
Do not put all your eggs in the Silent-Cyber basket



The Eastern District of Pennsylvania recently provided another reminder of why cyber insurance should be part of a comprehensive insurance portfolio. In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded it of over $1 million.

Construction Financial Administrative Services, referred to as CFAS, pays funds to contractors. One of its customers, SWF Constructors, was hacked, and a bad actor posing as the client asked CFAS to disburse $600,000 to a fake third party. John Follmer, a CFAS manager and the only person authorized to approve the distribution of funds, approved it. The next day, the bad actor, again posing as the client, asked Follmer to transfer another $700,000. Follmer approved that distribution as well.

Although Follmer approved both distributions, he did not follow the proper protocol in doing so. The third party was not included in the approved budget; CFAS never received a copy of an agreement between the client and the third party; CFAS never received a payment voucher for the payment; CFAS never received an exemption from the client; and CFAS never received the additional information needed to account for the payout. Despite this, Follmer approved the payments.

After the fraud was discovered, CFAS tried to get back the money it had been tricked into giving up, but it was too late. It only got back $120,000 out of the $1,300,000 it lost.

CFAS filed a claim under its errors and omissions policy – probably because it did not have separate cyber coverage. Some non-cyber policies include “silent cyber coverage”, which is coverage that is not primarily intended to cover cyber losses but nevertheless applies to cyber-related losses because the policy is broadly worded. Federal, CFAS’s insurer, sought to eliminate that type of silent cyber coverage by including an unauthorized access exclusion in its policy. That exclusion bars claims “based on, arising from or as a result of unauthorized or exceeded authorized access to, use of or modification of computer programs, software, computer, computer systems.”

CFAS, in an obvious attempt to avoid this exclusion, made no claim to silent cyber coverage; in fact, it did not try to claim losses based on the actions of the bad actor at all. Instead, CFAS claimed that its losses were covered because Follmer had acted negligently by making the payments without collecting all the necessary information. Although creative, that argument ultimately failed.

The court ruled that CFAS could not avoid the broad language of the exclusion – which eliminates coverage for all losses “due to any … unauthorized access to … computers” – by characterizing the loss as a result of negligence. Under North Carolina law, which controlled, as long as the loss “follows as an effect of” the bad actor’s unauthorized access, it was “due to” the unauthorized access and was therefore excluded.

Construction Financial Administration serves as a reminder to policyholders to ensure that proper, comprehensive insurance coverage is in place to cover all reasonably expected risks of loss. In today’s technology-dependent society, that coverage must include robust cyber protection. Although some policies have traditionally provided “silent cyber coverage”, new, broad exclusions are being introduced to limit such coverage, making it all the more important for companies to ensure that their insurance portfolio specifically targets cyber risks.

