A recent court case could serve as a warning for companies as they try to determine how to insure against cyber losses. National Bank of Blacksburg v. Everest National Insurance Co. involves two coordinated hacks from 2016 in which cyber criminals stole $2.4 million from the National Bank of Blacksburg in Virginia using targeted phishing email that an employee opened. But the court case does not involve action against the hackers. Instead, the bank is suing its insurance provider for failing to cover the losses despite the bank having cyber insurance.
A Case of Two Cyber Insurance Riders
The lawsuit is built around the bank carrying two different cybercrime riders on its policy. The first (a computer and electronic crime rider) had a limit of $8 million. The second (a debit card rider) had a single loss limit of $50,000. The hack involved taking information from a data breach and constructing fake debit cards to steal money from the bank’s accounts. The insurance company, Everest National Insurance Company, has stated that because the theft was from debit card use, they only have to pay under the second rider that only lets the bank recoup a fraction of the total lost amount. The bank claims that the debit card fraud only occurred because of the initial data breach and that it should therefore be covered under the first rider with the higher limit. The New Jersey-based insurance company states that while “National Bank suffered a sophisticated computer system intrusion and hackings” they deny “that Everest has breached its contract with National Bank, denies that it acted in bad faith, and denies that National Bank is entitled to any damages from Everest.”
Businesses Should Heed This Warning
This case serves as a warning for companies purchasing cyber insurance. Cyber insurance policy language is complex and varied across carriers. Businesses that try to make purchasing decisions without true cyber experts in their corner may discover the hard way they are uninsured or underinsured for their specific cyber risk profile. According to Charisse Castagnoli, an adjunct professor with the John Marshall Law School, “When it comes to actual intrusions and managing intrusions, it’s a wild wild west. The policies and definitions they use are not consistent across carriers.”
Who Can You Trust?
Because of this wide variation in terminology and policy definitions, Castagnoli adds, “The serious brokers who are out there selling cyber insurance all say the same thing: Have an expert help you to write your policy. It’s mind-numbingly complicated and we don’t have standard language in insurance policies that help insurance clients decide what policy is right for them.”
INSUREtrust wrote the first cyber policy back in 1997, and we’ve been experts ever since. We work with all the major carriers in the cyber market, and offer our clients state-of-the-art cyber coverage on a daily basis. Call us today to learn how we can help you get the right coverage for your clients.