In 2016, "cyber" gained prominence in the minds of organizations, and with good reason. "Hacking" made the headlines not only because of allegations that hackers were interfering with the U.S. presidential election, but also because of their targeting of power utilities in Ontario and Vermont, to name a few.

In an age of manipulative forms of cybersecurity breaches, insurance coverage is important. However, there is sometimes a disconnect between the type of coverage the buyer thinks he or she is getting and what the policy actually covers.

This was a particularly important focus in Apache Corp. v. Great American Insurance Company (Apache), where the U.S. Court of Appeals for the Fifth Circuit adopted a narrow interpretation of a crime insurance policy, finding that it did not cover a loss resulting from a fraudulent e-mail directing funds to be sent electronically to the imposter's bank account because the scheme did not constitute "computer fraud" under the policy.

While the decision is one of a U.S. court, it is a useful reminder to Canadian organizations that are either purchasing cyber insurance coverage or relying on their existing insurance policy to cover losses flowing from a potential cybersecurity incident.

The background is as follows: An employee at Apache received a telephone call in 2013 from an individual identifying herself as a representative of Petrofac, a recognized vendor of Apache. The caller instructed Apache to change the bank account information for its payments to Petrofac. The Apache employee replied that the change request could not be processed without a formal request on Petrofac letterhead.

A week later, Apache's accounts payable department received an e-mail from a "petrofacltd.com" address advising that Petrofac's bank information had been changed and attaching a fraudulent letter on Petrofac letterhead providing that this "new" bank information was to take "immediate effect." The Apache employee concluded that the change request was authentic, and a formal approval and change followed.

Shortly thereafter, Apache transferred funds to this "new" bank account, and was later notified that Petrofac had not received payments totalling approximately $7 million. While Apache was able to recover a portion of the payments from its deductible, it also sought to recover the balance from its insurer.

While Apache was insured under a crime protection insurance policy issued by Great American Insurance Corporation (GAIC), its claim under the policy's computer fraud coverage was denied. GAIC claimed that the loss did not directly result from the use of a computer nor did the use of a computer cause the transfer of the funds.

The Fifth Circuit reversed the district court's finding made in favor of Apache. It found that the loss was not the result of a "direct" use of a computer so as to be covered under the "computer fraud" provision. The e-mail was merely incidental to the authorized transfer of money and was one step in the multi-step scheme leading to the transfer of funds to the fraudulent account.

The court also recognized that electronic communications are ubiquitous and that, as a result, it is difficult to envision a fraudulent scheme that would not involve some form of computer facilitated communication (i.e., e-mails). However, it found that to interpret the computer fraud provision as reaching any fraudulent scheme in which an e-mail communication was part of the process would convert the computer fraud provision to one for general fraud.

This case highlights the importance of ensuring that an organization's insurance policy covers all possible contingencies arising from a cyber incident. In Apache, the U.S. court adopted a narrow judicial interpretation of crime policy "computer fraud" provisions, which effectively constrains the computer fraud coverage to "hacking" type events. From a Canadian perspective, the concern is whether our courts and insurance companies would similarly interpret "computer fraud" provisions of insurance policies if faced with facts similar to those in Apache.

Cybersecurity threats are increasingly sophisticated and inventive. Rather than "hacking" computers in a traditional sense, hackers will often attempt to exploit individuals to obtain compromising information. Organized crime has adopted sophisticated methods, targeting and tools. In Apache, the court recognized the ubiquitous nature of electronic communications, but declined to extend insurance coverage.

Given the novelty of cybersecurity incidents and the continuing development of the Canadian cybersecurity space, organizations should carefully review their existing insurance to assess the adequacy of their coverage. In this regard, organizations are increasingly conducting internal cyber risk assessments (this includes third party experts conducting threat risk assessment, penetration testing, senior executive tabletop exercises, etc.). This exercise serves to inform the adequacy of their existing insurance coverage vis-à-vis the actual risks the organization faces at an operational level.

Originally published in The Lawyers Weekly, March 24, 2017
