What Does Cyberinsurance Actually Cover?

After a bank lost $2.4 million to hackers, its cyberinsurance company offered it $50,000.

Photo illustration by Slate. Photos by Nerthuz/iStock; gorodenkoff/iStock.

After the National Bank of Blacksburg in Virginia suffered two data breaches—one in 2016 and one in 2017—executives must have been pleased that they had planned ahead and purchased cyberinsurance to cover exactly these types of incidents.

So it came as a shock to the bank when its insurer, Everest National Insurance Co., ultimately refused to pay the bulk of the bank's claimed losses of $2.4 million, offering only $50,000 on the grounds that the breaches were not covered by National Bank's computer and electronic crime insurance rider. In June, National Bank sued Everest for breach of contract, seeking a larger share of the breach costs. The lawsuit highlights just how nebulous and unhelpful cyberinsurance policies can be, and how little the companies purchasing those policies typically understand about what they have bought.

To understand the mess that National Bank now finds itself in, it’s helpful to know three things about the cyberinsurance market. First, while it’s still a relatively small market, it’s growing rapidly (unlike many sectors of the insurance business), and many insurers are eager to sell these policies in order to grow their business. Second, many insurance firms pitching the policies are also concerned about whether they have sufficiently robust models to predict and characterize cybersecurity incidents—they worry they may end up paying too many of these claims to stay profitable in the event of widespread cyberattacks. Third, there’s considerable (and increasing) overlap between cyber-related incidents and the types of events covered by other kinds of insurance. For instance, as cars and buildings incorporate more automated computer-controlled systems, the line between what types of incidents are covered by cyberinsurance as opposed to by auto insurance blurs; ditto the line between cyberinsurance and property insurance coverage.

In the case of National Bank, the central issue is whether the two breaches, in May 2016 and January 2017, are covered under the computer and electronic crime rider of its insurance policy, which has a single-loss limit of liability of $8 million and a $125,000 deductible, or instead under the debit card rider, which has a far lower single-loss limit of $50,000 and a $25,000 deductible. Everest, after investigating the National Bank breaches, classified the 2016 and 2017 incidents together as a single event covered exclusively by the debit card rider, not the computer and electronic crime rider, and therefore eligible for a total of $50,000 in coverage, or slightly more than 2 percent of the bank's estimated $2,433,632.82 in losses.

And yet, the National Bank incidents seem like textbook examples of computer and electronic crimes. Both were initiated by phishing emails that enabled intruders to install malware on servers belonging to National Bank, steal usernames and passwords, and then infiltrate ATMs and user accounts belonging to the bank in order to steal more than $569,000 in 2016 through fraudulent ATM transactions and another $1,833,984 in early 2017. (In between the two incidents, National Bank says it added several security controls, but that these were ultimately unsuccessful in preventing the second attack because the intruders were able to delete the evidence of their fraudulent debits so that their activity would go undetected by the bank’s security monitoring systems.) Investigations linked the malware and servers used by the hackers to Russia, and concluded that the two incidents were likely the work of the same criminal group.

Surely, it was precisely incidents like these that cybercrime insurance policies were intended to cover?

Well, no.

The computer and electronic crime rider in National Bank’s policy insured the bank against:

Loss resulting directly from an unauthorized party (other than an Employee) acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs within any Computer System … operated by the Insured … [p]rovided that the entry or change causes: (1) property [e.g. money] to be transferred, paid or delivered, (2) an account of the Insured [National Bank], or of its customer, to be added, deleted, debited or credited, or (3) an unauthorized account or a fictitious account to be debited or credited.

Certainly, the 2016 and 2017 incidents fit those criteria—an unauthorized party changed the computer programs operated by National Bank in a way that caused money to be paid and bank accounts to be debited. However, the policy also included a slew of exclusions that carved out exceptions to this coverage. The computer and electronic crime rider specifically excluded coverage of any losses—like the National Bank’s—involving credit or debit cards or ATMs.

According to the National Bank’s suit, Everest justified its decision by pointing to two exclusions in particular. Exclusion (k) of the National Bank’s policy states that it does not cover:

loss resulting directly or indirectly from the use, or purported use, of credit, debit, charge, access, convenience or other cards (1) in obtaining credit or funds, or (2) in gaining access to automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans, or (3) in gaining access to point of sale terminals, customer-bank communication terminals, or similar electronic terminals of electronic funds transfer systems.

Meanwhile, exclusion (l) exempts Everest from covering:

loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans, unless such automated mechanical devices are situated within an office of the Insured which is permanently staffed by an Employee whose duties are those usually assigned to a bank teller, even though public access is from outside the confines of such office, but in no event shall the Underwriter be liable for loss (including loss of Property) (1) as a result of damage to such automated mechanical devices perpetrated from outside such office, or (2) as a result of failure of such automated mechanical devices to function properly, or (3) through misplacement or mysterious unexplainable disappearance of Property located within any such automated mechanical devices.

Since the losses in the 2016 and 2017 breaches involved the use of debit cards and automated mechanical devices, Everest concluded in its July 20 response to the lawsuit that National Bank's claims are not eligible for the $8 million computer and electronic crime coverage. (It's worth noting that in its response Everest also lays out several other exclusions built into the policy for costs it will not cover, including loss of potential income, costs associated with legal proceedings, and indirect losses such as fines or penalties.) Read through the full list of exclusions laid out by Everest and you will no longer wonder how its policy could fail to cover National Bank's breaches; you will wonder how its policy could cover any computer crime whatsoever.

Those exclusions, and the blurry lines separating cyberinsurance from other forms of insurance, are what enable Everest to shift the cybercrimes perpetrated against National Bank onto its $50,000 debit card rider, which covers losses "resulting directly from Debit Transactions, or automated mechanical device transactions, due to the fraudulent use of a lost, stolen or altered Debit Card or Counterfeit Debit Card used to access a cardholder's deposit account through an electronic payment device or automated mechanical device."

The irony of this decision is that the debit card limit is presumably so much lower because losses from fraudulent debit or ATM transactions aren't expected to be very high: Per-card withdrawal limits and the bank's other fraud controls exist precisely to stop someone from making many large ATM withdrawals at once. That pricing assumes the controls stay in place. In this case, the intruders had compromised the bank's own computer systems, so the controls that the small limit depends on were overridden from the inside, and the attackers could also erase the records that would have revealed the fraudulent debits.

The National Bank case is an unsurprising consequence of a cyberinsurance market in which insurers are eager to sell policies but extremely wary of having to make substantial payouts and have not yet disentangled their cyber coverage from all their other policies that involve computer systems of one form or another. For customers looking to buy cyberinsurance, it should serve as a strong reminder of how much time they should spend scrutinizing and customizing a boilerplate policy with an expert before agreeing to purchase anything. For insurers, the lesson might be that the bar for many cyberinsurance policies is really, really low right now, and it’s easy to carve out exceptions all over the place and designate cyber incidents under other, smaller policies to drive down claims. Unless, of course, National Bank wins its suit—in which case it may serve as a much-needed wake-up call in an industry rife with ambiguous, overlapping policies that customers can barely understand until it’s too late.