Southern District of Texas, after which both parties cross-moved for summary judgment. The federal district court granted the insured’s motion for summary judgment in favor of coverage and denied the insurer’s motion for summary judgment, but refused to impose statutory penalties on the insurer.

Following appeals by both parties to the U.S. Court of Appeals for the Fifth Circuit, the appeals court reversed the judgment for Apache, relieving Great American of its indemnity obligations. A three-judge panel held that numerous intervening non-computer actions were taken between the digital act of the impostor vendor’s email and the computer bank transfer of funds. Such non-computer acts, the court noted, included telephone calls, approval of the change in wiring instructions by Apache’s management, the receipt and processing of invoices by Apache, and Apache’s approval of invoices for payment. The court also found that Apache’s instructions to the bank to effectuate the wiring change were verbal.

The Court held:

“The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud. . . . We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between ‘computer’ and ‘telephone’ was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication. This is reflected in the evidence at hand. Arguably, Apache invited the computer-use at issue, through which it now seeks shelter under its policy, even though the computer-use was but one step in Apache’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.”

For the Apache court, then, a critical area of focus in analyzing cyber-crime insurance coverage is the nexus between the crime and the degree of computer, versus human, involvement. Apache, and decisions like it, impose rather strict limits on the scope of cyber-insurance coverage, setting a bright line between fraud which is primarily the result of flawed human processes and fraud which is primarily digital and computer-driven.

Cyber-crime and related technology insurance coverage is still very much an emerging insurance market. Policy language, therefore, remains varied, and that variance obliges both insurers and insureds to be precise in their understanding of what protections the policy terms, conditions, and endorsements provide.

Apache Corp. v. Great American Insurance Company, No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016)

Computer Fraud Losses Barred By “Authorized Representative” Exclusion


PASADENA, June 28 — The Ninth Circuit U.S. Court of Appeals affirmed summary judgment for Great American Insurance Co., holding that the relevant policy’s “authorized representative” exclusion barred coverage of $100,000 in losses to Southern California Counseling Center arising out of computer fraud by one of the Center’s payroll agencies.

The Southern California Counseling Center (SCCC) sued its insurer Great American Insurance Co. (GAIC) for breach of contract and bad faith, alleging $100,000 in losses after a payroll company withdrew funds from SCCC’s bank accounts and kept them instead of paying SCCC’s federal and state payroll tax obligations. SCCC sought a declaratory judgment that Great American had a duty to cover the underlying losses arising out of computer fraud.

On June 17, 2014, U.S. District Judge Audrey B. Collins granted summary judgment for Great American, holding that a policy provision excluding coverage for losses caused by “authorized representatives” applied to the misconduct of SCCC’s payroll services agent, Ben Franklin Payroll Service.

The Ninth U.S. Circuit Court of Appeals affirmed the district court’s ruling in favor of the insurer, holding:

“the plain meaning of the ‘authorized representative’ language [here] . . . is not ambiguous and covers those who by authorization of the insured are given access to and permitted to handle the insured’s funds. . . . This understanding comports with the function of the provision within the policy: to place the onus of vetting the individuals and entities whom the insured engages to stand in its shoes — and thus the risk of loss stemming from their conduct — squarely on the insured. In other words, the term ‘authorized representative’ is ‘a straightforward effort to embrace all statuses that are “authorized,” and thus are the insured’s responsibility to supervise…’”

“SCCC executed multiple agreements with Ben Franklin Payroll Service and/or its principal, Richard Zakarian, to allow the latter party or parties to provide payroll services … In doing so, SCCC gave them direct access to its bank account and permission to file tax documents on its behalf. These agreements used the word ‘authorize’ numerous times; indeed, it is difficult to imagine contracts that could more explicitly ‘authorize’ a ‘representative’ to act on one’s behalf. Under these circumstances, the district court did not err in concluding that the only reasonable construction of the term ‘authorized representative’ encompasses Ben Franklin Payroll Service and/or Zakarian, and, as a result, the exclusion unambiguously applies.”

Southern California Counseling Center v. Great Am. Ins. Co. (9th Cir. 2016)

Minnesota: Insurance Coverage for Fraudulent Bank Transfer


MINNESOTA, May 20 – The U.S. Court of Appeals for the Eighth Circuit has ruled that the State Bank of Bellingham was covered for losses caused by an unauthorized wire transfer by hackers. The Bank sought coverage under a financial institution bond underwritten by BancInsure, Inc. for a transfer of nearly $500,000.00 to a foreign bank account. The bond is treated as an insurance policy under Minnesota state law.

According to the opinion, the unauthorized transfer occurred when a bank employee, using her own electronic token, password, and passphrase as well as those of another bank employee, executed an authorized wire transfer but left the tokens “open” on a running computer after completing the transaction. The following day, two unauthorized transfers were discovered, only one of which the Bank was able to reverse. A forensic investigation of the breach revealed that a computer virus had created the access breach that permitted the fraudulent transfers.

A federal district court ruled that the computer fraud was the legal cause of the loss, not the bank employees’ breach of bank policies and practices regarding the use of confidential passwords, or their failure to update antivirus software. The appeals court affirmed the ruling in favor of coverage, and held that while other possible factors may have “played an essential role” in the loss, they did not make the unauthorized transfers “certain” or “inevitable” such that there would be no coverage under the bond.

State Bank v. BancInsure, Inc., 2016 U.S. App. LEXIS 9235 (8th Cir. Minn. May 20, 2016)

The Developing Cyber-Gap In Insurance Coverage


Conventional wisdom has been that insureds might be able to recoup losses for cyber-related risks causing personal injury or property damage to third parties by submitting claims to their general liability insurers. But that window is closing.

In 2013, the Insurance Services Office (ISO), an industry organization responsible for drafting coverage language, issued two endorsements for commercial general liability (CGL) policies which eliminate the possibility of CGL coverage for cyber-related losses:

  • ISO Endorsement CG 21 07 05 14 excludes coverage for damages arising out of: “The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” “Electronic data” includes “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software … which are used with electronically controlled equipment.”
  • ISO Endorsement CG 21 06 05 14 contains identical language, but includes a limited exception for bodily injury.

These endorsements are appearing more frequently in CGL policies, and insurers are likely to argue that they exclude liability coverage for bodily injury or property damage claims which result, for example, from security breaches into computers and electronic programmable controllers of all kinds, including the ubiquitous programmable logic controllers (PLCs) used in everything from Christmas trees to cars to manufacturing plants.

Moreover, in its current form, stand-alone cyber insurance may not close the gap. Most existing cyber-insurance policies, and many in development, contain exclusions for bodily injury or property damage. These exclusions rest on an assumption which is becoming less and less true — that CGL coverage responds to such losses.

Those monitoring this industry issue say it is likely too soon to tell whether the gap will become a significant one. While not all insurers are using the new ISO language, it is becoming more and more popular. The case law remains in its infancy, so there is little to no current guidance on this specific problem.

Conducting a thorough review of existing insurance policies to diagnose the gap is an important first step. Filling the gap, however, is somewhat more complicated. Unique products such as captive insurance coverage may be the best solution for this exposure, unless and until the conventional insurance market responds.

Reach me at chaddick@dmclaw.com or 717-731-4800 for more information and a no-cost consultation.


Data Breach Covered Under Traditional Travelers’ Policy, 4th Circuit Says


VIRGINIA, April 11 – The U.S. Fourth Circuit Court of Appeals has affirmed a ruling which obligates Travelers to defend Portal Healthcare in a class action alleging its failure to protect a records server from unauthorized access. What is mildly surprising is that the court found this obligation exists under an Advertising Injury Endorsement to a commercial general liability policy issued by Travelers to Portal.

In an unpublished opinion, the appeals court approved the reasoning of a Virginia district court, which in 2014 ruled that Portal published, and therefore disclosed, confidential patient information, bringing the claim within the terms of its policy with Travelers. U.S. District Judge Gerald Bruce Lee found that Travelers had a duty to defend Portal because the medical records were “published,” implicating the personal and advertising injury coverage provision in the insurer’s CGL policy.

The appeals court held:

“[T]he [district court] opinion concluded that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the policies.”

The appeals court commended Judge Lee’s “sound legal analysis.”

In 2013, Portal was sued in a New York class action alleging that it negligently failed to secure a server containing confidential records for patients at a Glens Falls, New York, hospital. The complaint alleged that this confidential material was available online for viewing without the need for a password. Several of the patients discovered the exposure through Google searches.

Travelers denied coverage for the suit, and Portal filed suit against Travelers in federal court in Virginia for coverage.

Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLC, 14-1944 (4th Cir. 2014)

Cyber Coverage Watch: Louisiana Dispute Over Ascent Cyberpro Policy


NEW ORLEANS, March 30 – Eustis Insurance Company and its insured, New Hotel Monteleone, remain embroiled in litigation over coverage for a 2014 cyberattack, centering on the insurability of exposures Hotel Monteleone faces in the wake of the attack, including fraud recovery and operational reimbursement expenses. The case, venued in the Eastern District of Louisiana, is a signal example of the non-standard nature of cyber coverage, and of the need for experienced counsel on all sides when policies are formulated, bought, and sold.

This week, the dispute became even more complicated when Eustis filed a third-party complaint against wholesale insurance broker R-T Specialty, Inc., alleging that R-T failed to properly explain to the Hotel Monteleone the precise coverage of the policy, issued by Certain Underwriters at Lloyd’s, London (Lloyd’s), subscribing to the Ascent Cyberpro policy (the Ascent Policy). The hotel previously initiated the suit against Eustis and Lloyd’s in December 2015, seeking complete coverage for its losses under the Ascent Policy.

Eustis engaged R-T after the Hotel Monteleone approached Eustis about cyber coverage following an earlier, 2013 cyberattack on the hotel, for which there was no insurance coverage. Eustis did not have broad experience with cyber coverage, and brought in R-T based on R-T’s alleged representations that it was conversant in procuring such insurance.

The Ascent Policy issued through Lloyd’s and R-T had an overall limit of $3 million. The coverage, however, was substantially restricted with respect to costs incurred by an insured that constituted fines or penalties.

The third-party complaint against R-T Specialty alleges that the broker failed to inform Eustis that fraud recovery and operational reimbursement might be considered a fine or penalty, or that a $200,000 sublimit appearing in the policy’s Payment Card Industry Fines or Penalties Endorsement might apply to fraud recovery and operational reimbursement expenses arising from the cyberattack.

The case illustrates the murkiness of the current cyber coverage market, the great variability in individual coverage, and the possible exposure of agents and brokers for failing to properly procure or explain the coverage they secure for their customers.

New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, Subscribing to Ascent Cyberpro Policy No. ASC14C00944, No. 2:16-CV-00061-ILRL-JCW (Eastern District, Louisiana 2016)