An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an e-mail spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc. v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a familiar story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter tricked AFC into wiring $1.9 million into a fraudulent bank account via e-mail. AFC’s CFO received an e-mail that appeared to have been sent by the CFO of another company, Kuukpik, with which AFC worked closely. The spoofed e-mail asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.
This e-mail was actually sent by a black hat hacker pretending to be Kuukpik’s CFO. Kuukpik and AFC provided cash payments to one another regularly through an intercompany account shared by the two.
The spoofed e-mail contained the same e-mail address as that of Kuukpik’s CFO, and the hacker later sent instructions via e-mail to AFC’s CFO to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed e-mail. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal place of business. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent e-mail scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. As a result, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually by endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC’s policy was broad: it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of non-public personal or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the security, use, collection, disclosure of, access to, or storage of non-public personal or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful analysis and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, may not be sufficient. D&O policies should be reviewed alongside other complementary coverages, like cyber policies, to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global cost of a data breach in the US has now reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given these staggering costs, negotiating robust liability coverages with an eye toward cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can differ depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.