Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Bank Loses $2.4 Million to Hackers: Insurer Offers It $50,000

August 14, 2018

I say it all the time when I lecture: Cyberinsurance is confusing as hell.

A recent Slate post covered the 2016 and 2017 data breaches of the National Bank of Blacksburg. I'll bet the executives actually felt pretty good thinking that their $2.4 million in losses was going to be covered by their cyberinsurance policy. But oh no . . .

The insurer, Everest National Insurance Co., ultimately refused to pay out a significant portion of the bank's claimed losses of $2.4 million, offering instead only $50,000 on the grounds that the breaches were not covered by National Bank's computer and electronic crime insurance rider. In June, National Bank sued Everest for breach of contract and a larger portion of the breach costs in a lawsuit that highlights just how confusing and unhelpful cyberinsurance policies can be, as well as how little the companies purchasing those policies typically understand about their coverage.

So, read the post and the full list of exclusions and you will certainly ask yourself how the policy could cover any computer crimes at all. Yup, it's that bad.

Why? Well, it's a rapidly growing market without a lot of predictive history. Companies are eager to sell cyberinsurance, but they are also nervous about staying profitable in light of all the data breaches. Compounding the mess is that the line between cyberinsurance and other kinds of insurance is blurred, which means it is hard to know which coverage applies.

In the case of National Bank, the central issue is whether the two breaches in May 2016 and January 2017 are covered under the computer and electronic crime rider of their insurance policy, which has a single loss limit liability of $8 million and a $125,000 deductible, or instead under the debit card rider, which has a significantly lower single-loss limit of $50,000 and a $25,000 deductible. Everest, upon investigating the National Bank breaches, classified both the 2016 and the 2017 incidents as a single event that was covered exclusively by the debit card rider, not the computer and electronic crime rider, and therefore eligible for a total of $50,000 in coverage, or slightly more than 2 percent of the bank's estimated $2,433,632.82 in losses.

That sure works out well for Everest, doesn't it?

Actually, the National Bank incidents seem like textbook examples of computer and electronic crimes. Both were initiated by phishing emails that enabled intruders to install malware on servers belonging to National Bank, steal usernames and passwords, and then infiltrate ATMs and user accounts belonging to the bank in order to steal more than $569,000 in 2016 through fraudulent ATM transactions and another $1,833,984 in early 2017. Investigations linked the malware and servers used by the hackers to Russia, and concluded that the two incidents were likely the work of the same criminal group.

The computer and electronic crime rider in National Bank's policy insured the bank against:

Loss resulting directly from an unauthorized party (other than an Employee) acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs within any Computer System … operated by the Insured … [p]rovided that the entry or change causes: (1) property [e.g. money] to be transferred, paid or delivered, (2) an account of the Insured [National Bank], or of its customer, to be added, deleted, debited or credited, or (3) an unauthorized account or a fictitious account to be debited or credited.

Certainly, the 2016 and 2017 incidents fit those criteria—an unauthorized party changed the computer programs operated by National Bank in a way that caused money to be paid and bank accounts to be debited. However, the policy also included a slew of exclusions that carved out exceptions to this coverage. The computer and electronic crime rider specifically excluded coverage of any losses—like the National Bank's—involving credit or debit cards or ATMs.

According to the National Bank's suit, Everest justified its decision by pointing to two exclusions in particular. Exclusion (k) of the National Bank's policy states that it does not cover:

loss resulting directly or indirectly from the use, or purported use, of credit, debit, charge, access, convenience or other cards (1) in obtaining credit or funds, or (2) in gaining access to automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans, or (3) in gaining access to point of sale terminals, customer-bank communication terminals, or similar electronic terminals of electronic funds transfer systems.

Exclusion (l) exempts Everest from covering:

loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans, unless such automated mechanical devices are situated within an office of the Insured which is permanently staffed by an Employee whose duties are those usually assigned to a bank teller, even though public access is from outside the confines of such office, but in no event shall the Underwriter be liable for loss (including loss of Property) (1) as a result of damage to such automated mechanical devices perpetrated from outside such office, or (2) as a result of failure of such automated mechanical devices to function properly, or (3) through misplacement or mysterious unexplainable disappearance of Property located within any such automated mechanical devices.

Since the losses in the 2016 and 2017 breaches involved the use of debit cards and automated mechanical devices, Everest concluded in its July 20 response to the lawsuit, National Bank's claims are not eligible for the $8 million computer and electronic crime coverage. If you read through the full list of exceptions laid out by Everest, you will wonder how its policy could cover any computer crimes whatsoever.

Those exceptions, and the blurred lines distinguishing cyberinsurance from other forms of insurance, are what enabled Everest to shift the cybercrimes perpetrated against National Bank under its $50,000 debit card rider, which covers losses "resulting directly from Debit Transactions, or automated mechanical device transactions, due to the fraudulent use of a lost, stolen or altered Debit Card or Counterfeit Debit Card used to access a cardholder's deposit account through an electronic payment device or automated mechanical device."

If you'd like a little dollop of irony, the reason the debit card coverage is so much lower is presumably because the losses from fraudulent debit or ATM transactions aren't expected to be very high: There are many protections in place to prevent someone from making lots of huge ATM withdrawals all at once. Except that, in this case, all of those automatic fraud protections were overridden through the compromise of the bank's computer system.

One lesson here is that a cyberinsurance purchaser should examine a proposed insurance policy with an expert. Insurers may be thinking, after reading this story, that it's easy to carve out exceptions all over the place and designate cyber incidents under other, smaller policies to drive down claims.

That will no longer be true if National Bank wins its suit, which would be a wake-up call to the insurance industry about its ambiguous, incomprehensible and overlapping policies.
