There is a growing precedent within the global insurance industry for insurers to back away from covering cyber-related incidents, usually in the face of potentially massive losses. The latest insurance company to dispute what type of cyber-related losses it must cover as part of its policies is insurance giant AIG, which is disputing a breach of contract lawsuit filed in August in a U.S. District Court in the Southern District of New York. The company says the insurance plan in question does not cover “criminal acts,” which is the way that it is characterizing a cyber incident involving nearly $6 million in losses at multi-billion-dollar financial technology company SS&C Technologies. As a result, the insurance giant wants the lawsuit tossed.
When is a cyber incident not really a cyber incident?
In many ways, the case involving SS&C Technologies and AIG should be black and white, and not gray. Getting scammed by spoof emails should be a cyber incident that is covered by insurance, right? In 2016, SS&C Technologies was involved in a major cyber incident in which Chinese hackers managed to dupe the company out of $5.9 million. Spoof emails purporting to come from one of the company’s clients – Tillage Commodities Fund – instructed the company to make six wire transfers to an unknown bank account holder in Hong Kong. This is the classic type of business email compromise (BEC) scam, in which a third party hacker poses as someone else via email in order to ensure that funds move into the hacker’s bank account. So, theoretically, this is exactly the type of incident that should have been covered by a standard cyber coverage policy.
But there’s just one little problem here – AIG says it never sold the company a “cyber insurance” policy. According to the 81-page motion to dismiss the case filed in New York, AIG says that it insured SS&C under a “specialty risk protector policy of insurance.” And written right there in the middle of the policy was a clause that AIG did not agree to provide indemnity coverage for losses arising from “dishonest, fraudulent or criminal acts.” AIG agreed to pay the defense costs for those cases, but not the actual losses.
Importantly, SS&C Technologies has already acknowledged that the funds were “stolen” and not “lost.” From a legal perspective, that transformed the cyber incident into a criminal act. In short, says AIG, Chinese criminals stole the $5.9 million from a client account, and therefore, the insurance policy did not apply, and SS&C has no right to demand payment for the claim. Thus, as AIG eventually told a U.S. District Court in the Southern District of New York, it should not be found guilty of “breach of contract.” An event involving Chinese criminals was never part of the original policy.
Indeed, AIG has been making legal defense payments as part of its insurance policy, which covered losses up to $10 million. Ever since Tillage Commodities Fund took legal action against SS&C to recover its funds (which were wired to a hacker’s account in Hong Kong), AIG has been paying for legal costs, including a discretionary and confidential payment between SS&C and Tillage. However, as AIG saw it, asking the insurance company to go the next step and pay for the full amount of the losses was simply too much. That led to AIG filing a motion in court to dismiss the case: the company says there is no breach of contract for failing to cover losses.
The problem of lax cybersecurity defenses
As more details of the case emerge, it’s clear that SS&C Technologies failed to have even the most basic form of cybersecurity defenses in place. For example, one request from the hackers to wire $3 million into a Hong Kong bank account simply included a brief introduction (“How was your weekend?”), followed by details of where to wire the money. Other emails appeared to be coming from a clearly spoofed email address, with the name of the client misspelled as “Tilllage” instead of “Tillage.” Other emails included awkward syntax, grammatical errors, and nonsensical sentence construction. In short, it was the sort of shoddy, second-rate phishing email that is all too common these days. Surely, anyone with a modicum of common sense would have seen through this scam, right?
And, to make things even more damaging (at least, from the perspective of AIG), there was the fact that SS&C failed to comply with its own internal policy, which clearly stated that any wire bank transfer needed to be authorized by four different people. This is exactly the sort of basic cyber defense that could have prevented the fraudulent transaction from taking place – at some point, wouldn’t a senior executive or top manager see through these obvious cyber shenanigans and stop the wire transfer from taking place? Thus, from the perspective of AIG, SS&C Technologies failed to exercise even a modicum of care and responsibility. How could SS&C Technologies even argue that the funds were “lost” and not “stolen”?
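The two controls described above (catching a lookalike sender domain such as “Tilllage” for “Tillage”, and refusing to release a wire unless four distinct people have approved it) can be expressed as a simple pre-release check. This is an added illustration, not code from the article or from either company; the domains, approver names and amounts are constructed, and the real client domain is assumed to be tillage.example.

```python
from email.utils import parseaddr

# Constructed: the genuine client domain is assumed to be tillage.example;
# "tilllage.example" mirrors the misspelling quoted in the article.
KNOWN_CLIENT_DOMAINS = {"tillage.example"}
REQUIRED_APPROVERS = 4  # SS&C's stated four-person wire authorization rule


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small but nonzero distance flags a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of the From: header, lower-cased; empty if unparsable."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str) -> str:
    """Return 'known', 'lookalike' (within 2 edits of a client domain) or 'unknown'."""
    dom = sender_domain(from_header)
    if dom in KNOWN_CLIENT_DOMAINS:
        return "known"
    if any(0 < levenshtein(dom, k) <= 2 for k in KNOWN_CLIENT_DOMAINS):
        return "lookalike"
    return "unknown"


def wire_release_allowed(request: dict) -> bool:
    """Release only if four *distinct* approvers signed and the instructing
    sender is a known client domain (a lookalike or unknown domain blocks it)."""
    approvers = set(request.get("approvers", []))  # set() defeats a repeated name
    return (len(approvers) >= REQUIRED_APPROVERS
            and classify_sender(request["from"]) == "known")


# Constructed sample instructions: a spoofed one and a genuine one
SPOOFED = {"from": "Tillage Ops <ops@tilllage.example>",
           "amount_usd": 3_000_000, "approvers": ["alice"]}
GENUINE = {"from": "Tillage Ops <ops@tillage.example>",
           "amount_usd": 250_000, "approvers": ["alice", "bob", "carol", "dave"]}
```

Sender classification catches the domain misspelling the article quotes; the approver count is checked on distinct names so one person approving four times does not satisfy the rule.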
Cyber coverage companies look for new ways to avoid paying claims
While AIG’s position certainly has some legitimate basis, it’s also part of a more disturbing trend in which major insurers sell expensive insurance policies to multinational companies that claim to provide cyber coverage, but with no intention of ever paying when something really bad happens in a cyber event. Sure, a cyber coverage policy might cover a minor business continuity issue if computer systems go down due to a digital glitch, but if millions of dollars are at stake, you can rest assured that the legal definition of every word in an insurance contract will be carefully scrutinized, to see if there might be some way to avoid paying a claim.
Case in point: Zurich Insurance has been embroiled in a massive legal scandal with Mondelez International, in which the company was thrown offline as a victim of NotPetya ransomware. Mondelez argues that this was exactly the sort of business continuity cyber event that was originally envisioned as being covered by its property insurance policy. The company wanted a safety net in the event that a virus, bug or bit of malicious code ever took the company offline. Not so fast, said Zurich, which claims that the NotPetya cyber attack should be treated as an “act of war” because it was originally designed by Russian attackers to take down the Ukrainian power grid. And, as you might have guessed by now, the Zurich cyber coverage policy didn’t cover “acts of war” – just like the AIG insurance policy didn’t cover “criminal acts.”
All of this raises a fundamental question: Is cyber coverage really worth it? If any major cyber claim is going to be denied under some legal pretext, then it really weakens the case for paying for the cyber coverage in the first place. Moreover, as we can see in the example of SS&C Technologies, putting an insurance policy in place designed to safeguard against some cyber risks actually introduced a potential element of “moral hazard.” Instead of beefing up its cyber defenses, training its employees how to recognize phishing scams, and installing anti-malware software, SS&C Technologies simply coasted on the idea that anything bad that happened would be covered by insurance.
Going forward, it will be interesting to see what happens in the global cyber insurance market. At some point, there will need to be some sort of standardized definition of how to classify each type of cyber incident, and under what conditions a cyber coverage policy is valid. Until that happens, it looks like insurance companies will continue to wiggle out of their obligations – or, at least, strenuously object to any efforts by companies to recoup their cyber losses.
UPDATE: This article has been updated to clarify that AIG sold a “specialty risk protector policy of insurance” rather than a “cyber insurance” policy to SS&C Technologies. Details of the policy have been updated to reflect that AIG did not sell “cyber coverage” to SS&C. The article also has been updated to reflect that Mondelez purchased a property insurance rather than cyber insurance policy.