While businesses and their employees continue to operate in the “new frontier” of working-from-home during the COVID-19 pandemic and the gradual reopening of the economy, a serious risk continues to present itself: the threat of cybercrime. The increased use of remote access to work systems and related applications has made businesses a prime target for those unscrupulous individuals seeking to encroach on companies’ cyber-landscape. Flaws in VPNs, firewalls, and videoconferencing, for example, have exposed many companies’ electronic infrastructures to these incursions. Similarly, the at-home workforce has increasingly been subjected to social engineering attacks often cloaked as communications purporting to provide information about pandemic-related issues.
In addition to the technical measures necessary to confront these threats, businesses would be well-advised to ensure that their cyber insurance is up to date and responds to this challenging new environment. Such coverage may be found in a variety of insurance, including property policies, commercial crime bonds or in stand-alone cyber risk policies. Regardless of where it resides, cyber insurance typically provides coverage for data breaches, ransomware attacks and employee wrongdoing, and for loss of business income occasioned by covered occurrences.
While the jurisprudence related to these issues continues to develop, some recent cases provide insight into how courts may decide cyber coverage questions in the current environment.
Ransomware – Covered
Earlier this year the U.S. District Court for the District of Maryland considered the issue of how first-party “computer coverage” responded to data loss resulting from a ransomware attack. In National Ink & Stitch, LLC v. State Auto Property & Casualty Ins. Co., No. SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020), the insured was an embroidery and screen printing business that stored business-related art, logos, designs and graphics software on a server that became compromised by a ransomware attack. Id. at *1. As a result, the insured needed to recreate stored data that it was unable to access because of the incursion. Id. Further, after the software was replaced and reinstalled by experts, there remained a likelihood that remnants of the virus lingered on the system, leaving the insured with the unpalatable choice of either “wiping” the entire system or purchasing a new server. Id.
The policy at issue responded to “direct physical loss of damage to Covered Property at the premises…caused by…any Covered Cause of Loss.” Id. “Covered Property” included electronic data processing, recordings or storage media such as film, tapes, disks, etc. in addition to data stored on such media. Id. at *1-2. Software was included as “covered property” in the policy. Id. at *1. The insurer denied the claim on the basis that the insured had not experienced direct physical loss or damage to its computer system to justify reimbursement of the cost of replacing the entire system. Id. at *2. That is, because the insured “only lost data and could still use its computer system,” the insurer took the position that there was no “direct physical loss” and, therefore, no coverage. Id.
In finding that the insured should be reimbursed for its losses, the court determined that the plain language of the policy “contemplates that data and software are covered and can experience ‘direct physical loss or damage’” Id. at *3. The court refused to credit the insurer’s argument that a loss of software and its related functionality was not a direct loss to tangible property simply because the insured could still use the system albeit in a diminished fashion. Id. Instead, relying on relevant case law, the court it recognized that the insured’s computer system, while still functional, had been rendered inefficient and its storage capability was damaged in a way that its data and software could not be retrieved. Id. at *4. Accordingly, the court ruled that the policy did not require the computer system to be completely unable to function in order to constitute covered “physical loss or damage”. Id. at *5.
In granting summary judgment in favor of the insured, the court viewed the system’s loss of use and reliability and impaired function to be consistent with the “physical loss or damage to” language in the policy. Id. This was so because “not only did [insured] sustain a loss of its data and software, but [it] is left with a slower system which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.” Id.
Spoofing – Covered
In Principle Sols. Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886, 888 (11th Cir. 2019), the 11th Circuit affirmed a finding of coverage for a loss caused by an email spoofing attack. “Spoofing” is a technique by which a fraudster sends an e-mail and uses a code to change the e-mail address in the “From:” line to reflect an e-mail address other than the one belonging to the fraudster”. Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., 430 F. Supp. 3d 116, 125 (E.D. Va. 2019). Typically, the spoofed email will direct someone to wire funds to a fake recipient. In Principle Sols., “[t]he loss stemmed from a sophisticated phishing scheme in which a scammer posing as an executive of Principle Solutions Group, LLC, persuaded an employee to wire money to a foreign bank account.” Principle Sols. Grp., 944 F.3d at 888. After the initial spoofed e-mail, which directed the employee to follow the directions of an attorney, the scammers sent a second spoofed e-mail from the purported attorney and then followed up with a phone call. Id. at 889. After the bank’s fraud prevention service asked for clarification, the employee again conferred with the purported attorney and approved the transaction.
The applicable insurance policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.” Id. at 889. The insurer, Ironshore, denied coverage, claiming that a subsequent e-mail and phone conversation between the employee and a scammer posing as an attorney effectively meant that the initial e-mail was not “fraudulent instruction” within the meaning of the policy. The circuit court found this argument unpersuasive, stating, “We disagree with Ironshore’s divide-and-conquer approach. Nothing in the policy language warrants the assumption that the two emails could not be part of the same fraudulent instruction.” Id. at 891.
The insurer also argued that Principle’s losses did not result “directly” from a fraudulent instruction as the policy required, because the loss depended on the employee’s conversations with the false attorney and the bank, which occurred after the initial spoofed email directed the money transfer. Id. at 891. The court was also unimpressed with that argument, explaining that “the ordinary meaning of ‘resulting directly from’ requires us to determine whether the fraudulent instruction here approximately caused Principle’s loss.” Id. at 892, and that in this instance both of the purported intervening causes identified by the insurer (the conversations with the false attorney and the bank) were “foreseeable consequences of the email” which satisfied Georgia’s proximate cause requirement. Id., citing Goldstein Garber & Salama, LLC v. J.B., 300 Ga. 840, 797 S.E.2d 87, 89 (2017).
Spoofing – Not Covered
In Apache Corp. v. Great American Ins., 662 F. App’x 252 (5th Cir. 2016), the Fifth Circuit also was faced with an insurance dispute arising out of a spoofing, but in that instance found that the policy did not afford coverage. In that matter, Apache’s accounts payable personnel received a phony email purporting to be from one of its vendors, Petrofac, advising that its payment account details had changed. Id. at 253. The email attached a letter on Petrofac’s letterhead with the old and new account information and instructions to use the new account. Id. In response, an Apache employee called the telephone number listed on the letter to verify that the request was legitimate. Id. Another Apache employee approved and implemented the change in the account detail, resulting in the transfer of several million dollars to the fraudulent account. Id. Apache recovered some of the funds, but still sustained a loss of $2.4 million above the policy deductible. Id. at 254.
Apache submitted a claim under the “computer fraud” coverage in its crime-protection insurance policy. That provision obligated the insurer to pay “for loss of, and loss from damage to money,…resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises.” Id. The insurer denied the claim, finding that Apache’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.” Id. Apache instituted a lawsuit against its insurer, ultimately securing summary judgment in its favor, upon the trial court’s ruling that “the intervening steps of the post email confirmation phone call and supervisory approval do not rise to the level of negating the email as being a substantial factor.” Id. (internal quotation marks omitted).
On appeal, the Fifth Circuit reversed, holding that the email was only part of the scheme because it was “merely incidental to the occurrence of the authorized transfer of money.” Id. at 258. The court viewed the trial court’s coverage determination as a bridge too far, which ran the risk of converting any general fraud utilizing an email into a covered event under the computer-fraud provision of the policy. Id. At bottom, the court held that the cause of the loss was the election to pay legitimate invoices rather than the fraudulent email and subsequent phone call. Id. at 259.
Takeaways
Businesses should be heartened that courts have found coverage for the types of cybercrimes that are increasingly being perpetrated in our current and expanding remote work environment. Nevertheless, as illustrated by the Apache decision, coverage determinations will rise and fall on the factual nuances of each claim. Moreover, businesses should not expect an easy road if through their own actions or inactions, they allow the fox into the hen house, that is to say – if they are a contributing factor to a damaging spoofing or ransomware incursion. Accordingly, businesses should routinely and diligently assess their systems’ security protocols and internal cyber security policies (including as to employee cyber security training) to ensure that they are up-to-date and to safeguard against shortfalls which could impede coverage.