Insurer: computer and electronic crime rider doesn’t cover bank’s $2M+ cyberattack losses

Following two separate cyberattacks in eight months, The National Bank of Blacksburg is suing its insurance provider, which has determined that the bank’s computer and electronic crime rider does not apply.

In May 2016 and January 2017, the Virginia-based bank fell victim to phishing attacks which allowed hackers – according to forensics companies hired by the bank, likely the same Russia-based group in both cases – to steal a total of over $2.4 million.

By compromising workstations with access to specific systems and software (notably the STAR interbank network), the hackers were able to bypass protections against fraud and theft in order to transfer cash to specific accounts, from which it was withdrawn via hundreds of ATMs across North America.

According to the National Bank’s lawsuit, it attempted to recover the losses via the insurance policy it had with Everest National Insurance Company. This policy provided two types of coverage against cybercrime losses: a computer and electronic crime rider, and a debit card rider which covered losses resulting directly from the use of lost, stolen, altered or counterfeit debit cards. The former had a single loss limit liability of $8 million with a $125,000 deductible; the latter had a single loss limit liability of $50,000 with a $25,000 deductible and an aggregate limit of $250,000.

The lawsuit states that the computer and electronic crime rider contained two exclusions which Everest determined meant that neither breach could be covered by it. These exclusions ruled out coverage for losses involving the use of cards or “automated mechanical devices which, on behalf of the Insured, disburse Money”. Everest also determined that the two breaches should be considered a single event, likely because of the conclusion that the same group was responsible and had used very similar methods in both cases.

As a result, the maximum payout Everest was willing to make was $50,000.

However, in Everest’s response and defense, it “denies that National bank [sic] has accurately or fully explained the basis the for [sic] Everest’s coverage decision”, and further “denies that Everest has breached its contract with National Bank, denies that it acted in bad faith, and denies that National Bank is entitled to any damages from Everest”.

Warren Buffett of Berkshire Hathaway commented earlier this year that one of the factors complicating cyberinsurance is the interpretation of policies. This lawsuit certainly seems to support his case.

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
