August 14, 2022

Volume XII, Number 226

Advertisement
Advertisement

August 12, 2022

Subscribe to Latest Legal News and Analysis

August 11, 2022

Subscribe to Latest Legal News and Analysis

Don’t Put All Your Eggs in the Silent-Cyber Basket

The Eastern District of Pennsylvania recently gave another reminder why cyber insurance should be part of any comprehensive insurance portfolio.  In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded over $1 million.

Construction Financial Administrative Services, which goes by CFAS, disburses funds to contractors.  One of its clients, SWF Constructors, was hacked, and a bad actor posing as the client asked CFAS to distribute $600,000 to a sham third party.  John Follmer, an executive at CFAS and the only person authorized to approve distribution of funds, approved it.  The next day, the bad actor, again posing as the client, asked Follmer to transfer an additional $700,000.  Follmer approved that distribution too.

Although Follmer approved both distributions, he did not follow the proper protocol for doing so.  The third party was not listed in the approved budget; CFAS never received a copy of an agreement between the client and the third party; CFAS never received a disbursement voucher for the payment; CFAS never received a waiver from the client; and CFAS never received the additional information it needed to account for the disbursement.  Even so, Follmer approved the payment.

After the fraud was discovered, CFAS tried to recover the funds it had been tricked into giving up, but it was too late.  It recovered only $120,000 of the $1,300,000 it lost. 

CFAS filed a claim under its errors and omissions policy—presumably because it did not have separate cyber coverage.  Some non-cyber policies include “silent cyber coverage,” which is coverage not primarily intended to cover cyber losses, but which nonetheless applies to cyber-related losses based on broadly worded insuring agreements.  Federal, CFAS’s insurer, attempted to exclude that sort of silent cyber coverage by including an unauthorized access exclusion in its policy.  That exclusion bars claims “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to, use of or alteration of, any computer program, software, computer, computer system.”

CFAS, in an apparent attempt to avoid that exclusion, did not make a claim for silent cyber coverage; in fact, it did not attempt to claim losses based on the bad actor’s actions at all.  Instead, CFAS claimed that its losses were covered because Follmer had acted negligently by making the disbursements without collecting all of the necessary information.  Although creative, that argument ultimately failed.

The court ruled that CFAS could not escape the broad language of the exclusion—eliminating coverage for all losses “in consequence of any . . . unauthorized access to  . . . computers”—by rebranding the loss as arising from negligence.  Under the law of North Carolina, which controlled, so long as the loss “follows as an effect of” the bad actor’s unauthorized access, it was “in consequence of” the unauthorized access and was therefore excluded.

Construction Financial Administration Services serves as a reminder to policyholders to ensure that proper, comprehensive insurance coverage is in place to cover all reasonably anticipated risks of loss.  In today’s technology-dependent society, that must include robust cyber protection.  Although some policies have traditionally provided “silent cyber coverage,” new, broad exclusions are being introduced to curtail such coverage, making it all the more important for businesses to ensure that their insurance portfolio specifically targets cyber risks.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XII, Number 186
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

William P. Sowers Jr. Associate Hunton Andrews Kurth
Associate

Will represents clients in complex commercial litigation and appeals, with a focus on insurance coverage litigation.

As an associate on the insurance coverage team, Will represents commercial policyholders in all types of insurance matters from property to errors and omissions to reinsurance. Will specializes in briefing complex topics at both the trial and appellate level, and he has led the drafting in case-dispositive motions and briefs, including in the Eleventh and Ninth Circuit Courts of Appeals.

Prior to...

804-344-7974
Michael S. Levine Insurance Lawyer Hunton Andrews Kurth
Partner

Mike has more than 20 years of experience litigating insurance disputes and advising clients on insurance coverage matters.

Mike Levine is a partner in the firm’s Washington, DC office and a member of the firm’s Insurance Recovery team. Mike’s policyholder representation focuses on:

  • Property damage and business interruption claims, including COVID-19 losses
  • Event cancellation insurance counseling
  • Representations and warranties coverage
  • ...
202 955 1857
Advertisement
Advertisement
Advertisement