Why cyber insurance should be in the comprehensive insurance portfolio

The Eastern District of Pennsylvania recently provided another reminder of why cyber insurance must be part of any comprehensive insurance portfolio. In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded it of more than $1 million.

Construction Financial Management Services, which goes by CFAS, disburses funds to contractors. One of its clients, SWF Constructors, was hacked, and a bad actor posing as the client asked CFAS to distribute $600,000 to a fake third party. John Follmer, a CFAS executive and the only person authorized to approve the distribution of funds, approved it. The next day, the bad actor, again posing as the client, asked Follmer to wire an additional $700,000. Follmer also approved that distribution.

Although Follmer approved both distributions, he did not follow the proper protocol for doing so. The third party was not included in the approved budget; CFAS never received a copy of an agreement between the client and the third party; CFAS never received a disbursement receipt for the payment; CFAS never received a waiver from the client; and CFAS never received the additional information it needed to account for the disbursement. Still, Follmer approved the payment.

After the fraud was discovered, CFAS tried to recover the funds it had been tricked into disbursing, but it was too late. It recovered only $120,000 of the $1,300,000 it lost.

CFAS filed a claim under its errors and omissions policy, presumably because it did not have separate cyber coverage. Some non-cyber policies include “silent cyber coverage,” which is coverage that is not primarily intended to cover cyber losses but nonetheless applies to cyber-related losses because the insurance agreements are written in general terms. Federal, CFAS’s insurer, tried to exclude that kind of silent cyber coverage by including an unauthorized access exclusion in its policy. That exclusion bars claims “based on, arising out of, or in consequence of any unauthorized or exceeded authorized access, use, or alteration of any computer program, software, computer, or computer system.”

CFAS, in an apparent attempt to avoid that exclusion, did not make a claim of silent cyber coverage; in fact, it did not attempt to claim losses based on the bad actor’s actions at all. Instead, CFAS claimed that its losses were covered because Follmer had been negligent in making the disbursements without collecting all the necessary information. Although creative, that argument ultimately failed.

The court ruled that CFAS could not escape the broad language of the exclusion, which eliminates coverage for all losses “as a result of any . . . unauthorized access to . . . computers,” by recharacterizing the loss as the result of negligence. Under controlling North Carolina law, as long as the loss “continues to result from” unauthorized access by the wrongdoer, it was “consequent on” unauthorized access and therefore excluded.

Construction Financial Management Services serves as a reminder to policyholders to ensure they have adequate and comprehensive insurance coverage for all reasonably anticipated risks of loss. In today’s technology-dependent society, that must include robust cyber protection. While some policies have traditionally provided “silent cyber coverage,” new and broad exclusions are being introduced to reduce such coverage, making it even more important for companies to ensure their insurance portfolio specifically targets cyber risks.

Copyright © 2022, Hunton Andrews Kurth LLP. All rights reserved. National Law Review, Volume XII, Number 186