On June 27, 2017, the skies over New Jersey were clear and the ground steady. But Merck & Co., a New Jersey-based pharmaceutical company, was under attack. Malware ripped through its computers, damaging 40,000 of them and causing over $1.4 billion in losses.
Merck was not the sole target. Dubbed “NotPetya,” the virus tore through the US economy, and did an estimated $10 billion in damage. (This post describes losses experienced by other companies.) The US Department of Justice charged six Russian nationals, alleged officers of Russia’s Intelligence Directorate (the GRU), for their roles in the NotPetya attack, among others.
Continue Reading Boots on the Ground or Hands on a Keyboard: Merck and Insurers Battle Out the War Exclusion

A recent settlement filed by the Federal Trade Commission (FTC) and GoodRx may merit a review of your cyber insurance coverages. Earlier this month, the FTC took enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug provider, GoodRx, for failing to notify consumers of its unauthorized disclosures of personal health information.

As detailed in a February 27 Hunton client alert, the Health Breach Notification Rule generally requires that vendors not covered by the Health Insurance Portability and Accountability Act (HIPAA) of personal health records give notice in the event of a “breach of security,” which is defined to include “unauthorized acquisition” of personal health records.
Continue Reading Recent FTC Enforcement Action Merits Cyber Insurance Coverage Review

Hunton Andrews Kurth LLP insurance partner, Andrea DeField, was recently interviewed by Courtney DuChene for Risk & Insurance magazine for their article, Cyber Captives 101: Is Self-Insuring the Right Risk Mitigation Choice for Your Business? As we’ve discussed previously on the blog, the cyber insurance market has become increasingly difficult, see here, here

Recently, the Ninth Circuit dealt with a case involving a scenario that is becoming all too common. In Ernst & Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022), a property management company’s accounts payable clerk received several e-mails from her supervisor instructing her to pay some invoices. Unbeknownst to the clerk, these e-mails did not originate with her supervisor, but were actually part of a fraudulent scheme to elicit fraudulent bank transfers. The clerk paid off hundreds of thousands of dollars in “invoices” before becoming suspicious but, by then, it was too late and the damage was done.
Continue Reading A Win for Policyholders Who Are Victims of Fraudulent Bank Transfer Schemes

Hunton insurance attorneys, Walter Andrews, Andrea DeField, and Sima Kazmir, recently published an article in the Daily Business Review, discussing the scrutiny that companies face as a result of increased cyberattacks as well as tips for your next cyber insurance renewal.
Continue Reading Hunton Andrews Kurth Attorneys Weigh In On How To Minimize Cyberattack Risks With Insurance

A commentator recently summed up the risk of ransomware attack in 2022: “we’re all screwed.” True enough. But that’s all the more reason to prepare right now. After all, the only thing worse than a ransomware attack is not having adequate insurance coverage when it occurs. The time to prepare is now.
Continue Reading As Ransomware Proliferates, Insurance Can Help

On September 21, 2021 and October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued reminders of the sanctions risks for facilitating ransom payments to designated malicious cyber actors.  As discussed in our prior blogpost on OFAC’s October 1, 2020 advisory, OFAC has made clear that it is increasingly willing to bring enforcement actions against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of corporate victims.
Continue Reading Key Takeaways From OFAC’s Recent Guidance: Carefully Scrutinize Insurance Coverage And Respond To Cyber Incidents With The Assistance of Experienced Advisors

The Indiana Supreme Court recently reversed a trial court’s finding and an affirming intermediate appellate court opinion regarding the interpretation of a policy providing coverage for cyber-crime. In G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co., the state high court rejected the lower courts’ narrow interpretation of coverage and impractical view on causation. A copy of the decision can be found here.
Continue Reading Indiana Supreme Court Decrypts Computer Crime Coverage

The adage goes, “the best defense is a good offense.” This appears to be the approach that New York insurance regulators are advocating in response to what they deem “systemic risk[s] that occur when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.” On February 4, 2021, the New York Department of Financial Services (“DFS”), which regulates the business of insurance in New York, has issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, DFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”
Continue Reading New York Regulators Call on Insurers to Strengthen the Cyber Underwriting Process

It’s a cautionary tale of cyber fraud.  A title agent in a real estate transaction receives an email ostensibly from the mortgage lender providing instructions for transferring the loan proceeds into a settlement bank account.  After transferring the funds ($520,000), it becomes apparent that the transfer instructions came from an email address that was one letter off from the mortgage lender’s actual email address – it was a scam.  But it’s too late, the scammer has already withdrawn the funds from the settlement account and cannot be traced.
Continue Reading Engineering Coverage for Social Engineering Schemes in Light of New Jersey Federal Court Opinion Finding No Errors and Omissions Coverage for Email Scam