Articles Posted in News and Policy

Increasingly, businesses buy cyberinsurance to protect valuable electronic assets, including computer systems themselves and the data stored within them. These policies, however, are relatively young.  They frequently utilize terminology taken from traditional property/casualty policies, the meanings of which are informed by decades of case law.  These seemingly familiar words, however, are creating novel cyberinsurance issues that may impact the coverage you have, or think you have.

In Nat’l Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., CV SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020), a court addressed a centuries-old concept – physical loss – through the cyberinsurance lens.  After a screen-printing company suffered a ransomware attack, the company had data stolen and computers rendered partially inoperable. The company filed a claim under its cybersecurity policy, which familiarly stated that the carrier “will pay for direct physical loss of or damage to Covered Property…”.

The company obtained cyber coverage through an endorsement.  The Businessowners Special Form Computer Coverage endorsement refined the definition of “Covered Property” to include “Electronic Media and Records (Including Software).” It defined “Electronic Media and Records” to include:

Classic phishing attacks identify an item of information or an opportunity that is appealing to a target audience, and they use that to bait the target into clicking a malicious link or opening a corrupted file. Like a worm to a fish. Hence the term, phishing.

The earliest attacks fed off of a near-universal allure – money. Do as I say, and you will receive hundreds of thousands, or even millions, of dollars. As we wised up, the scams became more tailored. Professionals were hit with new client inquiries. Manufacturers received purportedly important alerts from trade associations. Parents’ inboxes were inundated with phony updates from their children’s schools (yes, this has happened).

There has likely never been a single subject, however, with the same universal appeal as information related to the COVID-19 outbreak. And phishing scammers know it.

Had my mother previewed this post, she would have cautioned me not to give myself a kenahorah (ken-a-ho-rah).  That’s a Yiddish term.  It means doing or saying something to tempt evil, to invite bad things to come your way.  The title of this post, in light of what may or may not be warranted mass hysteria, would seem to flirt with something that, to be on the safe side, should not be flirted with.  Alas, like the names of my children, Bubby does not get a preview of my blogs.  She sees them after they are posted, just like you.  So, at the risk of a kenahorah…

My office is still open.  Will that be the case tomorrow?  Or the next day?  Unclear.  The NBA just suspended the entire season.  Schools are closing.  New Rochelle, New York has created a one-mile quarantine zone.  Anything is possible.  We are officially freaking out.

Many companies are either going remote or are preparing to do so.  But the fortunate employees who can do their jobs from home are more likely than those who cannot to access or process sensitive electronic data.  Think about it.  Many professionals are going this route.  Even manufacturing or other industrial processes that have become largely automated are probably able to control some or all of their operations remotely.  As the volume of remote work increases, so too do the opportunities for cybercrime.  Here are three simple, easily implementable tips to improve security as we all voluntarily quarantine ourselves in what I truly hope will prove to have been an unnecessary panic.  I’m just not sure at this point.  The tips…

In 2018, the FBI’s Internet Crime Complaint Center (IC3) received more than 900 complaints of internet-driven crime every day.  This amounted to over 350,000 complaints involving $2.7 billion in losses.  Business enterprise compromises (BECs) were the most common and the most consequential.

These scams, which involve the use of fraudulent emails instructing recipients to unwittingly wire payments to criminals’ bank accounts, accounted for over 20,000 complaints and a whopping $1.2 billion in losses in 2018.  The Cyber Division of the FBI’s Economic Crimes Unit investigates these complaints with the goal of recovering fraudulently diverted funds.

“Michael” is a retired FBI field agent who had worked in this Unit since its inception.  With his permission, the following is a summary of our recent conversation.

In April 2016, I highlighted insurance issues related to business enterprise compromises, or BECs.  Yesterday, I had the privilege of presenting on the topic to the Central Jersey Chapter of the Institute of Internal Auditors at its Annual Fraud Conference (thanks to Frank Pina at Mercadian for the invite).

Since I last wrote about the subject, the FBI has determined that BECs, also known as CEO fraud, social engineering and spoofing, are among the most costly forms of cyber-crime.  Refresher: the FBI defines a BEC as a “sophisticated scam targeting both businesses and individuals performing wire transfer payments…[that] is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer engineering techniques to conduct unauthorized transfers of funds.”   Common examples of BECs are e-mails that appear to come from a CEO or CFO directing an employee to pay a fake vendor and scammers posing as title insurance representatives sending last-minute changes in wiring instructions to real estate purchasers.

Between 2013 and 2018, BECs accounted for over $12.5 billion in reported losses globally.  I say reported because the FBI’s data set is limited to self-reported information received through its Internet Complaint Center, or IC3.  Many victims of this type of fraud likely do not report it to the FBI for a multitude of reasons.  Of these losses, there have been 41,058 incidents in the United States accounting for nearly $3 billion in losses.  This figure represents more than half of fraud-related losses reported to the FBI during this five-year period.

Cyber this.  Cyber that.  I deal in dirt, and I don’t care.

If there’s a commercial building on top of that dirt, you should.

The “internet of things” refers to the ever-expanding connectivity between our digital and physical worlds.  In our homes, we have smart climate control, security, refrigerators, televisions, vacuum cleaners (yes, vacuum cleaners) and, well, you get it.  We like the comfort and convenience, and the fact that we can control all of it from our phones, which we’re always looking at anyway.

This month, the Department of Justice issued a fairly comprehensive set of pre- and post-incident cybersecurity recommendations.  For all you total geeks, you can get the whole thing here.  For those of you preoccupied with, well, other news, here are some highlights.

Pre-incident, the DOJ recommends having a breach response plan.  We’ve all heard this repeatedly at this point, and many companies and firms still do not have actionable response plans.  Some of the important components of these plans highlighted by the DOJ include: (1) identifying your most vital resources and prioritizing their protection; (2) having a clear internal and external reporting structure that focuses on containing the incident, mitigating its effects and preserving information to later understand the scope and source of the incident; (3) identifying and establishing relationships with applicable law enforcement authorities and regulators who have jurisdiction in your industry or jurisdiction; and (4) finally hammering out appropriate policies and procedures for the use of and access to key information assets, as well as investing in appropriate technical protections.

Post incident, DOJ basically recommends – wait for it – following the plan you established pre-incident.

Since 2016, Verizon has annually declined to estimate the average cost of a data breach.  Verizon reasons that since there are many variables that can determine breach cost, there is no reliable “average” data point.  There are, however, identifiable factors that we know impact breach cost, like industry sector, threat actor, number of records and impacted data type.  So, the more we know about a particular entity’s risk profile, the better equipped that entity is not only to protect itself but also to predict the potential cost of a breach.

Enter Chubb’s Cyber Risk Index.  It’s 20 years of claims data, organized by industry, annual revenue and time period.  Since industry sector and company size are significant differentiators in the context of data breach analyses, this tool lets companies home in on meaningful data about the nature and extent of their data breach risk.  And it’s free, whether you’re insured by Chubb or not.

I played with the interactive index a bit and here are a few interesting data points:

Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem.  This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.

One example is physical damage caused by cyber events.  Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property.  Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage.  And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events.  Rock, meet hard place.

Gap, meet AIG’s Cyber Edge products.  These products are designed to fill this gap by, in addition to covering the relatively standard range of cyber risks, including the ability to add coverage for cyber events that cause physical damage to people or property.

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation.  I’ve included the full publication on my Resources page.

Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public.  This is our world.
