Coverage Disputes Over Online Attacks Grow

A federal court has ruled that an insurer’s professional liability policy must pay out $6 million for a company’s losses from a business e-mail compromise scam, even though the business lacked cyber coverage.

The ruling is part of a growing trend of businesses that haven’t purchased cyber insurance seeking coverage for cyber-related losses from other policies they do have, such as business liability, professional liability, and directors & officers (D&O) coverage.

Seeking coverage for cyber losses and e-mail compromise scams under policies other than cyber policies is not often successful, and whether the insurer will pay out can depend on the nature of the loss.

In this latest case, however, a judge in the U.S. District Court in the Southern District of New York ruled that American International Group must cover $5.9 million that a company had been duped out of by Chinese hackers in 2016.

AIG had disputed the claim saying that the professional liability policy the business had does not cover “criminal acts,” adding that it had never sold the company a cyber policy.

These disputes are becoming more common and you should pay attention to your policy exclusions, as well as consider cyber insurance, if you have assets that could be exposed through a cyber attack or fraud.

 

How was the business scammed?

SS&C Technologies received spoof e-mails that purported to come from one of the company’s clients, Tillage Commodities Fund, a commodities investment firm. The e-mails instructed the company to make six wire transfers to a bank account in Hong Kong.

The scammers masqueraded as Tillage employees with e-mail addresses that spelled “Tillage” as “Tilllage.”

But according to court documents, there were telltale warning signs that the e-mails were fishy:

  • One e-mail asking SS&C to wire $3 million contained only the words “How was your weekend?” and then the wire transfer details.
  • E-mails included grammatical errors and unusual syntax like “Let’s round up business today.”

 

Based on the above, staff at SS&C were not too diligent in looking out for possible business e-mail compromise scams involving a third party hacker posing as someone else (a client, a vendor or even a manager or president of the targeted company) via e-mail and requesting a wire transfer into a bank account.

This type of scam, which cost organizations $300 million every month in 2018, according to the U.S. Department of Treasury, is covered by a standard cyber insurance policy.

SS&C did not have a cyber policy, so it sought coverage under its professional liability policy for the losses it sustained when transferring those funds. AIG did pay for SS&C’s legal defense costs after Tillage Commodities sued, but refused to cover the $5.9 million in stolen funds.

According to court documents, AIG’s policy included a clause that it would not provide indemnity coverage for losses arising from “dishonest, fraudulent or criminal acts.”

 

What this means for your firm

While this case worked out for the insured party, businesses should not rely on their non-cyber insurance policies to continue paying claims. As costs for cyber attacks like ransomware, malware, stolen data and business e-mail compromise scams grow, insurers are increasingly including clauses that explicitly exclude coverage for those risks.

If you have any important company assets in digital form and/or make or receive payments online, it would be wise to secure a cyber insurance policy.

If you don’t, you can try to seek coverage under other policies. That may be difficult to obtain, but it is not impossible.

For example, if your company has D&O liability insurance and/or crime insurance, it may be able to seek coverage for any ransomware events since those policies will typically include coverage for kidnapping and ransom.

Some insurers are now providing – either deliberately or unintentionally – kidnapping and ransom coverage that applies to ransoms paid in response to cyber extortion. Among the events that these policies may consider cyber extortion are:

  • Threats to poison a computer system with malware.
  • Threats to change, damage or destroy programs or data stored on a system if the owner does not pay a ransom.

 

That said, many insurers who provide this coverage likely did not anticipate covering ransomware losses and have started changing their D&O and crime policies to specifically exclude ransomware.

Other insurers have added deductibles to the coverage, mirroring the terms of cyber policies, while others have capped the amount of business interruption coverage they will provide for cyber-extortion losses.

Why Directors and Officers Coverage is Essential for all Nonprofit Organizations

Being a volunteer on a board of directors is not as easy as it once was. While the position used to be one people chose to make a difference, it has become one that could very well hurt a person’s finances and livelihood today. From negligence to wrongful acts, there are several different allegations these individuals often face. This also places others they work with in compromised positions, so directors and officers liability coverage is essential. There are many reasons a claim on this type of policy would be made, but there are a few that are especially common.

Fundraising And Grants

Most nonprofit organizations rely on grants for their funding. People often voice concerns about how the money is being used, and this may result in lawsuits. Organizations should always consider the requirements associated with any grant before applying for it. Any promises made should be reasonable and attainable. If an organization is targeted for mismanaging funds, it could be targeted through legal action, adverse publicity or loss of grant funds.

Financial Oversight Or Fraud

In recent years, the media has been focusing more on nonprofit fraud incidents than for-profit fraud incidents. Some large organizations have failed to provide proper oversight of funding control, which means the money is vulnerable to abuse. Lack of oversight is a breach of fiduciary duty. In addition to grant recipients facing lawsuits, foundations that make the grants may also be targeted in some cases.

Employment Practices

Directors and officers policies for nonprofit organizations usually include coverage for employment-related claims. Employment practice liability claims rank highest as the cause of directors and officers claims toward nonprofit organizations. They also make up a significant amount of the overall liability issues these individuals face. Researchers found that there were nearly 10,000 discrimination charges filed in 2010 against nonprofit and for-profit organizations. This figure includes both actual and alleged acts of retaliation, harassment, discrimination and wrongful termination. Employment-related lawsuits have increased since the Civil Rights Act passed, which gave people the right to punitive damages and jury trials for emotional stress and anguish.

While employment practice liability coverage is included in most nonprofit directors and officers policies, it should be supplemented with other forms of coverage. There should be risk management strategies implemented to keep future claims from happening. This should start at the level of the board of directors, and they should be the ones to question the executive director as well as other officials about policies. They should always know whether there is uniformity throughout the organization and if the policies are being carried out properly. The board should have a system set to accurately analyze the effectiveness of the policies.

Liability risks faced by nonprofit boards are serious issues to consider, and they are issues that continue changing as time passes. In the past, charities were seen as innately good, so there were rarely lawsuits brought against them. However, accountability, higher transparency and the growth of a litigious society took their toll on board members. To keep an organization healthy today, every nonprofit should have a good directors and officers policy in place. Directors and officers coverage was expensive in the past, but insurance is much more affordable today. It is not a product that is uniform for every policyholder. Protection varies based on exclusions and limitations. If your organization would like to discuss your options, call ACBI at 203-259-7580.

Director’s and Officer’s Insurance Coverage – The Basics

Lawsuits against corporate officers and those who serve on the boards of corporations – both for profit and tax-exempt – are rising sharply. According to a 2011 study by Towers Watson, nearly 7 out of 10 publicly traded companies had a shareholder suit against the Board of Directors in the last ten years. Private companies weren’t exempt either: More than one privately-held corporation in five reported a lawsuit against the board over the last 10 years.

These lawsuits can come from any direction: From shareholders themselves, from executives or former executives, from disgruntled middle managers and employees, both current and former, and from public interest groups.

Anyone who serves on the Board of Directors is a possible target for a variety of lawsuits and complaints about their conduct – particularly if the public or if plaintiff’s attorneys perceive them to have “deep pockets.”

This can lead to devastating consequences for board members and directors who are unprepared: While corporations typically protect stockholders against personal liability arising from claims against the corporation, board members can be and are held personally liable for the consequences of their behavior as directors, both intended and unintended. Examples of common claims against directors include, but are not limited to:

 

  • Violations of fiduciary duty to stockholders
  • Failure to provide services
  • Failure to disclose conflicts of interest
  • Discrimination claims
  • Mismanagement of company or organization assets

… and much more.

Even where claims are unfounded, directors often find the costs of mounting a defense to be a significant burden on their personal finances, running to hundreds of thousands of dollars in some cases. On average, these lawsuits cost defendants over $308,000 each.[1] Most board members don’t even know where to find the best attorneys for their own defense.

History of Directors and Officers Insurance

D&O insurance was first sold by Lloyd’s in the 1960s, though it didn’t become popular until the 1980s, when plaintiff’s lawyers made a cottage industry of targeting board members involved in a slew of mergers and acquisitions that had been occurring over the previous decade.

Basic Structures

Today, there are three basic kinds of D&O coverage on the market. The variety you want depends on the structure of your organization, your role in it, and the management and other liability coverages already in place.

  • Side A. This kind of policy covers directors and officers who are not indemnified by the corporation. Essentially, this is individual coverage.
  • Side B. This coverage protects a corporation when it indemnifies directors and board members. Under this structure, the company agrees to take on the risk normally borne by individuals on the board, and then protects itself against that risk by purchasing Side B coverage.
  • Side C. This kind of policy covers claims brought specifically under securities laws. It would be appropriate only for publicly-traded companies and some very large privately held companies. Smaller companies may wish to purchase “entity coverage” which provides somewhat broader protections.


Individual board members can also purchase a Broad Form Side A DIC (Difference in Conditions) policy, to supplement any Side A coverage in place, and to fill the gaps in coverage already in place between Side A and B.

If you own or are on the Board of a corporation, D&O insurance is a must. Just finding the right attorney can be a daunting challenge to those who aren’t experts in director liability litigation. With D&O insurance in place, you can limit your liability and risk with just a small premium.

D&O Carriers are experienced at managing and limiting claims – frequently protecting your professional reputation at the same time.

Application

In the United States, D&O insurance is generally purchased by the corporation to protect both itself and its directors and officers, rather than as an individual purchase by the directors themselves. Corporations do this in order to ensure that they are attracting the most qualified people to serve in these crucial positions. Many top professionals in most industries would not agree to serve on a Board of Directors or as a corporate officer unless the corporation agreed to put this protection in place.

Claims-Made vs. Occurrence Provisions

One of the central provisions that differentiate policies is whether the policy will provide protection for claims made for actions or omissions that began before coverage was in place. For example, a board member commits a tort, allegedly, in 2013. In 2014 the company switches D&O coverage or initiates coverage. In 2015 the tort is discovered and someone sues the director or directors, or the officers or both. A claims-made policy provides protection if the lawsuit is filed while coverage is in place. An occurrence policy pays benefits based on when the accident or omission leading to the lawsuit took place. The kind of policy that is best for you depends on the structure and type of coverage that was in place before.

Additionally, you may want to purchase an extended reporting period, or ERP, to keep coverage in place after a policy is cancelled. This provides coverage for events that may have already taken place, but for which no lawsuit has yet been filed.

The transition from one type of carrier to another is often tricky, and some important coverage decisions need to be made. Your agent should be able to walk you through how to coordinate current and prior coverages to avoid gaps in protection.

Exclusion of Criminal Acts

D&O insurance is very closely related to errors and omissions insurance, which is often purchased by professionals such as attorneys, financial advisors, accountants and other white collar, licensed individuals. As such, it does not cover intentional criminal acts, such as embezzling or fraud. Generally, however, policies do cover other acts considered “wrongful” including misstatements or omissions made while working on behalf of the organization. Look carefully at covered acts and exclusions while shopping for policies: The best deal isn’t always the one with the lowest premiums.

To learn more about this important coverage and be sure you are adequately protected, call the experienced team of professionals at ACBI at 203-259-7580 or visit our website.

How Prepared Is Your Business For A Cyber Attack?

Only 36% of public companies purchased cyber liability insurance in 2012, and only 6% of private companies had cyber liability insurance in 2010.

Why don’t more companies purchase cyber insurance?

Chubb Insurance asked nonbuyers this question, and the #1 response—from 47% of private company respondents and 37% of public company respondents—was “low risk/no exposure.”*

FBI Director Robert Mueller might have had corporate denial in mind when he told a conference of security professionals earlier this year: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” (Source: CNNMoney)

Facts are well-known

A well-publicized Ponemon Institute study** reported that the typical data breach in 2011 resulted in:

  • 28,349 breached records.
  • Total costs of $194 per record (including notification, call centers, forensics and other direct expenses).
  • $561,495 in notification costs.
  • $5.5 million in total organizational costs.

Furthermore, 46 states have enacted legislation requiring companies to notify customers if their personal information may have been compromised.

Cyber risks—and awareness—are growing

Cyber exposures are growing, and awareness of those risks seems to be growing, as well, as indicated by the fact that purchase rates of cyber insurance are slowly rising. More companies are realizing that they may be vulnerable to potentially costly cyber exposures, including cyber liability and cyber crime expense.

The same may be true for directors and officers (D&O) liability, thanks in part to the October 2011 SEC guidance that companies must consider information security when disclosing risks to investors. As attorney Kevin LaCroix, executive vice president, RT ProExec, said in his blog, The D&O Diary (September 24, 2012), “With increasing scrutiny on companies’ cybersecurity preparedness and disclosure comes the increasing possibility that companies experiencing cybersecurity incidents-and their directors and officers-may face claims from shareholders and other constituencies that they failed to implement appropriate cybersecurity measures or made misrepresentations about their cybersecurity preparedness.”

Although most companies aren’t yet buying cyber insurance, a majority of public companies are at least taking notice, according to Chubb’s survey:

  • Public company decision makers cited cyber risk as their #1 concern from a list of exposures, with 63% expressing some level of concern.
  • 71% of the public companies have an incident response plan (IRP) for an electronic security breach.***
  • 52% of the companies are allocating more financial or human resources toward mitigating the risk of a cyber breach than they did a year ago. Only 3% are allocating fewer resources for this purpose.
  • 24% of respondents said it was likely the company would experience a cyber event sometime in the next 12 months.

ACBI can help you protect your business from this debilitating threat. We have options for public and private companies, large businesses or small, professional services and non-profits. Contact us today to find out how we can help.

The Cost Drivers of Directors & Officers Liability Insurance

Directors and Officers Liability (D&O) insurance is a fundamental component of any company’s risk management program. A lack of D&O insurance may dissuade talented individuals from seeking an executive position at your company, as they don’t want to put their personal assets at risk in the event of a lawsuit.

As a savvy business owner looking to protect your bottom line, how do you weigh the cost of insurance to protect your senior leadership against the potential risk of a lawsuit? As regulatory investigations and defense expenses increase, prices for D&O insurance have gone up as well. Corporate indemnification provides the first line of liability protection; but certain circumstances—most notably, if the company goes bankrupt—necessitate that additional protection be offered to directors and officers.

A variety of factors determine the price of a company’s D&O insurance. Some low-risk companies pay pennies on the dollar; others pay a lot more, but they understand it’s a lot less than the expenses they’d incur in a lawsuit. Recognizing the cost drivers of D&O insurance—a company’s exposures, legislation and trends in D&O lawsuits—can help you decide what coverage your company needs to mitigate its unique exposures.

Company Characteristics and Exposures

Public, private and nonprofit corporations with assets of all sizes purchase D&O Liability insurance. To determine the cost of premiums and the limits of coverage, insurers review several facets of the company’s structure and price D&O insurance accordingly. Some of these attributes include the following:

  1. Is the company mature or young and developing? Companies with less experience and a shorter history of proven effective management can be a riskier policy to underwrite than well-developed companies that have experienced directors and officers.
  2. Is the company planning on going public soon? Initial public offerings, the most common way to  the company’s performance fails to meet expectations, are significant risks for directors and officers during this process.
  3. Does your company have employees? From nonprofits to large, publicly held companies, employment-related claims are the primary cause of lawsuits against an organization’s directors and officers.
  4. Does the company operate in foreign markets? Conducting business internationally can complicate the D&O insurance needed. For example, in addition to domestic laws, European countries have their own set of regulations to follow.
  5. What is the company’s history of past litigation? Insurers will analyze a company’s history of previous lawsuits and any adverse business developments and executive management changes.
  6. What industry is the company involved in? Operating in certain industries, such as investment banking and securities, may expose their executive management to more risks than those for the board members of a small nonprofit.
  7. Is the company financially stable? Insurers consider the amount of debt a company has. Corporate indemnification usually protects directors’ and officers’ personal assets. However, if the company’s finances are unstable, they have an increased chance of becoming insolvent during a lawsuit.

Current and New Legislation

Securities and Exchange Commission (SEC) regulations continue to impact the cost of D&O insurance. Publicly held companies especially must be cognizant and keep current on SEC disclosure obligations and provisions in the Sarbanes-Oxley (SOX) Act of 2002, which was enacted in response to the corporate scandals of Enron, Tyco, WorldCom and others.

Also, recent changes to the Dodd-Frank Wall Street Reform and Consumer Protection Act have caused a spike in whistleblower reporting, bringing to light many D&O claims and increasing the need for D&O insurance. The new whistleblower provision in the Act now gives whistleblowers a “bounty,” or monetary compensation, if the lawsuit results in more than $1 million in monetary sanctions. Given this new incentive, there has already been an increase in the number of whistleblowers that have emerged since the Act added the provisions in early 2011.

Trends in D&O Lawsuits

Even after a thorough assessment of a company’s risks, D&O insurance continues to be a high-severity product, as carriers are often hit unexpectedly with catastrophic claims. It’s no surprise that as litigation increases, the price of D&O insurance increases as well. In addition, as the litigation process grows lengthier and if multiple lawsuits erupt from a single transaction, a company can quickly exhaust its primary layer of D&O coverage.

Some types of lawsuits occur less often, but result in catastrophic losses. Other types result in smaller payouts, but occur more frequently. Nonetheless, defense expenses can cost millions of dollars, even if the director or officer is not found liable. Some of the types of lawsuits that affect directors and officers include:

  • Breach of fiduciary duty lawsuits
  • Employee Retirement Income Security Act (ERISA) lawsuits
  • Employment-related lawsuits
  • Mergers and acquisitions (M&A) and “merger objection” lawsuits
  • Securities class-action lawsuits
  • Shareholder derivative suits

Within the last few years, there has been an increase in M&A lawsuits. In 2011, there were more than 350 lawsuits regarding M&A. Some M&A cases involve multiple lawsuits and a lengthy litigation process, which can deeply cut into a company’s primary D&O policy.

Know What Your Policy Covers

While many companies usually focus on the cost of their D&O policy, understanding the scope of the policy is even more critical. Most D&O policies are renewed yearly, and the terms and conditions can change. Read through your policy carefully. Be aware of the following:

  • Look at the limits of your liability. Are they enough to cover your exposures? Companies with a lot of risk exposures usually find that they need more than just the primary coverage, and purchase excess insurance as well.
  • Be aware of exclusions; most D&O policies do not cover claims that arise from fraudulent or criminal acts.
  • For some insurance carriers, Employment Practices Liability (EPL) insurance and Fiduciary Liability insurance are policies that are purchased separately from primary D&O insurance. Don’t assume they are automatically included in your D&O policy.

For more information on D&O coverage options for your company, contact Associated Community Brokers, Inc. today.