Friday, February 21, 2025

Navigating D&O Coverage for Cyber Fraud: Lessons from Alaska


An Alaska federal court recently dismissed a construction company's lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder's allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.

Background

Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter tricked AFC, via email, into wiring $1.9 million into a fraudulent bank account. AFC's CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, with whom AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.

This email was actually sent by a black hat hacker pretending to be Kuukpik's CFO. Kuukpik and AFC provided cash payments to one another regularly through an intercompany account shared by the two.

The spoofed email contained an identical email address to that of Kuukpik's CFO, and the hacker later sent instructions via email to AFC's CFO to send a wire to a bank in New Jersey. AFC's controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq's bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.

Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC's D&O insurer denied AFC's claim under a "Data and Privacy Exclusion" endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included "any unauthorized access to a computer system."

The Coverage Lawsuit

AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC's losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.

AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states that claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC's failure to use reasonable care when initiating the wire transfers, not the imposter CFO's communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.

AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement's carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company's CFO and Controller. Having been "abandoned" by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.

Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.

Takeaways

The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC's voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.

Address cyber exclusions. Many D&O insurers routinely add "cyber" exclusions to D&O policies, usually by endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift "cyber" risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.

The cyber exclusion endorsement in AFC's policy was broad: it applied to "any claim based upon or arising out of," among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the protection, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.

Policy coordination can avoid coverage gaps. While careful review and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages, such as cyber policies, to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.

The global cost of a data breach in the US has now reached $4.88 million on average in 2024, a double-digit percentage increase year over year and the highest total ever. Given these staggering costs, negotiating robust liability coverages with an eye toward cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.

Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can vary depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state's law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further affect what law governs the insurance claim and what coverage is available under a particular policy.

Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.
