In today’s business world, our use of technology is constant. Technology helps us run our businesses more effectively—from collaborating with teams and enhancing customer relationships to simplifying decisions and streamlining processes—and the list of improvements is extensive. And while technology has changed the way we do business for the better, it has also presented some challenges along the way.
Cyber criminals have been aggressively taking advantage of businesses that are not properly prepared to defend against malicious cyber attacks. This year alone, phishing attempts have increased by 600% and ransomware attacks are up 148%, as 80% of businesses have seen an increase in cyber attacks. Unfortunately, hackers have shown no signs of slowing down. Instead, they are finding (or even inventing) new ways to take advantage of vulnerabilities in your network.
It’s no wonder the Cyber Liability Insurance market is growing so quickly. Given today’s relentless threat landscape and the increased likelihood your business will experience a cyber incident, businesses want more protection and support in responding to a breach.
Or at least that is what a business purchasing Cyber Liability Insurance would like to believe. But what happens if you have Cyber Liability Insurance and your policy doesn’t cover you due to an exception in the fine print?
The National Bank of Blacksburg, Virginia learned this lesson the hard way after suffering two data breaches, first in May of 2016 and then again in January of 2017.
Here’s Their Story
National Bank's breach started when an employee of the bank was targeted by a phishing email. This ultimately resulted in cyber criminals installing malware on the employee's computer and on a second computer, from which hackers were able to gain entry to the STAR Network—a system used by the bank to manage debit card transactions for customers.
With access to the STAR Network, hackers were able to disarm protections that would normally prevent fraud or theft like PIN numbers, withdrawal amounts, debit card usage limits, and fraud score protections. This allowed hackers to steal from customer accounts by using hundreds of ATMs scattered throughout North America, totalling $569,000 in stolen funds.
And then, despite implementing new and improved security protocols, National Bank was breached for a second time just 8 months later, again by a phishing email. Similar to the first breach, hackers gained access to the STAR Network, only this time they were also able to access Navigator—software used by the bank to supervise credits and debits to customer accounts.
With access to Navigator, hackers had the ability to credit 2 million dollars to several of the bank’s customer accounts. Then, once again, they were able to lift fraud and theft protections, withdrawing more than $1.8 million from various ATMs while carefully deleting all evidence from customer account records.
Between the two incidents, losses reached $2.4 million.
Surely, at some point during this nightmare scenario, National Bank must have let out a sigh of relief, knowing that they had invested in Cyber Liability Insurance for situations just like this. Imagine the shock when their insurer, Everest National Insurance Company, denied the bank’s full claim due to a rider exclusion, offering only $50,000 in coverage.
During the determination of coverage, Everest National Insurance Company stated that the breaches in 2016 and 2017 were most likely connected to the same Russian cyber criminal group and for this reason the two incidents would be evaluated as a singular breach.
National Bank’s policy had two riders that would protect their business against losses from cyber attacks—a computer and electronic crime rider with a coverage limit of $8 million and a debit card rider with a much lower coverage limit of $50,000.
Despite the two incidents appearing to be classic examples of computer and electronic crimes, Everest National Insurance Company pointed to two exclusion clauses that would cause them to deny payout for the $8 million computer and electronic crime rider. The first exclusion stated it would not cover loss that resulted from the use of credit, debit or similar cards to gain credit, funds, or access to automated mechanical devices that dispense money, like ATMs. The second exclusion would not cover loss that involved automated mechanical devices that dispense money (ATMs).
As a result, Everest National Insurance Company determined that the losses incurred by National Bank were covered exclusively under the debit card rider and eligible for $50,000 in coverage—a mere 2% of the bank’s total losses.
This unfortunate turn of events led National Bank to file a lawsuit against Everest National Insurance Company for breach of contract, requesting relief for all damages caused by both the 2016 and 2017 incidents. The lawsuit also went on to describe how unclear and difficult to understand Cyber Liability Insurance policies can be.
A Few Things To Consider
The National Bank case reveals that your Cyber Liability Insurance policy may not cover your business the way you understood it to. While insurers are in no way the “bad guys,” businesses should be aware of a few things...
1. While the cyber liability insurance industry is still relatively new, its policies and their interpretation are not consistent across all insurance companies—relationship status: it’s complicated.
2. Many insurance companies are uncertain whether they have accurate models to properly predict cyber attacks and fear they may pay out too much on claims—here come the exclusions.
3. It has become increasingly common to have incidents that overlap between cyber liability insurance and other types of insurance, blurring the lines of what is actually covered—wait, can you repeat that?
It’s not a matter of “if” disaster strikes, but “when.” And when it does, the last thing you need to learn is that your Cyber Liability Insurance policy won’t protect you due to coverage exceptions in the fine print. Due to how new and often complex Cyber Liability Insurance policies have proven to be, it can feel like the Wild West. At One Step Secure IT, we recommend getting an expert involved to make sense of legal jargon that is meant to minimize payouts and to help you choose a policy that is favorable for the insured.