On September 21, 2021 and October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued reminders of the sanctions risks for facilitating ransom payments to designated malicious cyber actors.  As discussed in our prior blogpost on OFAC’s October 1, 2020 advisory, OFAC has made clear that it is increasingly willing to bring enforcement actions against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of corporate victims.
Continue Reading Key Takeaways From OFAC’s Recent Guidance: Carefully Scrutinize Insurance Coverage And Respond To Cyber Incidents With The Assistance of Experienced Advisors

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.

Continue Reading Indiana Supreme Court Decrypts Computer Crime Coverage

The adage goes, “the best defense is a good offense.” This appears to be the approach that New York insurance regulators are advocating in response to what they deem “systemic risk[s] that occur when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.” On February 4, 2021, the New York Department of Financial Services (“DFS”), which regulates the business of insurance in New York, has issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, DFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”

Continue Reading New York Regulators Call on Insurers to Strengthen the Cyber Underwriting Process

It’s a cautionary tale of cyber fraud.  A title agent in a real estate transaction receives an email ostensibly from the mortgage lender providing instructions for transferring the loan proceeds into a settlement bank account.  After transferring the funds ($520,000), it becomes apparent that the transfer instructions came from an email address that was one letter off from the mortgage lender’s actual email address – it was a scam.  But it’s too late, the scammer has already withdrawn the funds from the settlement account and cannot be traced.

Continue Reading Engineering Coverage for Social Engineering Schemes in Light of New Jersey Federal Court Opinion Finding No Errors and Omissions Coverage for Email Scam

Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack on its insured? According to the US Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) October 1, 2020 advisory (“OFAC Advisory”), in certain situations, it may be.

Continue Reading While OFAC Cautions Cyber Insurers About Facilitating Ransomware Payments, Policyholders Should Ensure They’re Covered

A Maryland federal court recently awarded summary judgment to National Ink and Stitch, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  We discussed the significance of the decision in a January 27 blog post that can be found here.

Continue Reading Hunton Insurance Partners Andrews and Levine Comment to Law360 and Business Insurance on Recent Ransomware Coverage Win for National Ink

A Maryland federal court awarded summary judgment last week to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property And Casualty Insurance Company, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  This is significant because it demonstrates that insureds can obtain insurance coverage for cyber-attacks even if they do not have a specific cyber insurance policy.

Continue Reading Maryland Court Finds Coverage For Lost Data And Slow Computers After Ransomware Attack

The members of Hunton’s Insurance Recovery group present regularly on today’s hot topic insurance coverage issues. Upcoming insurance presentations for January 2020 include:

Energy industry: is your insurance sufficient to handle a major cyber event? Larry Bracken, Mike Levine, and I address this question and more in our recent article for Electric Light & Power, found here.  In the article, we identify three major gaps in cyber insurance that we routinely see when analyzing coverage for energy industry clients. The first major gap is coverage for bodily injury or property damage caused by a cyber event. Most cyber insurance policies exclude coverage for both bodily injury and property damage, even if caused by a cyber event. Meanwhile, many commercial general liability insurance policies now exclude cyber-related risks, thus creating a gap in coverage for these losses. The second gap we identify is coverage for fines and penalties, including those issued under the European Union’s General Data Protection Regulation (GDPR). Even where cyber insurance policies expressly purport to cover fines and penalties, it is unclear if these may be deemed uninsurable as a matter of public policy in certain jurisdictions. Finally, we identify a gap in coverage for business income losses when the insured’s network, or that of a vendor on which they rely, goes down. That coverage is a key component of a robust cyber program, but one that is typically only offered for an additional premium.

Continue Reading Hunton Insurance Lawyers Discuss Cyber Risks to the Energy Grid in Electric Light & Power

Equifax Inc. recently announced that it has agreed to pay up to $700 million to settle numerous government investigations and consumer claims arising out of a 2017 breach that exposed Social Security numbers, addresses and other personal data belonging to over 148 million individuals. Following the breach, Equifax faced investigations from the Federal Trade Commission, the Consumer Financial Protection Bureau, all 50 state attorneys general and consumers prosecuting nationwide multidistrict litigation. As part of the deal, Equifax will contribute approximately $300 million to compensate consumers, with the potential to increase to $425 million depending on the number of claims filed. Equifax also agreed to pay $175 million to state governments, plus another $100 million in civil penalties to the CFPB.
Continue Reading Equifax’s Hefty $700M Bill is a Powerful Reminder to Close Cyber & D&O Coverage Gaps