The Cyber Insurance Flip Side
We’ve covered denial of insurance coverage for trade secret misappropriation and affirming insurance coverage for copyright infringement. Now we turn our attention to the newer kid on the insurance block, cyber insurance.
AIG Commercial Insurance Co. offered a “Specialty Risk Protector” insurance policy. Larger companies could bundle a number of coverages in one policy such as coverage for specialty errors and omissions, network security and privacy, event management, crisis fund, network interruption, cyber extortion, media for publishers and broadcasters, media content, and employed lawyers’ professional liability.
SS&C Technologies Holdings, provides business process services fund administration to the financial industry all over the world. SS&C had a Specialty Risk Protector insurance policy from AIG. While providing fund managing services to one its clients, Tillage Commodities Fund LP, SS&C received six instructions to transfer Tillage’s funds totaling $5.9 million to bank accounts in Hong Kong. The problem? SS&C was the victim of spoofing. That’s where nefarious persons or entities mimic an email address and even the look of an email to fool someone into transferring money or property that evaporates into the pocket of the nefarious.
A few days after the transfers, SS&C discovered that it had been the victim of a spoofing. It immediately notified Hong Kong’s police and its insurer, AIG, of a potential lawsuit.
Sure, enough, Tillage filed suit against SS&C. AIG agreed to defend the suit but reserved the right to deny coverage and the cost of defense if the loss resulted from one of the insurance policy’s exclusions, including a “fraud” exclusion. The “fraud” exclusion flag had been raised because Tillage alleged in its complaint that an employee of SS&C had participated in the spoofing scheme. After the case was settled without an admissions, AIG denied coverage.
SS&C sued AIG for breach of contract and breach of the implied covenant of good faith hand fair dealing (a/k/a “bad faith”). The court denied AIG’s motion to dismiss. AIG’s chief argument was that it could deny coverage when fraud is involved, whether or not the insured committed the fraud. The court rejected that argument. Moving on the lack of good faith count, the court used the policy’s language and AIG’s reservation of rights letter against it. It was clear that AIG could only deny coverage if there was an adjudication that an employee had been involved in the fraud. Since the case was settled without admissions, AIG could tie a SS&C employee to the Tillage loss. So denying coverage could be considered bad faith.
WHY YOU SHOULD KNOW THIS. The court was able to interpret the policy exclusions in favor of the policy holder. That makes sense. SS&C had a reasonable expectation of coverage a fraud was committed by a third party. The bottom line is that an insurance policy is a contract. It should be interpreted like any other contract. Insurance companies who contort policy language to deny coverage can find themselves defending a bad faith claim.