Bank Account Takeover & Cyber Risk Insurance

More reports have surfaced of bank account takeovers and loss of money through ACH/wire fraud (see our prior post), but little mention of Cyber Risk Insurance (see here) or cyber risk management. 

The first report, from the NYT (see here) and Krebs On Security (see here), involved Golden State Bridge, an engineering and construction company based in California.  Criminals obtained online access credentials and succeeded in transferring $125,000 in two ACH’s out of the companies accounts in 2010.  Seven other transactions were caught and cancelled.  The article makes an important point for small business:

Owners often assume incorrectly that the protection they have on personal bank accounts applies to their business accounts. Many are shocked to learn that most banks do not take responsibility for unauthorized debits from business accounts. Unless the owners have fraud insurance, they must shoulder the losses alone

Golden State Bridge had insurance to cover the loss.

The second report is in the Wall Street Journal ($, see here & here; we normally don't link to subscription-only material).  The company, Lifetime Forms & Displays, is a mannequin maker and importer in New York and a perfect target for cyber criminals.  It appears that the criminals wired money out of the Company's account in nine transactions of approximately $150,000 each to three US banks and one Chinese bank.  Most of the money has been recovered through quick action on the part of the company, but amounts wired to the Chinese bank have not been recovered.  The company was likely a prime target for the criminals because it regularly utilized online banking for foreign transactions and periodically maintained significant sums in its accounts.

Cyber Risk Insurance is mentioned as a risk mitigation tool in some of these reports.  Brian Krebs, a computer security authority, writes the blog Krebs On Security.  He has commented (see here):

Cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts

Cyber Risk Insurance is an important tool in mitigating bank account takeover theft, but coverage provided is not consistent and many policies do not cover the loss of money.

According to a recent Account Takeover Survey (see here), bank account takeover attempts continue to increase, but the percentage of cases where funds were actually transferred was flat from 2010 to 2011 at 32%, which was down from 70% in 2009.  Note that part of the challenge with any of these statistics is the level of reporting.  It is not known what percentage of security breaches are reported.

Cyber Risk Insurance coverage is not well understood, but there is more than enough information available to educate clients.  For example, we have a unique approach to ease the educational challenges for retail agents and brokers, and for their customers.  As a wholesale broker, we provide Cyber Risk Insurance to all types organizations through retail insurance agents and brokers.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners

Insurance Agents/Brokers Should Offer Cyber Risk Insurance

Because the risks of privacy breaches, data thefts and hacking are rapidly escalating, particularly for small businesses, Cyber Risk Insurance has become the hot new product in the insurance business.  Not all insurance agents and brokers are regularly offering this coverage to their commercial clients, and they should be. 

Unfortunately, there is a real-life example that demonstrates the importance of offering Cyber Risk coverage.  According to reports (see here), back-up tapes with 1.7 million patient records from hospitals affiliated with the University of Utah were stolen from a service provider employee’s car.  The University incurred more than $3.0 million in costs associated with the breach, and litigation has ensued between the University, the service provider, and the service provider’s insurer.  It appears that no Cyber Risk Insurance was in place. 

Unfortunately, the agent has been brought into the litigation.  The allegations read, in part, as follows (see here, here, and here).  Note that the actual participants are not important, and therefore we refer to the insurance company as Insurer, the service provider as Provider and the agents as Agents.

• Agents failed to obtain the needed insurance coverage for Provider, to which the University was a third-party beneficiary.
• Agents are liable for all damages resulting to the University in the event that coverage under the Insurer’s Policies is unavailable, and the expense in bringing a lawsuit to resolve the coverage issues and the Insurer’s denial of coverage.
• Agents were careless, negligent and made various negligent misrepresentations about Provider’s insurance coverage from Insurer, pursuant to Policies to which the University was a third-party beneficiary.

The claim against the agents would have been easy to avoid.  Cyber Risk insurance provides protection from various risks associated with technology, including data breaches of the type noted above, and is easy to obtain (see here, and our prior post here).  As noted at InformationLawGroup (see here):

Brokers should approach the market to obtain cyber insurance for their customers…Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was).

The coverage is new and not well understood, but there is more than enough information available to educate clients.  For example, we have an approach to ease the educational challenges for retail agents and brokers, and for their customers.  As a wholesale broker, we provide Cyber Risk Insurance to all types organizations through retail insurance agents and brokers.

Specialty Insurance Expertise: Tennant Risk Services
Supporting Insurance Entrepreneurship: Tennant Capital Partners