Daniel R. Stoller at Bloomberg Law had an excellent observation about the risks of phishing related to general crime policies.
Here is a short excerpt and the whole article is warmly recommended: "The Travelers Cos. will argue May 2 that cash payments made in connection with a phishing attack aren’t covered [emphasis added] under a general crime insurance policy.
"The litigation before the U.S. Appeals Court for the Sixth Circuit highlights issues facing companies that seek to use broad insurance policies to regain losses after a phishing scheme—a cyberattack where hackers use email credentials to trick others into sending sensitive information or cash payments.
Half of “crime fraud insurance plans include coverage on phishing attacks that lead to wire fraud,” but the other half do not, leaving companies to seek out specific cybersecurity plans, David Zetoony, data privacy and security partner at Bryan Cave Leighton Paisner LLP in Boulder, Colo., told Bloomberg Law.
Reliable insurance brokers will verify that either a cyber or crime policy covers phishing attacks, but others may not see that there is “an exclusion for wire-fraud related cyberattacks,” he said.
The case of Travelers denying American Tooling Center Inc.’s request for coverage under a general crime policy highlights the challenges faced by business that want to obtain comprehensive cybersecurity coverage.
American Tooling Center had $834,107 in payments intended for its Chinese vendor routed to cybercriminals posting as a third party and sued Travelers to recover the wire payments. Travelers denied the claim, saying that the losses were “not directly caused by the use of a computer to fraudulently cause a transfer of money,” according to ATC’s August 2017 brief.
“Few off-the-shelf crime polices provide cyber coverage or coverage for phishing attacks unless the insured has specifically requested it,” Thomas Bentz, cybersecurity and insurance partner at Holland & Knight LLP in Washington, told Bloomberg Law. Even in those situations, there are “sub-limits of coverage” that usually range from $250,000 to $500,000, he said.
Insurers, meanwhile, are trying to to clarify coverage terms by explicitly excluding cybersecurity incidents in their general policies, attorneys said.
Check Your Policy
"Although obtaining a thorough social engineering, or phishing, attack plan could help a company avoid litigation over coverage, they may not have ample opportunity to get one, Antoinette Banks, senior vice president and claims attorney at Aon Risk Solutions in San Francisco, told Bloomberg Law. Phishing coverage is relatively new, and the cyber insurance industry is still growing, she said."
You should have a detailed conversation with your insurer about what your organization wants to protect. Please read the full article here, and I recommend you share this with your CEO, Chief Risk Officer and/or your Legal team: