AIG Case Highlights Complexities of Covering Cyber-Related Losses

There is a growing precedent within the global insurance industry for insurers to back away from covering cyber-related incidents, usually in the face of potentially massive losses. The latest insurer to contest what type of cyber-related losses its policies oblige it to cover is insurance giant AIG, which is fighting a breach-of-contract lawsuit filed in August in the U.S. District Court for the Southern District of New York. The company says the insurance plan in question does not cover “criminal acts,” which is how it characterizes a cyber incident involving nearly $6 million in losses at multi-billion-dollar financial technology company SS&C Technologies. As a result, the insurance giant wants the lawsuit tossed.

When is a cyber incident not really a cyber incident?

In many ways, the case involving SS&C Technologies and AIG should be black and white, not gray. Getting scammed by spoof emails should be a cyber incident that is covered by insurance, right? In 2016, SS&C Technologies was involved in a major cyber incident in which Chinese hackers managed to dupe the company out of $5.9 million. Spoof emails purporting to come from one of the company’s clients – Tillage Commodities Fund – instructed the company to make six wire transfers to an unknown bank account holder in Hong Kong. This is the classic business email compromise (BEC) scam, in which a third-party hacker poses as someone else via email so that funds are moved into the hacker’s bank account. So, in theory, this is exactly the type of incident that should have been covered by a standard cyber coverage policy.

But there’s just one little problem here – AIG says it never sold the company a “cyber insurance” policy. According to the 81-page motion to dismiss the case filed in New York, AIG says that it insured SS&C under a “specialty risk protector policy of insurance.” And written right there in the middle of the policy was a clause that AIG did not agree to provide indemnity coverage for losses arising from “dishonest, fraudulent or criminal acts.” AIG agreed to pay the defense costs for those cases, but not the actual losses.

Importantly, SS&C Technologies has already acknowledged that the funds were “stolen” and not “lost.” From a legal perspective, that transformed the cyber incident into a criminal act. In short, says AIG, Chinese criminals stole the $5.9 million from a client account; therefore the insurance policy did not apply, and SS&C has no right to demand payment for the claim. Thus, as AIG eventually told the U.S. District Court for the Southern District of New York, it should not be found liable for “breach of contract.” An event involving Chinese criminals was never part of the original policy.

Indeed, AIG has been making legal defense payments as part of its insurance policy, which covered losses up to $10 million. Ever since Tillage Commodities Fund took legal action against SS&C to recover its funds (which were wired to a hacker’s account in Hong Kong), AIG has been paying for legal costs, including a discretionary and confidential payment between SS&C and Tillage. However, as AIG saw it, asking the insurance company to go the next step and pay for the full amount of the losses was simply too much. That led to AIG filing a motion in court to dismiss the case: the company says there is no breach of contract for failing to cover losses.


The problem of lax cybersecurity defenses

As more details of the case emerge, it’s clear that SS&C Technologies failed to have even the most basic cybersecurity defenses in place. For example, one request from the hackers to wire $3 million into a Hong Kong bank account consisted of nothing more than a brief introduction (“How was your weekend?”) followed by details of where to wire the money. Other emails came from a clearly spoofed email address, with the name of the client misspelled as “Tilllage” instead of “Tillage.” Still others were full of awkward syntax, grammatical errors, and nonsensical sentence construction. In short, it was the sort of shoddy, second-rate phishing email that is all too common these days. Surely anyone with a modicum of common sense would have seen through this scam, right?

And, making things even more damaging (at least from the perspective of AIG), SS&C failed to comply with its own internal policy, which clearly stated that any bank wire transfer needed to be authorized by four different people. This is exactly the sort of basic control that could have prevented the fraudulent transaction from taking place – at some point, wouldn’t a senior executive or top manager see through these obvious cyber shenanigans and stop the wire transfer? Thus, from the perspective of AIG, SS&C Technologies failed to exercise even a modicum of care and responsibility. How could SS&C Technologies even argue that the funds were “lost” and not “stolen”?
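As an added illustration (not code from the article, SS&C or AIG), here are the two controls the article says were missing, written as a Python review step for incoming wire instructions: a lookalike-domain check that catches the “Tilllage” misspelling described above, and enforcement of the four-approver rule. The client domain, sender addresses and approver names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed for this example: the client domains the firm really corresponds with.
TRUSTED_CLIENT_DOMAINS = {"tillage.example"}
REQUIRED_APPROVERS = 4  # the four-person wire rule the article says SS&C's own policy set


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (textbook dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_risk(sender: str) -> str:
    """Classify the sender's domain as 'trusted', 'lookalike' or 'unknown'.

    A lookalike is within two edits of a trusted domain ("tilllage" vs "tillage").
    An exact match is not proof of authenticity: SPF/DKIM/DMARC checks on the
    message headers still have to happen upstream of this function.
    """
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_CLIENT_DOMAINS:
        return "trusted"
    if any(levenshtein(domain, t) <= 2 for t in TRUSTED_CLIENT_DOMAINS):
        return "lookalike"
    return "unknown"


@dataclass
class WireRequest:
    sender: str                                   # From: address on the instruction email
    amount_usd: float
    approvers: set = field(default_factory=set)   # distinct staff who have signed off


def review_wire_request(req: WireRequest) -> list[str]:
    """Return the reasons this transfer must be held; an empty list means it may proceed."""
    holds = []
    risk = sender_domain_risk(req.sender)
    if risk != "trusted":
        holds.append(f"sender domain is {risk}")
    if len(req.approvers) < REQUIRED_APPROVERS:
        holds.append(f"{len(req.approvers)} of {REQUIRED_APPROVERS} required approvers")
    return holds
```

Either hold reason alone is enough to stop the transfer, which is the point of layering a header check with a people check: the first catches the spoofed address, the second catches a convincing one.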

Cyber coverage companies look for new ways to avoid paying claims

While AIG’s position certainly has some legitimacy, it’s also part of a more disturbing trend in which major insurers sell expensive policies to multinational companies that claim to provide cyber coverage, but with no intention of ever paying out if something really bad happens in a cyber event. Sure, a cyber coverage policy might cover a minor business continuity issue if computer systems go down due to a digital glitch, but if millions of dollars are at stake, you can rest assured that the legal definition of every word in the insurance contract will be carefully scrutinized to see if there might be some way to avoid paying the claim.

Case in point: Zurich Insurance has been embroiled in a massive legal dispute with Mondelez International, which was knocked offline as a victim of NotPetya ransomware. Mondelez argues that this was exactly the sort of business continuity cyber event that was originally envisioned as being covered by its property insurance policy. The company wanted a safety net in the event that a virus, bug or piece of malicious code ever took it offline. Not so fast, said Zurich, which claims that the NotPetya cyber attack should be treated as an “act of war” because it was originally designed by Russian attackers to take down the Ukrainian power grid. And, as you might have guessed by now, the Zurich policy didn’t cover “acts of war” – just like the AIG insurance policy didn’t cover “criminal acts.”


Is cyber coverage really worth it?

All of this raises a fundamental question: Is cyber coverage really worth it? If any major cyber claim is going to be denied under some legal pretext, that seriously weakens the case for paying for the coverage in the first place. Moreover, as the example of SS&C Technologies shows, putting in place an insurance policy designed to safeguard against some cyber risks actually introduced a potential element of “moral hazard.” Instead of beefing up its cyber defenses, training its employees to recognize phishing scams, and installing anti-malware software, SS&C Technologies simply coasted on the idea that anything bad that happened would be covered by insurance.

Going forward, it will be interesting to see what happens in the global cyber insurance market. At some point, there will need to be some sort of standardized definition of how to classify each type of cyber incident, and under what conditions a cyber coverage policy is valid. Until that happens, it looks like insurance companies will continue to wiggle out of their obligations – or, at least, strenuously object to any efforts by companies to recoup their cyber losses.


UPDATE: This article has been updated to clarify that AIG sold a “specialty risk protector policy of insurance” rather than a “cyber insurance” policy to SS&C Technologies. Details of the policy have been updated to reflect that AIG did not sell “cyber coverage” to SS&C. The article also has been updated to reflect that Mondelez purchased a property insurance rather than cyber insurance policy.



Senior Correspondent at CPO Magazine

Comments

mike.c.cavanaugh (Member)

Mondelez did not have a Cyber policy in place. They are making the claim under their Zurich Property policy. Would you expect your homeowner’s insurance policy to cover damage to your car from a fender bender? This is well documented and has been for several months. Please do the research. That is not to say that there are no issues with the current cyber insurance market. AIG is clearly paying a significant amount of money for the claim, with 10M spent so far on response and cyber-related losses. The limited information we are receiving at the moment does not confirm…

TomRicketts (Member)

This dispute/litigation is not about a Cyber Policy. The dispute between SS&C and AIG is over a Professional Liability policy (SS&C Technologies Holdings Inc. v. AIG Specialty Insurance Co., case number 19-cv-7859, U.S. District Court for the Southern District of New York). So this article is 2 for 2 in questioning the value of cyber insurance using as examples litigation over policies that are not cyber insurance policies. A claim of this nature would not, in any event, be covered by most cyber policies, based on the fact that there was no compromise of systems or confidential data (receipt of…

TomRicketts (Member)

So the article has been updated to address some of the most blatantly incorrect information, but it is still perpetuating a very misleading impression of what Cyber Insurance does and should do, and of the performance of cyber insurance as a product. In the first place, the opening statement of this article, “There is a growing precedent within the global insurance industry for insurers to back away from covering cyber-related incidents,” is contradicted by statistics such as those of the Association of British Insurers, who recently stated that Cyber insurance has the highest payout rate of ANY type of insurance at over 99%. “ABI…
