Still much to be determined on insurance coverage after cyberattacks

Case law on coverage after social engineering fraud is sparse

Two recent cases have highlighted issues around cybersecurity insurance coverage, and lawyers say clients need to take a close look at their policies to see if they’re covered should a problem arise. 

Sean Lewis, an associate with Lenczner Slaght Royce Smith Griffin LLP in Toronto, says there are policies that exist to address social engineering fraud, which he describes as “identity theft and fraudulent schemes perpetrated online.”

This can include email phishing, he says.

“We have them, but what’s not clear is what it all means from a coverage standpoint once you actually get into one of these situations,” says Lewis, who says case law in the area is “sparse.”

For example, in Dentons Canada LLP v. Trisura Guarantee Insurance Company, 2018 ONSC 7311, the law firm became embroiled in a dispute with its insurance company.

This came after an associate was misled by fraudsters and transferred $2.5 million into a Hong Kong bank account.

The firm managed to get $800,000 back and made a claim for the remaining amount from Trisura, but the insurer said it wouldn’t pay out.

“Trisura denied coverage for the loss on November 13, 2017, on the ground that the Computer Fraud Rider does not respond to the circumstances of the loss as alleged by Dentons, specifically that the transfer of funds by Dentons on January 3, 2017 was not itself fraudulently caused and that no computer was used to fraudulently cause any transfer of any funds because the transfer itself was not fraudulent; that Dentons is precluded from relying on the Computer Fraud Rider because it declined a Social Engineering Fraud Rider and, as a result, had no reasonable expectation of coverage for social engineering fraud losses . . .,” said the ruling.

However, Dentons said the “plain language of the policy provides coverage in the circumstances.”

Dentons applied for a declaration that the insurer had breached its policy and had a duty to pay, later narrowing the application to obtain an advisory opinion on the fraud rider. Justice Carole Brown ultimately ruled that the application had to be converted into an action.

“I am of the view that all evidence necessary to make a full determination of the issues is not in the record and is not before the Court on this application,” said the ruling.

Meanwhile, in The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413, the Brick transferred more than $330,000 to a fraudster who called the company, pretended to be an employee of Toshiba and followed up by email. The Brick became involved in a legal dispute with its insurer.

The Brick argued that “the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third-party, and the focus should be on the fraud itself and not on the fraudulent instructions.”

However, the court said the company was not entitled to recover its financial losses from Chubb.

“Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party,” said the ruling.

Eric Charleston, a senior associate with Miller Thomson LLP in Toronto, says that, despite an organization’s best efforts, human error is inescapable. In a recent article Charleston co-authored, he cited a statistic from the Canadian Survey of Cyber Security and Cybercrime, stating that Canadian businesses have spent an estimated $14 billion on cybersecurity.

“Organizations can mitigate the impact of a cyberattack by purchasing comprehensive standalone cyber-insurance tailored to the specific risks. Many organizations mistakenly believe that cyber riders and add-ons to their existing coverage are sufficient to protect against a cyberattack,” he says. “The case law reveals that this mistaken belief can be costly, leading to coverage gaps and significant uninsured losses, especially in the context of social engineering fraud.”

Lewis says it’s important for lawyers and their clients to consider the issue.

“While companies feel that they need this coverage — and it’s probably wise to have this coverage — at the end of the day, once you have seen a coverage dispute down to the end, it’s not entirely clear where the court is going to side,” he says.

Lewis says it’s also critical that clients carefully review their policies.

“It’s understandable that clients want this coverage and people feel as though they should have this coverage, but we don’t necessarily have the specifics yet. So, from a what-to-do-next standpoint . . . it’s about reading all of your policies in tandem and looking at it and saying, ‘OK, well, if [we have] cyber-security coverage either as a standalone policy or as part of another policy, if I think that it applies to this group of things, does it also apply to the next group of things?’” he says.

“[S]o, if we know it applies to ransomware because it says so in the policy, does it apply to social engineering? Does it apply to something else, and if so, elsewhere in my policy, elsewhere in my coverage, is there a potential exclusion, is there an issue, is there an overlap? Do you get into competing coverages either within a single insurer or with multiple insurers? These are the things that start to matter . . .”