An Alaska federal court recently dismissed a construction company's lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an email spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder's allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident where an imposter tricked AFC into wiring $1.9 million into a fraudulent bank account via email. AFC's CFO received an email that appeared to have been sent by the CFO of another company, Kuukpik, with whom AFC worked closely. The spoofed email asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.
This email was actually sent by a black hat hacker pretending to be Kuukpik's CFO. Kuukpik and AFC provided cash payments to one another regularly through an intercompany account shared by the two.
The spoofed email contained an email address identical to that of Kuukpik's CFO, and the hacker later sent instructions via email to AFC's CFO to send a wire to a bank in New Jersey. AFC's controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq's bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed email. AFC's D&O insurer denied AFC's claim under a "Data and Privacy Exclusion" endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included "any unauthorized access to a computer system."
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC's losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent email scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states that claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC's failure to use reasonable care when initiating the wire transfers and not the imposter CFO's communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement's carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company's CFO and Controller. Having been "abandoned" by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC's voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add "cyber" exclusions to D&O policies, usually by way of endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift "cyber" risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC's policy was broad: it applied to "any claim based upon or arising out of," among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the security, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages, like cyber policies, to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global cost of a data breach in the US now has reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given these staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state's law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.