As e-commerce and the use of the Internet for commercial transactions have grown, so too has the sale of so-called “cyber-insurance.” This insurance product began to develop in the 1990s as companies increasingly recognized that failure to engage in commercial Internet transactions put them at an enormous competitive disadvantage, both with respect to the ability to service consumers and clients and in the ability to collect data regarding consumer interests and needs. Well-established “hard” companies like Borders Books and others fatally failed to keep pace with their competitors’ electronic presence and transactions. Clearly, there is now a critical dependence on e-commerce.
Dependence on e-commerce, however, comes with risks. The Internet was designed, to the extent it was designed at all, as a method of transmitting data across multiple networks. Using such a system necessarily requires that a company grant others, over whom it has no control, access to at least some aspects of the company’s transmitted data. And participation in the system necessarily requires that others, over whom one has no control, input data, at least for a time, into at least part of a system upon which one depends. Using e-commerce therefore subjects a company to the risk that others will take control over its ability to communicate and to engage in transactions with its consumers and clients. Hence the need for insurance designed to address the risk associated with e-commerce.
Not surprisingly, as more and more companies are subjected to and become aware of the risk of being a part of interconnected electronic networks, more and more insurers are offering to cover that risk in exchange for a premium. Unfortunately, many of these insurers, whether intentionally or not, appear to be structuring their products in a manner that does not reflect the nature of e-commerce and its risks. If cyber-insurance is to play a role in protecting companies against these risks, then it is incumbent on policyholders, insurers and ultimately the courts to understand the nature of cyber-risk and to structure their decisions and opinions regarding cyber-insurance in a manner that gives effect to the reasonable expectations of all involved.
The recent Universal American v. National Union Fire Insurance decision is a case in point. There, Universal American bought an insurance policy presumably to cover its e-commerce risks. Universal American is a health insurance company. It makes payments to medical providers who provide goods and services to patients insured by Universal. The providers are contractually authorized to access Universal’s computer system in order to submit a request for payment. In connection with this underlying business model, the insurance policy provided coverage for:
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System…provided that the entry or change causes
(a) Property to be transferred, paid or delivered,
(b) an account of the Insured, or of its customer, to be added, deleted, debited or credited, or
(c) an unauthorized account or a fictitious account to be debited or credited.1
On a purely literal reading of these terms, the policy should cover loss resulting from a “fraudulent…entry of Electronic Data…provided that the entry…causes…[p]roperty to be transferred, paid or delivered [or] an unauthorized account or a fictitious account to be debited or credited.” In 2008, Universal lost more than $18 million as a result of perpetrators’ fraudulently entering data into its computer system. This was accomplished in several different ways.
Most of these claims were submitted, by providers, directly into Universal’s computer system and processed through the system. In some cases, the perpetrators enrolled new members in the MA-PFFS plan with the person’s cooperation, in return for which the member received a kickback from the provider. In some cases, the provider used the member’s personal information without that person’s knowledge. In either event, the provider itself did not enroll in the plan. Instead, they were able to submit claims after obtaining a National Provider Identifier (NPI) from CMS. In some cases, the NPI was obtained for a fictitious provider, in other cases it was fraudulently taken from a legitimate provider.2
Upon discovery of these losses, Universal then submitted the claim to National Union. The claim was denied. National Union argued that the intent of the policy was “to provide coverage against computer hackers, i.e., situations in which an unauthorized user accessed the system and caused money to be paid out.”3 The trial court agreed, reasoning that the term “fraudulent entry” of data as used in the policy did not encompass fraud committed by those who were authorized to access the computer system for non-fraudulent reasons. The appellate division recently affirmed.4
National Union’s interpretation of its obligations, although so far upheld by the courts, derives from a misunderstanding of “cyber-risks” and undermines the purpose for which companies purchase cyber-insurance. There are at least two things wrong with the courts’ and National Union’s positions that, if they continue to be accepted, would severely restrict the usefulness of cyber-insurance policies. First, the cause of Universal’s loss, at least in part, appears to have been squarely within the sort of e-commerce risk that policyholders should expect to be covered by cyber-insurance. The loss was, at least in part, the result of persons gaining access to Universal’s computer system and causing the system to transfer funds from Universal to other accounts. Second, those who accessed the system, although nominally authorized, did so under false pretenses. Further, they appear to have gained access to the system using the very sort of hacking techniques often used to gain illegitimate access to a company’s system for profit. Universal’s system, in other words, was the victim of a computer hacking, notwithstanding the courts’ and National Union’s contention to the contrary. The hack, at least so far as we can tell from the opinions, involved social engineering techniques rather than malicious code, but the system was hacked nonetheless, and hence the resulting loss should have been covered by a policy providing cyber-insurance.
As the court noted, access was gained to Universal’s system by the providers “submit[ting] claims after obtaining a National Provider Identifier (NPI) from CMS. In some cases, the NPI was obtained for a fictitious provider, in other cases it was fraudulently taken from a legitimate provider.” Nothing in National Union’s policy excludes coverage for such social engineering hacks; nor should it. Social engineering is one of the more significant risks facing companies engaged in e-commerce, and they undoubtedly purchase cyber-insurance policies expecting protection from such events. Indeed, it was apparently a social engineering tactic, a “phishing” email, that led to the recent, widely publicized inability of subscribers to access The New York Times webpage. Especially given the language of the National Union policy, and the absence of any exclusion of coverage for social engineering hacks, a reasonable insured would have expected coverage for a loss such as Universal’s.
Part of the problem may be National Union’s exploitation of a misconception of what is involved in a typical hacking incident. As one commentator has put it: “While the public pictures hacking as glamorous or mysterious, the reality is that hacking doesn’t look like it does in the movies. Attackers will occasionally leverage a zero-day exploit—an attack that exploits a previously unknown vulnerability. But most attacks are much less sexy. They leverage social engineering, misconfigurations, trust relationships between systems and a general lack of security monitoring.”5 In short, while the popular version of a successful hack involves a software genius exploiting vulnerabilities in lines of code from a faraway basement location, the reality is much different, with many hacks involving ordinary social engineering tactics—better known as “fraud.” This is by no means to denigrate the coding skills of hackers employing social engineering: a successful social engineering attack can require exceptional knowledge of code and electronic systems. But not always. “Once a foothold has been gained through social engineering or a compromised server, attackers exploit critical business applications…by utilizing the same methods that legitimate users and admins use to access the systems.”6
A typical social engineering hack involves the hacker, or a co-conspirator, fooling a legitimate user of a system into providing the hacker with the user’s credentials or with the ability to obtain legitimate user credentials. In either event, the goal is for the hacker to be able to enter data and otherwise use the system as a legitimate user would. This is no minor risk. The 2013 Verizon Investigation of Data Breaches, for example, reported that 29 percent of data breaches involved social engineering techniques. Those techniques are apparently at least in part what enabled the perpetrators to transfer funds from Universal to their accounts. E-commerce risks are by no means limited to the infiltration of a computer system by malicious code. E-commerce risks include the infiltration of a system through social engineering—pretending to be someone else, an information technology administrator, for example, or a service provider; or by exploiting seemingly authorized access to cause the system to perform fraudulent transfers of money. By contending that such hacks are outside the scope of its policy, National Union in effect eliminated one of the critical coverages that an insured would reasonably have expected when it paid the premium. Computer security, experts report, is not merely a matter of managing computer code or protecting a system against the risks of malicious code. Also important is managing legitimate users’ use of the computer system and preventing the system from being tricked into providing others with credentials legitimizing the use of the system. Those risks, as well as the risks of malicious code, should be covered by cyber-insurance.
Lon A. Berk and Robert J. Morrow are partners at Hunton & Williams in New York, where they are members of the insurance counseling and recovery practice. Mr. Berk also practices in the Virginia office.
1. Universal American v. National Union Fire Insurance of Pittsburgh, Pa., Index No. 6501613/2010 (Jan. 7, 2013) Slip Op. at 2.
2. Slip Op. at 2.
3. Slip Op. at 3.
4. Index 650613/10 (Oct. 1, 2013). Even if the policy term “fraudulent entry” of data could be understood as limited to unauthorized entries of data, fraudulent entry of data could also reasonably be understood to include the entry of fraudulent data by authorized users. At a minimum, the court should have followed the fundamental insurance law principle that when policy language has more than one reasonable meaning, the interpretation providing coverage for the insured prevails.
5. John Sawyer, “How Attackers Target and Exploit Critical Business Applications,” InformationWeek Dark Reading Reports, at 6 (July 2013).