Saturday, February 22, 2025

Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska


An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.

Background

Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter tricked AFC into wiring $1.9 million into a fraudulent bank account via email. AFC’s CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, with which AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.

This email was actually sent by a black hat hacker purporting to be Kuukpik’s CFO. Kuukpik and AFC provided cash payments to one another frequently through an intercompany account shared by the two.

The spoofed email contained a similar email address to that of Kuukpik’s CFO, and the hacker later sent instructions via email to AFC’s CFO to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.

Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”

The Coverage Lawsuit

AFC filed suit in Alaska, where AFC is incorporated and has its principal office. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.

AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states that claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.

AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.

Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.

Takeaways

The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.

Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually via endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.

The cyber exclusion endorsement in AFC’s policy was broad: it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of non-public personal or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of non-public personal or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.

Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages, like cyber policies, to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.

The global cost of a data breach in the US has now reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given these staggering costs, negotiating robust liability coverages with an eye toward cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.

Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.

Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.
