A coordinated attack between November 2013 and May 2014 resulted in Interactive Communication International processing 25,553 fraudulent transactions resulting in a $10.7 million loss. It turned the claim into Great American Insurance Company for coverage under its Computer Fraud Policy and coverage was denied. Interactive argued for coverage from the scam because all actions were fraudulent. Great American denied coverage because the fraudulent activity took place because of a vulnerability in the computer system.
See how the courts responded.
Interactive Communications International, Inc. and HI Technology Corp. (together, “InComm”) operate a business that allows customers to put money onto reloadable bank-issued debit cards. The money is added by the customer first buying a chit from a retailer and then calling InComm’s 1-800 number which connects to an interactive voice response (IVR) computer system. The consumer enters the debit card number and the PIN located on the chit at which time the IVR credits the value of the chit to the card. The funds become immediately available to the cardholder.
Between November 2013 and May 2014, fraudsters identified a vulnerability within InComm’s IVR system that permitted multiple redemptions of a single chit. The vulnerability occurred when two or more calls were made to the IVR system simultaneously for the redemption of the same chit. One call would transfer the funds from the chit to the debit card account, while the other would return the chit to an “unredeemed” state which permitted a future redemption. Over seven months, InComm’s system processed 25,553 fraudulent redemptions associated with 1,988 individual chits.
After the loss was discovered, InComm made a claim for $10.7 million against its computer fraud policy underwritten by Great American Insurance Company (GAIC). The policy provides coverage for:
“loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.”
GAIC filed for summary judgment as to coverage contending that the policy does not cover InComm’s loss because the scam was not executed through the direct use of a computer. It argued that the loss occurred as a result of the misuse of the IVR system. The district court granted the summary judgment and InComm appealed.
The appellate court affirmed the ruling of the district court. It held that the loss was not the result of a computer and that even if it had been due in some way to a computer, the loss remained excluded because the loss was not due to any direct use of a computer.
Interactive Commc’ns Int’l, Inc. v. Great Am. Ins. Co., No. 17-11712, 2018 WL 2149769 (11th Cir. May 10, 2018)
A scam may be a fraud but not necessarily a computer fraud
The Computer Fraud Insuring Agreement provides important crime coverage but it was not designed to cover the many hacking and phishing activities that are constantly taking place. Attempting to solve a cyber insurance issue with a crime product can result in a very disappointed client.
Review of coverage provided by Insuring Agreement A.6: Computer and Funds Transfer Fraud and also the exclusions that apply.
- INSURING AGREEMENTS
CR 00 21 contains seven insuring agreements. Coverage for a specific insuring agreement applies only if there is a limit of insurance on the declarations beside that insuring agreement. Coverage applies to losses the named insured sustains under the following circumstances:
- The loss must be the result of an occurrence.
- The occurrence must take place DURING the policy period on the declarations.
- The named insured must discover the loss DURING the policy period or the extended discovery period.
All of the above are subject to all of the following:
- Condition E. 1. g: Extended Period To Discover Loss
- Condition E. 1. k: Loss Sustained During Prior Insurance Issued By Us Or Any Affiliate
- Condition E. 1. l: Loss Sustained During Prior Insurance Not Issued By Us Or Any Affiliate
- Definitions of the terms discovered and occurrence in Section F
- Computer and Funds Transfer Fraud
- The insurance company pays the following:
- (1) Loss caused when money, securities, or other property is transferred, paid, or delivered because of a fraudulent computer entry or change or a fraudulent electronic data entry or change. The entry or change must be within a computer system that the named insured owns, operates, or leases. This also applies if the fraudulent entry or change resulted in the named insured’s account at a financial institution being either debited or deleted.
| Example: Josie Proust, the top salesperson for Cyberfroot Distributors, was staying in a hotel in Beijing. She regularly conducted business from her room. While at a meeting with a local group of lychee and pomegranate farmers, someone broke into her room, stole some of her valuables and hacked into her laptop to transfer funds from her account. This insuring agreement covers this computer fraud loss. |
- (2) Loss caused when money or securities are transferred, paid, or delivered from the named insured’s account at a financial institution based on fraudulent instructions.
- Related Court Case: Bond’s Exclusion Provision was Conspicuous, Plain, and Clear
- Fraudulent entry or fraudulent change of electronic data or a computer program as described in 6. a. (1) above is broadened to include such entries when made in good faith by employees. However, coverage applies only if the entries are made based on fraudulent instructions received from a computer software contractor. This contractor must have a written agreement with the named insured to design, implement, or service computer programs for computer systems that this insuring agreement covers.
| Example: Ken receives an electronic update file from his network provider and is told that it is a required patch. Ken uploads the file as instructed. Charlene’s financial institution informs her that unusual charges are being made against the company account. Ken and Charlene review the timing and realize the patch is actually a program designed to redirect funds. Ken changes network providers and Charlene files a police report and a computer transfer claim. |
- EXCLUSIONS
- These exclusions apply to all insuring agreements unless stated otherwise.
- Acts Committed by You, Your Partners or Members
There is no coverage for theft or any other dishonest act the named insured or its members or partners commit. This applies if the named insured, partner or member acts alone or involves others in the dishonest event. Note: The named insured cannot claim coverage for an employee’s dishonest act if the named insured is involved in the same dishonest act. For the purposes of this exclusion, a member is an owner of a Limited Liability Corporation (LLC).
- Acts Committed by Your Employees Learned of by You Prior to the Policy Period
This exclusion applies to losses caused by employees with a history of committing dishonest acts. Coverage does not apply to any loss that employee causes if the named insured, its partners, members, managers, officers, directors, or trustees knew about his or her previous dishonest acts that took place prior to the policy period. However, coverage does apply if the member, partner, manager, officer, director, or trustee who knew about the dishonest acts was working with that employee to commit the dishonest act.
| Example: Trent has a troubled background and Rick, the vice president of operations, knows about it. Rick uses Trent and his shady contacts to help him fence items they steal from their company’s warehouse. When the loss is discovered, the insurance company cannot deny coverage because Rick is the only one at the company who was aware of Trent’s dishonest past. |
Acts Committed by Your Employees, Managers, Directors, Trustees, or Representatives
This exclusion applies to all insuring agreements except Insuring Agreement A. 1. Employee Theft.
Coverage does apply to any dishonest act (including theft) any of the named insured’s employees, managers, trustees, directors, or authorized representatives commit. This exclusion applies whether they act alone or with any other persons. It applies whether the perpetrator is providing a service for the named insured at the time of the loss or not.
| Example: Jeremy is an employee at Jones and Sons. He and three of his friends broke into the Jones and Sons warehouse and stole a substantial amount of electronics. Jeremy’s involvement was captured by the warehouse’s surveillance cameras. Coverage under all Insuring Agreements except for Insuring Agreement A. 1 is denied because Jeremy was an employee of Jones and Sons. |
- Confidential or Personal Information (11 15 changes)
The insurance company does not pay for loss that result from either of the following:
(1) Disclosing another person’s or organization’s confidential or personal information. It also does not pay for loss resulting from any use of such information.
| Example: Marguerite works in Acme College’s Record’s Department. Her boyfriend, Phillip, asks for some information about his roommate, Paul, and uses it to steal Paul’s identity. Paul discovers the identity theft when he attempts to secure a student loan. The police track the release of information to Phillip and Marguerite, both of whom have left town. Paul demands that Acme compensate him for the monetary loss due to Marguerite’s actions. One reason the crime coverage written on Acme College does not respond is because of this exclusion. |
(2) Disclosing the named insured’s confidential or personal information. However, this exclusion does not apply to coverage that is available in certain insuring agreement when such information is used for dishonest acts.
Examples of such confidential or personal information mentioned in this exclusion are patents, trade secrets, customer lists, processing methods, credit card information, financial information, health information, or any other kind of information that is generally not available to the public. These are only examples and are not meant to restrict the term confidential or personal information.
Note: This exclusion was rewritten to clarify that only loss due to the disclosure of the named insured’s personal and confidential information is not covered. Coverage provided in an insuring agreement that is due to the use of the named insured’s personal or confidential information could still be covered.
- Data Security Breach
Coverage does not apply for any expenses or costs the named insured must incur or for any fines, fees or penalties it must pay because access was provided to another person or organization’s personal or confidential information or that information was somehow disclosed. The personal or confidential information examples are the same as described in Exclusion d. above.
| Example: Acme College is reprimanded by its accreditation board and both the state and local governments for permitting Paul’s identity to be stolen. The college must perform an audit, review and update its procedures, and add levels of security to protect student information. The college must also pay fines. None of these costs are covered. |
- Government Action
Coverage does not apply to loss that results when property is taken or destroyed because of an order from a governmental authority.
| Example: The owner of Shot Docks Bass Boat Rentals files a claim for the loss of a boat. The boat is valued at $37,000 and the owner states that “some official persons” took it from her premises. The claims adjuster investigates and learns that the boat was confiscated under a federal controlled substances law. The claim is denied. |
- Indirect Loss
There is no coverage for loss that is an indirect result of an occurrence that this insurance covers. The following are examples of such excluded indirect losses but the exclusion is not limited to just these:
- Loss of income as a result of not being able to use money, securities, or other property.
Note: This means that coverage does not apply to loss of interest income on money that could have been invested. There is no coverage for loss of income on stock holdings that could have appreciated during an upturn in the market. Finally, loss of profit due to the loss of a chance to sell product stolen from an insured is excluded. Business income coverage available in commercial property forms pays for the loss of income on property other than money or securities.
- Damages for which the named insured is legally liable. The only exception is for any direct damages that this insurance covers.
- Costs, fees, or other expenses the named insured incurs in order to establish that a loss actually happened or to determine the amount of a loss.
Note: These costs, fees, or expenses can be substantial.
Examples:
Coverage for these costs and expenses is available by attaching CR 25 40–Include Expenses Incurred to Establish Amount of Covered Loss. |
Related Article: ISO Commercial Crime Coverages Available Endorsements and Their Uses
- Legal Fees, Costs, and Expenses
There is no coverage for any legal fee, cost, or expense the named insured incurs. However, there is an exception explained under Insuring Agreement A. 2.
- i. Nuclear Hazard
There is no coverage if nuclear reaction or radiation causes loss or damage. Radioactive contamination is also excluded. This exclusion applies regardless of how such losses occur.
- Pollution
Loss or damage caused by or that results from pollution is excluded. Pollution means any release or escape of any solid, liquid, gaseous, or thermal contaminant or irritant. These include vapor, smoke, acids, fumes, chemicals, alkalis, and waste. Waste includes materials to be reclaimed, recycled, or reconditioned.
Note: This definition of pollutant is identical to the one used in ISO Commercial Property Coverage Forms.
- Virtual Currency (11 15 addition)
Any loss that involves virtual currency is excluded. Virtual currency is any type of electronic currency such as digital or crypto currency. The name of the currency and whether it is actual or fictitious is irrelevant to this exclusion.
Note: Coverage is available for this type of currency through CR 25 45–Include Virtual Currency as Money.
| Example: Justine sells products only online and accepts many forms of payment, including bitcoin. A recent audit reveals that Chris, one of her employees, has been siphoning the bitcoin payments to his personal bitcoin account. Justine submits an Employee Theft claim that is denied because the loss is entirely in virtual currency. |
War and Military Action
There is no coverage for loss or damage that results from war, undeclared war, or civil war. This includes a military force’s warlike actions or actions to hinder or defend against an expected or actual attack by any governmental authority that uses military personnel or other agents.
Loss or damage due to rebellion, insurrection, usurped power, revolution, or action a governmental authority takes to defend against or hinder any of these is also not covered.
Note: This wording is identical to the wording in ISO Commercial Property Coverage Forms.
- The following exclusions apply to Insuring Agreement A. 6: Computer and Funds Transfer Fraud.
- Authorized Access
Coverage does not apply when the loss results from actions of any party that is authorized to access that computer system. The only exception is described in Insuring Agreement A. 6. b. which explains that when an employee acting in good faith takes an action based on fraudulent information of a specific type of contractor there is coverage.
- Credit Card Transactions
Coverage does not apply when a loss is due to any type of credit, debit, charge, or other similar card being used. There is also no coverage when the loss is the result of information that was contained on any of those cards.
- Exchanges or Purchases
There is no coverage for loss that occurs because property was relinquished as a part of a purchase or an exchange.
Note: There is no standard endorsement available to “buy back” this exclusion or to purchase this coverage.
- Fraudulent Instructions
There is no coverage when an employee or financial acting on false or fraudulent instructions transfer, pay or deliver money or securities or other property. This exclusion applies even if the named insured’s account is debited or deleted based on those instructions.
The only exceptions are described in Insuring Agreement A. 6.a.(2) and 6. b. These both describe very specific fraudulent instruction situations that are covered.
Note: This exclusion appears to be a way to clarify the exact circumstances when coverage is provided and then to eliminate all others.
- Inventory Shortages
There is no coverage when the fact that a loss has occurred is based solely on an inventory shortage or a profit and loss statement. The inventory and profit and loss can be used to calculate or substantiate a loss but other evidence of the actual physical loss must be provided.
Do your clients understand that they need cyber insurance
Cyber insurance that is properly designed may cover a loss like the one described in this newsletter. However, it may not. Cyber Insurance remains a very fluid product because the hazards and exposures continue to evolve. ISO has developed a standardized form that can be used to develop a template for comparison but the many carriers providing this coverage continue to innovate.
Here is a comparison template that could help in evaluating coverage.
(August 2018)
This form should be useful for documenting the differences among companies that offer cyber insurance policies to medium to large entities. It can be used to record special endorsement limits, exclusions, other improvements, or any restrictions that apply.
Using this chart is not a statement of coverage; it is a tool to help you and your client understand key differences. It is important to note that it will not highlight every difference that could impact coverage.
| COVERAGE | GENERIC | COMPANY A | COMPANY B | COMPANY C |
| Liability – Claims-made | No – ins agree 1
Yes – ins agree 2,3 |
|||
| All other – Discovery | Yes | |||
| INSURING AGREEMENT | ||||
| Website publishing liability | Optional | |||
| Security breach liability | Optional | |||
| Programming errors and omissions liability | Optional | |||
| Replacement or restoration of electronic data | Optional | |||
| Extortion Threats | Optional | |||
| Business income and extra expense | Optional | |||
| Public Relations Expense | Optional | |||
| Security Breach Expense | Optional | |||
| LIMITS OF INSURANCE | COMPANY A | COMPANY B | COMPANY C | |
| Policy aggregate limit | Yes | |||
| Insuring agreements aggregate | Yes | |||
| DEDUCTIBLE | COMPANY A | COMPANY B | COMPANY C | |
| Dollar or percentage | Dollar | |||
| Liability deductible must be self-insured | Yes | |||
| Highest deductible for multiple | Yes | |||
| DEFENSE AND SETTLEMENT | COMPANY A | COMPANY B | COMPANY C | |
| Duty to defend | Yes | |||
| Right to defend | Yes | |||
| Regulatory actions | Yes | |||
| Consent to settle | Yes | |||
| Consequences of not consenting to settle | Yes | |||
| EXCLUSIONS | COMPANY A | COMPANY B | COMPANY C | |
| Acts of nature | Yes | |||
| War | Yes | |||
| Biological/nuclear release | Yes | |||
| Bodily injury/Property damage | Yes | |||
| Computer system failure | Yes | |||
| Lack of access to electronic data | Yes | |||
| Insufficient capacity | Yes | |||
| Activity overload | Yes | |||
| Network disruption | Yes | |||
| Power source fluctuation | Yes | |||
| RICO violations | Yes | |||
| Satellite failure or malfunction | Yes | |||
| Publishing false material | Yes | |||
| Contract or agreement | Yes | |||
| Patent or trade secret violation | Yes | |||
| Pollution | Yes | |||
| Prior claim or suit | Yes | |||
| Employment-related practices | Yes | |||
| Wrongful acts prior to retroactive date | Yes | |||
| Knowledge prior to effective date | Yes | |||
| Prior policy claim | Yes | |||
| Criminal acts | Yes | |||
| Willful violations | Yes | |||
| Governmental/regulatory action | Yes | |||
| Poor upkeep of computer system | Yes | |||
| Insured vs insured claim | Yes | |||
| Unintentional entry-related E&O | Yes | |||
| Contract-related fines, penalties | Yes | |||
| CONDITIONS | COMPANY A | COMPANY B | COMPANY C | |
| Cancellation | Yes | |||
| Changes | Yes | |||
| Examination of books/records | Yes | |||
| Inspections and surveys | Yes | |||
| Premiums | Yes | |||
| Transfer of rights and duties | Yes | |||
| Subrogation | Yes | |||
| Bankruptcy | Yes | |||
| Representations | Yes | |||
| Changes in exposures | Yes | |||
| Other insurance | Yes | |||
| Legal action against insurer | Yes | |||
| Separation of insureds | Yes | |||
| Duties in event of claim or loss | Yes | |||
| Valuation settlement | Yes | |||
| Extended period to discover loss | Yes | |||
| Extended reporting periods | Yes | |||
| Confidentiality | Yes | |||
| Territory | Yes | |||
| Policy bridge – discovery replacing sustained | Yes | |||
| DEFINITIONS | COMPANY A | COMPANY B | COMPANY C | |
| Application | Yes | |||
| Business income | Yes | |||
| Claim | Yes | |||
| Computer program | Yes | |||
| Computer system | Yes | |||
| Cyber incident | Yes | |||
| Defense expenses | Yes | |||
| Discover | Yes | |||
| E-commerce | Yes | |||
| Electronic data | Yes | |||
| Employee | Yes | |||
| Extortion expenses | Yes | |||
| Extortion threat | Yes | |||
| Extra expense | Yes | |||
| Hacker | Yes | |||
| Informant | Yes | |||
| Insured | Yes | |||
| Interrelated wrong acts | Yes | |||
| Interruption | Yes | |||
| Loss | Yes | |||
| Named insured | Yes | |||
| Negative publicity | Yes | |||
| Personal information | Yes | |||
| Pollutants | Yes | |||
| Privacy regulations | Yes | |||
| Public relations expense | Yes | |||
| Ransomware | Yes | |||
| Regulatory proceeding | Yes | |||
| Security breach | Yes | |||
| Security breach expenses | Yes | |||
| Subsidiary | Yes | |||
| Suit | Yes | |||
| Third party | Yes | |||
| Virus | Yes | |||
| Wrongful act | Yes | |||
| ENDORSEMENTS | COMPANY A | COMPANY B | COMPANY C | |
The positive approach
Approaching a customer about purchasing cyber insurance can be difficult but explaining to him or her after a loss that coverage could have been purchased but you had never offered it will be even more difficult.
Here is a letter you might use as a way to start the conversation.
Dear [Name]:
Business owners face increasingly serious information technology challenges. Regardless of business size, most companies report that they suffer at least one significant data breach yearly. They also share that they have been victimized by computer-related vandalism (including denial of service attacks where operations are jammed). Further, these problems tend to trigger significant financial losses.
Most security breaches have involved attempts by criminals to acquire sensitive company information, usually concerning customers or clients. Businesses and entities that are popular targets include those like you in [insert business type].
We represent several fine insurance companies that offer specific Cyber Liability Insurance coverage because traditional property and liability coverage forms do not meaningfully address cyber risks. Cyber liability risk is complex and is also dynamic. Businesses must include the need to address such risks in their regular planning.
Please contact our office at your convenience to arrange for this valuable protection. We are also happy to answer any questions you may have …just call or e-mail.
Sincerely,
