Cybersecurity Insurance Policies May Not Provide Expected Coverage
November 30, 2015
Companies purchase cybersecurity insurance policies to cover financial losses from cyber threats. However, such insurance policies may not provide the expected coverage. BitPay recently incurred such a loss, but its insurance carrier refused coverage. BitPay sued for breach of contract and bad faith denial of coverage. BitPay, Inc. v. Massachusetts Bay Insurance Company, N.D. Georgia, 1:15-cv-03238 (filed September 15, 2015). According to the complaint, Bitpay is a global bitcoin payment processor and is the named insured under a commercial crime policy issued by MBIC. The Policy covers occurrences related to computer fraud as follows: “We will pay for loss of or damage to ‘money,’ ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: a. To a person (other than a ‘messenger’) outside those ‘premises’; or b. To a place outside those ‘premises.’
BitPay’s CFO received an email from someone purporting to be David Bailey of Bitcoin (a digital currency publication) requesting comment on a bitcoin industry document. Unbeknownst to the CFO, Mr. Bailey’s computer had been illegally hacked. The phony email sent by the person who hacked Mr. Bailey’s computer, directed the CFO to a website controlled by the hacker. The CFO provided the credentials for his Bitpay corporate email account. After capturing the CFO’s credentials, the hacker used that information to hack into the CFO’s email account to fraudulently cause a series of bitcoin transfers. The hacker illegally hacked the CFO’s computer so he could use his or her computer to send false authorizations to Bitpay on December 11 and 12, 2014. The hacking fraudulently transferred $1,850,000 of bitcoin. BitPay made an insurance claim, but MBIC denied it.
MBIC claimed the Policy requires the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The insuring agreement is only triggered where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer to an outside person or place. Since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money, MBIC claims the facts do not support a direct loss. MBIC claims it was the computer system of Bailey, not the CFO, that was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
This article is featured in the Indiana Manufacturers Association Executive Memo.
Practices
November 30, 2015
Companies purchase cybersecurity insurance policies to cover financial losses from cyber threats. However, such insurance policies may not provide the expected coverage. BitPay recently incurred such a loss, but its insurance carrier refused coverage. BitPay sued for breach of contract and bad faith denial of coverage. BitPay, Inc. v. Massachusetts Bay Insurance Company, N.D. Georgia, 1:15-cv-03238 (filed September 15, 2015). According to the complaint, Bitpay is a global bitcoin payment processor and is the named insured under a commercial crime policy issued by MBIC. The Policy covers occurrences related to computer fraud as follows: “We will pay for loss of or damage to ‘money,’ ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: a. To a person (other than a ‘messenger’) outside those ‘premises’; or b. To a place outside those ‘premises.’
BitPay’s CFO received an email from someone purporting to be David Bailey of Bitcoin (a digital currency publication) requesting comment on a bitcoin industry document. Unbeknownst to the CFO, Mr. Bailey’s computer had been illegally hacked. The phony email sent by the person who hacked Mr. Bailey’s computer, directed the CFO to a website controlled by the hacker. The CFO provided the credentials for his Bitpay corporate email account. After capturing the CFO’s credentials, the hacker used that information to hack into the CFO’s email account to fraudulently cause a series of bitcoin transfers. The hacker illegally hacked the CFO’s computer so he could use his or her computer to send false authorizations to Bitpay on December 11 and 12, 2014. The hacking fraudulently transferred $1,850,000 of bitcoin. BitPay made an insurance claim, but MBIC denied it.
MBIC claimed the Policy requires the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The insuring agreement is only triggered where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer to an outside person or place. Since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money, MBIC claims the facts do not support a direct loss. MBIC claims it was the computer system of Bailey, not the CFO, that was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
This article is featured in the Indiana Manufacturers Association Executive Memo.