Texas Court Backs Phishing Attack Insurance Claim

Are insurance companies bound to pay claims for phishing attacks resulting in third-party losses?

RealPage, a Texas-based company, operated a rent-servicing portal whereby renters could pay their rent and landlords could get paid (minus, of course, a servicing fee to RealPage). In May 2018, RealPage fell victim to a spear-phishing attack, during which the hackers were able to obtain and alter the credentials of a RealPage employee and redirect about $10 million the company had collected from renters and owed to landlords to their own accounts. $6 million was eventually recovered, and RealPage filed an insurance claim for the lost funds against a commercial crime policy it had purchased two months earlier.

The policy purported to cover RealPage’s losses “resulting directly from the use of any computer to fraudulently cause a transfer” from within RealPage or its bank to a place outside RealPage or its bank. The policy also covered any loss “resulting directly from a ‘fraudulent instruction’ directing a financial institution to transfer, pay or deliver ‘funds’ from” RealPage’s accounts. The policy also covered any losses “resulting directly from ‘theft’ (including forgery) committed by an ‘employee,’ whether identified or not, acting alone or in collusion with other persons.”

If you know anything about insurance companies, it should not surprise you that the insurance company refused to pay, and RealPage sued. RealPage v. National Union Fire Insurance Co. of Pittsburgh & Beasley Insurance, Civil Action No. 3:19-CV-1350-B (N.D. Tex., April 1, 2020).

On April 1, a federal court in Dallas denied the insurance company’s motion to dismiss the lawsuit. In particular, the court rejected the insurance company’s claim that the insurance policy ONLY acted as a “bond[s] to indemnify [RealPage] for loss due to embezzlement, larceny, or gross negligence by an employee or other person holding a position of trust.” Since the employee did nothing illegal or grossly negligent, and the losses were due to the actions of hackers, the insurer claimed that the policy did not cover the losses. Even though the policy acted as a “fidelity bond”—covering certain losses resulting from the acts of trusted employees, that was not the ONLY coverage in the policy. The policy, by its own terms, also covered ANY losses resulting from funds transfer as a result of fraudulent transfer instructions—exactly the kind of thing that occurs in a spear-phishing attack.

The case illustrates a frequent problem when it comes to “cyber” insurance, which is that there is no such thing as “cyber” insurance. That’s because “cyber” isn’t a “thing.” Or, more accurately, “cyber” is many things. When companies purchase insurance that includes coverage for losses that may occur as a result of events involving computers, the internet and computer technology, they have to understand in advance the nature of the potential losses that could occur and whether their “cyber” or other policies will, in fact, cover their actual losses. For example, in the RealPage case, the insurer claimed that the company itself suffered no first-party losses, since none of the funds “stolen” were RealPage’s funds (their commissions) but rather were those of its customers—each of whom may have had their own cyber policies. Was this a “first party” claim of loss by RealPage or a “third party” claim of loss by its customers—and if so, did the policy cover it? If the RealPage employee whose credentials were stolen by the phishing attack violated company policies—particularly security policies (which often happens in a phishing attack)—was the “loss” caused by criminal actions of the hacker or gross negligence by the employee? Are the costs of investigating the attack, forensics and law enforcement coordination, as well as attempts to recover lost funds and notification to affected entities, covered under a policy that protects against losses from fraudulent wire transfers, or are the costs of the wire transfers alone covered?

There are people who are experts in insurance policies—what they say, what they mean and what they exclude. They are also experts in how the courts have interpreted specific language in policies. But when it comes to “cyber”-related losses, these experts need help. They need to have a dialogue with the CIO and the CISO, as well as with knowledgeable outside consultants, to understand the peculiar nature of cyber-related attacks. How does a phishing attack typically work? What does ransomware do? How are DDoS attacks perpetrated? How do revenge porn or doxxing attacks use stolen data to create losses? What kinds of sensitive information flow through a system? Who is responsible for its protection, and what is the role of third parties? What coverages do these third parties have (and what are you requiring of them)? Technical experts may be necessary to understand the difference between data that is “deleted,” “lost,” “inaccessible” or simply difficult to retrieve, for the purposes of insurance that covers data “loss.”

These coverages are made more complicated by the patchwork quilt of policies companies have. If a factory floor is shut down because of flooding, a commercial general liability (CGL) policy may cover it. If the flooding is caused by a hack of a SCADA system, however, then maybe not. If the SCADA hack is caused by employee negligence or crime, that’s another policy. If the stock price drops because of the factory shutdown, that’s maybe another policy altogether. And, if stockholders sue because the stock price drops—you guessed it—that’s yet another policy. So, while YOU think you have coverage, your insurance company may disagree—at least, if you file a claim.

We will continue to see these battles fought out in the courts. But if you have insurance, it’s better to know what’s covered before you file a claim—and before you have to sue. And that means getting your cyber people involved in reading the policies and running scenarios. Now. More than ever.

Security Boulevard

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
