The Travelers Cos. will argue May 2 that cash payments made in connection with a phishing attack aren’t covered under a general crime insurance policy.

The litigation before the U.S. Appeals Court for the Sixth Circuit highlights issues facing companies that seek to use broad insurance policies to regain losses after a phishing scheme—a cyberattack where hackers use email credentials to trick others into sending sensitive information or cash payments.

Companies have turned to insurance providers to recover losses following data breaches or other cyberattacks, such as phishing schemes and ransomware strikes. It still isn’t clear, however, if cyberattacks are covered under general insurance policies, or if a specified cybersecurity insurance plan is needed to recover losses. This lack of coverage clarity has caused litigation from consumers, attorneys told Bloomberg Law.

Half of “crime fraud insurance plans include coverage on phishing attacks that lead to wire fraud,” but the other half do not, leaving companies to seek out specific cybersecurity plans, David Zetoony, data privacy and security partner at Bryan Cave Leighton Paisner LLP in Boulder, Colo., told Bloomberg Law.

Reliable insurance brokers will verify that either a cyber or crime policy covers phishing attacks, but others may not see that there is “an exclusion for wire-fraud related cyberattacks,” he said.

Cyber Insurance Litigation

The case of Travelers denying American Tooling Center Inc.'s request for coverage under a general crime policy highlights the challenges faced by business that want to obtain comprehensive cybersecurity coverage.

American Tooling Center had $834,107 in payments intended for its Chinese vendor routed to cybercriminals posting as a third party and sued Travelers to recover the wire payments. Travelers denied the claim, saying that the losses were “not directly caused by the use of a computer to fraudulently cause a transfer of money,” according to ATC’s August 2017 brief.

The U.S. District Court for the Eastern District of Michigan, relying on an insurance policy that requires a “direct loss of money caused by computer fraud,” granted Travelers’ motion for summary judgment in August 2017 because the phishing attack was a remote or incidental case of financial harm—not the immediate or proximate cause. It is that decision that is on appeal by ATC to the Sixth Circuit.

What’s Covered?

While the appeal is heard, companies looking for insurance to cover the broadest potential range of cybersecurity incidents should seek specialized plans, rather than ready-made policies, attorneys said.

“Few off-the-shelf crime polices provide cyber coverage or coverage for phishing attacks unless the insured has specifically requested it,” Thomas Bentz, cybersecurity and insurance partner at Holland & Knight LLP in Washington, told Bloomberg Law. Even in those situations, there are “sub-limits of coverage” that usually range from $250,000 to $500,000, he said.

Insurers, meanwhile, are trying to to clarify coverage terms by explicitly excluding cybersecurity incidents in their general policies, attorneys said.

“The trend has been to exclude cyber incidents and cover these risks as either a separate rider or a cyber policy,” Guillermo Christensen, partner at Brown Rudnick LLP in Washington and chair of the firm’s cybersecurity and data security practice group, told Bloomberg Law.

Although “the cyber insurance market is exceedingly immature at this stage,” it will grow and be able to offer more generalized coverage that will lead to less cyber insurance litigation, Christensen said.

Check Your Policy

Obtaining a thorough social engineering, or phishing, attack plan could help a company avoid litigation over coverage.

“Social engineering crimes perpetrated by using a computer are relatively new and the law regarding insurance coverage for those losses is evolving. Insurers tend to take the position that social engineering losses are not covered under a crime policy’s computer fraud or funds transfer fraud coverages and are only covered if the insured purchased social engineering coverage,” Antoinette Banks, senior vice president and claims attorney at Aon Risk Solutions in San Francisco, told Bloomberg Law.

Companies that do buy insurance to cover potential cybersecurity losses should check to make sure specific cyberattacks aren’t excluded from their coverage, attorneys said.

“Typically, it’s not whether cyberattacks that involve phishing fall within the coverage provisions of the insurance policy, it’s whether cyberattacks that involve phishing are excluded,” Zetoony said. Those that only scan a portion of an insurance plan will often miss out on “dozens of exclusions,” such as providers’ refusal to pay for “redirection of funds"—a term that would typically encompass phishing losses, he said.

Cyber insurance coverage also requires extra due diligence, compared to other business risks, because of the nascent stage of the industry, attorneys said. A comprehensive cyber policy should cover ransomware strikes, business email compromise threats, phishing attacks, and other common cyberattacks, Christensen said.

“Companies will have to examine the language in their policies (around exclusions, limits/sub-limits) much more carefully than for other common businesses risks,” Christensen said. Businesses should have “a detailed conversation with their insurer about what the company wants to protect,” he said.

The case is American Tooling Ctr., Inc. v. Travelers Cas. and Sur., 6th Cir., No. 17-02014, oral arguments 5/2/18.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com