The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks. Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance. In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.
May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect. It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.
To follow up on our post last week recapping a recent Ninth Circuit decision regarding coverage for losses from a social engineering scheme, federal appellate courts continue to examine the coverage available for such losses. As Law360 highlighted, and as we previously reported (here, here, here, and here), appeals are pending in the Second, Sixth, and Eleventh circuits. These cases, some of which involve lower court findings of coverage while others do not, show that coverage for social engineering scams remains hotly contested, which means policyholders must carefully consider such coverage when purchasing insurance. While more and more insurers have introduced endorsements designed to specifically address social engineering schemes, as Hunton attorney Patrick McDermott recently pointed out in a separate Law360 piece, one issue policyholders ought to consider is “whether an endorsement providing coverage for losses resulting from social engineering schemes actually narrows the coverage available for those losses.”
On April 17, 2018, the Ninth Circuit affirmed a district court decision finding that an exclusion barred coverage for a $700,000 loss resulting from a social engineering scheme. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018). The scheme involved fraudsters who, while posing as employees, directed other employees to change account information for a customer. The employees changed the account information and sent four payments to the fraudsters.
As we and our sister blogs have previously reported (see here, here, and here), the New York State Department of Financial Services enacted Cybsersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation is due today, February 15, 2018.
In today’s interconnected society, a cyber breach is inevitable. For energy companies in particular, the threat is even more acute as cyber security improvements lag behind the rapid digitalization in oil and gas operations. One recent cyber security report stated that 68% of respondents reported that their organization experienced at least one cyber compromise. And, just last week, it was disclosed that hackers used sophisticated malware, called “Triton,” to take control of a key safety device at a power plant in Saudi Arabia. Find our analysis of this latest attack on the blog here .
In what has been described as a “watershed” cyber incident, hackers recently used sophisticated malware—dubbed Triton—to take control of a key safety device installed at a power plant in Saudi Arabia. One of the few confirmed hacking tools designed to manipulate industrial control systems, this new breach is part of a growing trend in hacking attempts on utilities, production facilities, and other critical infrastructure in the oil and gas industry. The Triton malware attack targeted the Triconex industrial safety technology made by Schneider Electric SE. The attack underscores the importance of mitigating this and other similar risks through cyber and other traditional liability insurance as part of a comprehensive cybersecurity program.
The U.S. District Court for the Middle District of Florida, in Innovak International v. The Hanover Insurance Co., recently granted summary judgment in favor of Hanover Insurance Company finding that it had no duty to defend Innovak against a data breach lawsuit. Innovak, which is a payroll service, suffered a breach of employee personal information, including social security numbers. The employees then filed suit against Innovak alleging it had negligently created a software that allowed personal information to be accessed by third parties. Innovak sought a defense for the lawsuit from its commercial general liability carrier, Hanover Insurance Company. Innovak argued that the employee’s allegations triggered the personal and advertising injury coverage part of the policy, which covers loss arising out of the advertising of the policyholder’s goods or services, invasion of privacy, libel, slander, copyright infringement, and misappropriation of advertising ideas. The court disagreed and found the employees’ allegations did not involve a publication that would trigger coverage under the commercial general liability policy.
In a recent brief filed in the Sixth Circuit, American Tooling Center, Inc. argued that the appellate court should reverse the district court’s decision finding no insurance coverage for $800,000 that American Tooling lost after a fraudster’s email tricked an employee into wiring that amount to the fraudster. As we previously reported here, the district court found the insurance policy did not apply because it concluded that American Tooling did not suffer a “direct loss” that was “directly caused by computer fraud,” as required for coverage under the policy. The district count pointed to “intervening events” like the verification of production milestones, authorization of the transfers, and initiating the transfers without verifying the bank account information and found that those events precluded a “finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”