Insurance — Do You Know What’s in Your Bank’s Policies?

There are many different types of insurance — directors and officers (D&O), employment practices liability (EPLI), and general liability, to name a few. Unfortunately, many clients do not know what is in their policy or policies, including what is covered, their deductibles or retention, or, in some unfortunate cases, that they have no policy at all.

This article attempts to help you answer some simple questions about what to look for when you are buying a policy and what to look for in a current policy when you need to use it. It is not an attempt to promote any particular policy, as each policy has to be read in light of the specific facts at issue.

Buying the cheapest — you may get what you pay for.

In too many cases, we find that clients have simply purchased the cheapest policy they can find. The reasons for this vary. Maybe the client asked for the cheapest policy, maybe the agent simply got the client the cheapest policy, or maybe there was no real conversation at all between the insured (client) and the agent except to “get some insurance.”

This is never an issue — until it is. By way of example, let’s say a lawsuit is filed against you that should kick in your D&O or EPLI policy. You then turn the lawsuit over to your agent for defense and coverage. And then, one of several increasingly common scenarios occurs. You discover that your deductible or retention is very high, e.g., the first $100,000 is on you. Or you discover that many employment cases could be resolved or dismissed for less than that, and that for a little more on the front end, you could have had a lower deductible. Or you discover that what you purchased does not cover alleged fiduciary breaches by your directors and officers, and you could have purchased that coverage if you had asked.

You also might discover that you could have purchased, for a small additional amount, wage and hour coverage that would have covered the overtime lawsuit you were just served, but no one ever specifically talked with the agent about that. You also might discover that the attorney you have worked with for years will not be able to handle the case because there is no “choice of counsel” in the policy. In many cases, spending 30 minutes with your agent (and probably an attorney who has experience working with you) could have resolved these issues — that now are out of your control.

The point is, spending the necessary time with your agent (and attorney) is something that should be done before any policy is purchased or renewed. This allows you to express what you want and consider the options available. It also allows you to avoid issues such as not being able to use the attorney of your choice.

Do you have a claims-made or an occurrence policy?

While each policy and case must be examined individually, generally, an occurrence policy covers claims arising from acts or incidents that occurred during the policy period. This means that if the incident occurred during the policy period and the policy was in effect and in good standing, the claim will be covered, even if you get sued over that incident after the policy has expired.

Claims-made policies are entirely different animals. Claims-made policies generally cover only claims made during the policy period. The claim must also be reported to the insurer as required by the policy.

Generally, claims-made policies are cheaper, as they usually provide coverage for a shorter period of time. Again, however, be aware of “going cheap.” Claims-made policies that are not renewed or are canceled — and for which tail coverage is not purchased — can create exposure for an incident that occurred during the policy period. This can happen, for example, if you simply let the policy lapse and a year or so later someone files a suit against you that would have been a “claim” under your claims-made policy but it was not reported when the policy was effective. It can also occur if you change insurers.

The above is a very general description, and any discussion about the type of policy you should buy or what to do when you renew is beyond the scope of this article, but you should absolutely consult with your agent (and likely your attorney) about any specific needs or concerns you know of prior to purchasing or renewing any policy.

Do you have coverage and defense, or just defense?

Be aware that some policies provide for attorney’s fees and costs to defend claims made against you as well as coverage for any settlement or judgment against you. Some policies, however, only provide for attorney’s fees and costs. Again, this goes to what type of policy you want, what you can afford, and knowing the risks of what you have versus what you do not have.

I have had the unfortunate situation where a client thought they had a policy providing coverage and defense, but the policy provided only defense. The matter involved multiple plaintiffs and conflicting witness testimony that made dismissal of the case prior to any trial impossible. While the resolution of the case was not substantially out of line for the average federal court employment case, the money came directly from the client’s pocket because the policy only provided for defense costs, not coverage for any settlement or verdict. When questions arose about why that type of policy was provided by the agent, it was clear the client had only told the agent to “get some insurance” and made no specific requests.

To sum up, it is unfortunately common that when purchasing insurance of any kind, insureds do not actively engage their agent (or ask for any advice from their attorney) about what types of policies and coverage they may need. This creates many issues (deductible, choice of counsel, lack of coverage, etc.) that likely could have been avoided. There is no guarantee that any issue could be avoided, as no one knows what type of claim or claims might be made in the future, but spending the necessary time on the front end could save many headaches on the back end if your agent gets as much specificity as possible from you.

Will Your Company’s Insurance Cover Losses Due to Phishing and Social Engineering Fraud?

Six Tips for Evaluating and Seeking Coverage for Business Email Compromises

If your company fell victim to a business email compromise – a scam that frequently involves hackers fraudulently impersonating a corporate officer, vendor, business partner, or others, getting companies to wire money to the hackers – would your insurance cover your loss?  There is reason to be concerned about this sort of attack, as the FBI has explained that the “scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses” (actual and attempted losses in U.S. dollars).  The good news for policyholders is that courts across the country have been ruling that crime insurance policies should provide coverage for this sort of loss, at least where it is not specifically excluded.

How do business email compromises work?

In early versions of business email compromises, the hackers send emails that appear to be from company executives, discussing corporate acquisitions, or other financial transactions, and are received by company employees in the finance department.  See, e.g., Medidata Sols., Inc. v. Federal Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, — F. App’x — (2d Cir. 2018).  The employee is told that the transaction is highly confidential, and that the employee should work closely with an attorney or other financial advisor to help close the deal.  The employee then is told to wire money to cover the costs of the transaction, very often to a foreign country.  Having been defrauded, the employee logs in to an online banking site, and approves a wire transfer.

In other versions of a business email compromise, hackers get access to email accounts of one party, sometimes via a brute force attack where an attacker breaks into a system by guessing a password, or via a phishing attack where a user is fooled into typing a username and password into a fraudulent site.  Then, the hacker sends out emails from the compromised account, pretending to be a vendor, and asking for payment to be sent to a different bank account.  See, e.g., Am. Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., — F.3d — (6th Cir. 2018).  Again, having been defrauded, the employee has money wired to the fraudster, instead of to the vendor.

Will insurance cover losses due to business email compromises?

The answer to whether insurance carriers will cover these losses – without court intervention – is “it depends.”  Recent decisions have ordered insurance carriers to provide coverage.  And the insurance industry has been scrambling to write new endorsements for their insurance policies that the insurance companies say provide coverage for business email compromises.

A common place for seeking coverage for these losses is under crime insurance policies.  Many crime insurance policies include coverage for “computer fraud,” “funds transfer fraud,” or even “computer and funds transfer fraud.”  Exemplar “computer fraud” coverage applies to “direct loss” of money resulting from the fraudulent entry, change, or deletion of computer data, or when a computer is used to cause money to be transferred fraudulently.  Exemplar “funds transfer fraud” coverage applies to “direct loss” of money caused by a message that was received initially by the policyholder, which purports to have been sent by an employee, but was sent fraudulently by someone else, that directs a financial institution to transfer money.  A reasonable policyholder, which fell victim to a fraudulent scheme via a computer, or transferred funds because of a fraudulent scheme, likely would think that computer and funds transfer fraud coverages would apply to the losses.

What have courts said?

Two recent decisions from federal courts of appeal have resulted in coverage under crime policies for business email compromise losses.

The first is the July 6, 2018 opinion issued in Medidata Solutions, Inc. v. Federal Insurance Co., No. 17-2492 (2d Cir.).  The Medidata trial court ruled that a crime insurance policy provides coverage for a fraudulent scheme and wire transfer.  The Court of Appeals for the Second Circuit affirmed the trial court’s decision.  In Medidata, the policyholder’s employees received emails that purported and appeared to be from high level company personnel but were, in fact, sent by fraudsters.  Based on those emails, and messages from purported outside counsel, Medidata wired nearly $5 million to the fraudsters.  It sought coverage under a crime policy that it bought from Chubb that had computer fraud, funds transfer fraud, and other coverages.  The trial court ruled that computer fraud and funds transfer fraud coverages both applied.  It rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds.

On appeal, the Second Circuit ruled that Medidata’s loss was “direct” under the insurance policy language.  “Federal Insurance further argue[d],” as carriers have done in many business email compromise cases, “that Medidata did not sustain a ‘direct loss’ as a result of the spoofing attack, within the meaning of the policy.”  Slip op. at 3.  The Court of Appeals held that because “[t]he spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day,” the loss was direct.  Id.  The court rejected the insurance carrier’s argument that the loss was not direct because “the Medidata employees themselves had to take action to effectuate the transfer”; the employees’ actions were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”  Slip op. at 3.  The Court of Appeals did not address the trial court’s ruling that funds transfer fraud coverage applied, “[h]aving concluded the Medidata’s losses were covered under the computer fraud provision.”  Id.

Shortly after Medidata was issued, the Sixth Circuit decided on July 13, 2018 that computer fraud coverage applies to losses resulting from a business email compromise in American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014 (6th Cir.).  There, the policyholder (ATC) wired money to fraudsters, instead of a vendor, because of a business email compromise.  The Sixth Circuit reversed the district court, ruling that the losses are “direct” and covered by crime insurance.

In a decision that will be published, the Court of Appeals held there was “‘direct loss’ [that] was ‘directly caused’ by the computer fraud,” even though the policyholder had engaged in “multiple internal actions” and “signed into the banking portal and manually entered the fraudulent banking information emailed by the impersonator” after receiving the initial fraudulent emails.  Id.

Holding that coverage applied, the Sixth Circuit distinguished the Eleventh Circuit’s decision regarding computer fraud coverage in Interactive Communications v. Great American, No. 17-11712, ___ F. App’x ___, 2018 WL 2149769 (11th Cir. May 10, 2018).  Id. at 9-10.  After the policyholder in American Tooling had “received the fraudulent email at step one,” it “conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two.”  The loss occurred at step two; as such, “the computer fraud ‘directly caused’ [the policyholder’s] ‘direct loss.’”  Id. at 10.  By contrast, the Sixth Circuit explained, the policyholder in Interactive Communications only suffered losses at step four in a significantly more complicated chain of events.  See id. at 9-10.

These decisions are great news for policyholders pursuing coverage under crime policies for losses resulting from business email compromises.  And, in light of this new authority, policyholders would be well-advised to examine denial letters carefully, giving due consideration to whether these decisions could be used to argue in favor of coverage.

What options are available to policyholders going forward?

Cynical viewers of insurance history might view the state of coverage as similar to what the industry has done in the past.  That is, initially, cover new claims under “old” policies.  Then, after claims get expensive, hire coverage counsel to tell courts why the carriers must not have meant to cover these new claims (whether the drafting history reflects such an intent or not).  Next, get insurance regulators to approve exclusions purportedly tailored explicitly to the risk, and, at the same time, sell new policy endorsements (often for additional premium) that provide lower limits of coverage for the risk.

That’s what is happening in connection with insurance for business email compromises.  At least one insurance group that drafts crime insurance policies has asked for a definition of computer and funds transfer fraud to be changed, and a new social engineering fraud endorsement to be approved for sale.  Insurers have rolled out these endorsements with limits of coverage that often are capped at low amounts, and might also have high retentions.  These endorsements frequently are available for crime policies and, sometimes, are available for cyberinsurance policies as well.

So what are some options for policyholders trying to structure an insurance program for these risks?  These questions should provide helpful tips:

1. What does the insurance policy include? Policyholders would be well-advised to see whether the insurance program includes social engineering fraud endorsements or coverage parts.

2. What are the applicable limits? Policyholders would be well-advised to check the policy limits that would apply to those coverages.  Binder letters might not disclose a sublimit, and the policyholder might not realize the limit of coverage is lower than the full policy limit until it is too late.

3. Are coverages available under more than one policy? At the time of policy renewal, policyholders would be well-advised to consider asking whether social engineering fraud coverage can be added to a crime program and a cyberinsurance program.

4. Will excess coverage apply, and, if so, when? Policyholders would be well-advised to explore whether excess policies will provide this coverage, and, if so, whether they will “drop down” to attach at the level of any sublimit, to avoid donut holes in the coverage.

5. Will other policy provisions provide coverage, beyond narrow endorsements? If the policyholder faces a claim, policyholders would be well-advised to determine whether other coverages might apply to the losses, notwithstanding a social engineering fraud endorsement.

6. What happens if the insurance carrier says, “no,” or that sublimits apply? If the insurance carrier denies coverage, or tries to apply a sublimit, policyholders would be well-advised to be mindful of the interpretation that two Courts of Appeals have used for computer fraud coverage in similar contexts.

 

© 2018 BARNES & THORNBURG LLP
This post was written by Scott N. Godes of Barnes & Thornburg LLP.