We continue to hear that the threat of cyber-attack to smaller organizations is real (see prior post), and we have talked about Cyber Risk Insurance as one (essential) method of protection. A bank account takeover attack is just one of these threats, but the consequences to a small business are significant (prior post). One attack we have previously noted is the Choice Escrow attack (see here). Subsequent to the attack, litigation ensued between Choice Escrow and its bank over responsibility for the loss of funds.
The litigation went to appeal, where the bank prevailed. Rather than continue the appeal process, the parties settled, agreeing to each pay their own legal fees (see here).
The obvious lesson is that Cyber Risk Insurance could have provided some protection to Choice Escrow, but there are complicating matters. Not all Cyber Risk insurance policies cover theft of money. And some insurers have sustained losses from bank account takeovers and have either removed the coverage completely or reduced the coverage in their Cyber Risk forms.
And banks are not a good source of recovery for organizations that lose money to cyber-related theft. Banks have generally not been held responsible for a commercial customer’s loss of money by cyber-attack when the breach occurs within the customer’s system, typically through theft of the customer’s user credentials. This seems to be the case for Choice Escrow:
- The federal appeals court … ruled the loss was the responsibility of Choice Escrow (see here)
- The panel found that the liability for account takeover losses shifted when the escrow company declined to use a two-person authorization security feature offered by the bank (see here)
- The decision could be a blow to companies trying to recover cyberheist losses from their banks (see here)
While the ruling supports some IT security obligations on the part of the banks, it also may have created a roadmap for banks to shift liability as noted in an article in Business Law Today (here):
- Banks should continue to require and/or offer various security procedure options
- The bank’s agreements with its commercial customers should invoke and carefully track the requirements of Article 4A of the UCC in order to shift liability to the customer for fraudulent transactions
- Banks and their commercial customers need to be thoroughly versed in and trained on the importance of security systems and procedures
Businesses must take steps to protect themselves from cyber-related exposures, and Cyber Risk Insurance is one of a number of protections against cyber-attacks. Cyber Risk Insurance is easy to obtain, can provide broad protection and is inexpensive.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability insurance (E&O, D&O, EPL, Cyber). We are an expert in Cyber Risk Insurance, and excel at hard-to-place accounts.