Phishing has been around for decades.  But now, the long-lost ancestor claiming to be a foreign prince is stealing more than your grandmother’s savings.  Phishers are targeting corporations—small and big, private and public—stealing sensitive data and money.  When Policyholders take the bait, they had better have a tailored insurance policy to keep their insurers on the hook as well.

Texas property management company RealPage, Inc. is the latest company to fall victim to a targeted phishing scam.  RealPage uses and controls a software to accept money from residential clients and transfer that money to its property manager clients.  After a phishing scam obtained employee credentials, more than $10 million in funds were diverted from client accounts to the phisher.  RealPage was insured under a $5 million primary insurance policy issued by National Fire Insurance Company of Pittsburgh, Pa. (AIG), and a $5 million excess policy issued by Beazley Insurance Company, Inc., which included coverage for computer fraud, funds transfer fraud, and loss to property that RealPage “owns” and “hold[s] for others.”  Despite the seemingly comprehensive coverage, however, the primary insurer denied coverage based on a lack of ownership of the diverted funds.  RealPage filed suit on June 5, 2019, in the Northern District of Texas against AIG and Beazley, seeking declaratory relief and bringing claims for breach of contract, anticipatory breach of contract, violations of good faith under the Texas Insurance Code.

Insurance coverage disputes for phishing scams and cybercrimes generally are new to Texas, with very few of these suits actually being litigated.  The RealPage dispute serves as reminder that ‘form’ crime and cyber insurance policies may sound good in name, but may not provide coverage suitable for all businesses, including midstream service providers like RealPage.  Policyholders can attempt to protect their information and assets through robust employee training.  But, the best way to not get hooked may be through a comprehensive and tailored cyber insurance policy that fits the policyholders’ particular business model so that coverage is available when employees unknowingly take the bait.