The City of Saskatoon made national headlines in August, 2019 for reasons they would rather forget. City Administration admitted an employee had changed payment information for an existing construction partner, only to later discover the change instructions were fake. As a result, over $1 million was paid to accounts apparently controlled by a fraudster.
Within a week or two, the City had managed to identify most of the bogus accounts and had apparently retrieved or locked down the money before it was completely gone. This is good news for Saskatoon taxpayers, but an interesting sidebar to the story involves insurance.
When the wrongful payment was disclosed, City officials noted they had filed a claim with their insurer. This was an obvious step, but if the money can be retrieved otherwise, the claim will not need to proceed. What if insurance is required? In other words, could the City successfully recover the loss from its insurance company?
We don’t know the details of the City’s insurance policy, so that question cannot be answered now. Yet there are a couple of recent cases which show such insurance claims can be challenging. They are useful to demonstrate why you might want to review your own cyberinsurance to ensure it meets your needs.
A 2017 case from Alberta, Brick Warehouse LP v. Chubb Insurance Company of Canada, involved facts very close to Saskatoon’s. Brick transferred more than $330,000 to a fraudster after the fraudster called the company and pretended to be an employee of Toshiba. The company made an insurance claim, but Chubb denied it. The problem for Brick was that its own employee issued the changed banking instructions. As the court noted, there was nobody forcing the employee to issue the instructions, no threats of violence or other harm. The employee was only a pawn in the fraudster’s claim. Since the transfer was not done by a third party, the court held it was outside the insurance policy’s wording.
In another case, Dentons Canada LLP v. Trisura Guarantee Insurance Company, an associate of Dentons was misled by fraudsters and transferred $2.5 million into a Hong Kong bank account. Dentons recovered about $800,000, but the insurer refused to pay out the balance. The insurer’s view was that the transfer was not itself fraudulently caused and that no computer was used to fraudulently cause any of the transfer. Therefore, the insurer claimed the loss was outside the protective wording of the policy. An application by Dentons has been converted into a full lawsuit and is proceeding.
The denial of coverage by the insurers in each case is a warning that one should carefully review the terms of their insurance policies to confirm what is covered and what is not. Merely describing a clause as “cyberinsurance” is not enough. As the cases show, there may be a massive difference between a hacker breaking into a system and stealing data compared to a social engineering exploit where employees are convinced to do something which causes a loss. Those latter cases might be insurable, but they could require separate riders or additional insurance premiums to provide coverage.
With online fraud increasing and becoming more sophisticated, there should be constant review of insurance policies to make sure the most common, and expensive, avenues of attack are considered.