Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska
Tuesday, February 18, 2025

An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.

Background

Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter used email to trick AFC into wiring $1.9 million into a fraudulent bank account. AFC’s CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, with which AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.

This email was actually sent by a black hat hacker pretending to be Kuukpik’s CFO. Kuukpik and AFC provided cash payments to one another on a regular basis through an intercompany account shared by the two.

The spoofed email came from an address similar to that of Kuukpik’s CFO, and the hacker later emailed instructions to AFC’s CFO to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.

Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”

The Coverage Lawsuit

AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.

AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.

AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.

Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.

Takeaways

The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.

Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually through endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.

The cyber exclusion endorsement in AFC’s policy was broad—it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.

Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages—like cyber policies—to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.

The global cost of a data breach in the US now has reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given those staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.

Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.

Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.
