Social engineering scams seeking to deceive companies into making wire transfers to fraudulent bank accounts continue to plague companies. According to the FBI, social engineering fraud costs businesses billions of dollars each year. On top of the lost funds, social engineering scams can lead to substantial investigation costs and even litigation.
Many businesses trust their crime or fidelity insurance policies to protect them from social engineering losses. Insurers, however, take the position that such policies do not cover all social engineering scams. Depending on the type of social engineering scam or how it happens to play out, insurers may deny coverage, depriving the policyholder of valuable insurance protection.
The “WannaCry” and “NotPetya” computer viruses that infected computer systems around the world in 2017 sounded a wake-up call. They demonstrated the power of a cyber event to disrupt the core operations of numerous companies and other organizations. Now some fear that another unpleasant surprise related to the 2017 virus attacks may be on the horizon—this time from the insurance industry. A recent lawsuit alleges that an insurer denied coverage for losses arising out of the “NotPetya” virus based on an exclusion for “hostile and warlike actions.” A version of this war exclusion appears in virtually all insurance policies, including cyberinsurance policies, which are supposed to address cyber events like “WannaCry” and “NotPetya.”
The lawsuit is Mondelez International, Inc. v. Zurich American Insurance Company. Filed late last year in Illinois state court, the policyholder, a snack food and beverage maker, alleges that it suffered a nightmare cyber scenario. Two separate intrusions of the “NotPetya” virus at different locations “rendered permanently dysfunctional approximately 1700 of [the policyholder’s] servers and 24,000 laptops.” According to the complaint, the virus caused property damage, commercial supply disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000.
The General Data Protection Regulation (“GDPR”) goes into effect tomorrow. Companies are considering the consequences and attempting to determine whether they are compliant or how to get there, whatever “compliant” ultimately will be determined to mean as time progresses under GDPR. In considering the consequences of failure to comply, companies are, or should be, also thinking about whether they can transfer risk, including to insurance, and whether their current insurance policies will do the trick. Many companies now have cyber insurance, but they cannot presume that their current cyber policy will protect against GDPR exposures. So, as we welcome in GDPR, the internal corporate conversation should include discussion of whether existing cyber policies are enough, or what needs to be done to fortify insurance protection against unknown future GDPR financial exposures.