An Alaska federal court recently dismissed a construction company’s lawsuit accusing a D&O insurer of bad faith refusal to provide coverage for an e-mail spoofing scheme that resulted in nearly $2 million in fraudulent wire transfers. Alaska Frontier Constructors, Inc., v. Travelers Cas. and Sur. Co. of Am., No. 3:24-cv-00259 (D. Alaska, Nov. 11, 2024). While the case was voluntarily dismissed before the D&O insurer responded to the complaint, the policyholder’s allegations tell a well-known story and highlight several areas of dispute that companies face when navigating the fallout from cyber incidents.
Background
Alaska Frontier Constructors, Inc. (AFC) experienced a 2023 cyber incident in which an imposter tricked AFC into wiring $1.9 million into a fraudulent bank account via e-mail. AFC’s CFO received an e-mail that appeared to have been sent by the CFO of another company, Kuukpik, whom AFC worked closely with. The spoofed e-mail asked when a payment would be made for money owed to Kuukpik by Nanuq, a wholly owned subsidiary of Kuukpik that AFC worked with closely on many projects.
This e-mail was actually sent by a black hat hacker pretending to be Kuukpik’s CFO. Kuukpik and AFC provided cash payments to one another regularly through an intercompany account shared by the two.
The spoofed e-mail contained an e-mail address similar to that of Kuukpik’s CFO, and the hacker later sent instructions via e-mail to AFC’s CFO to send a wire to a bank in New Jersey. AFC’s controller initiated the automated clearing house transfer to the New Jersey bank account as instructed by the hacker, which caused Nanuq’s bank to transfer $1,915,448.32 into the fraudulent account. By the time AFC and Kuukpik realized the payment had been wired but not received by Kuukpik, the hacker and the money were gone.
Nanuq demanded that AFC compensate it for the money it lost and sent draft complaints with causes of action for negligence and negligent supervision and training. AFC sought coverage under its D&O policy for the fraudulent wire transfer that resulted from the spoofed e-mail. AFC’s D&O insurer denied AFC’s claim under a “Data and Privacy Exclusion” endorsement that barred coverage for all claims based upon or arising out of a list of cyber-related events that included “any unauthorized access to a computer system.”
The Coverage Lawsuit
AFC filed suit in Alaska, where AFC is incorporated and has its principal office. Its complaint alleged that the insurer breached the policy in refusing to defend and failing to indemnify AFC’s losses and acted in bad faith in adjusting and denying coverage for the $1.9 million in losses flowing from the fraudulent e-mail scheme.
AFC asserted that, in denying coverage under the data and privacy exclusion, the insurer ignored the Alaska Change Endorsement, which states claims cannot be denied if an excluded cause of loss is secondary to a dominant covered cause of loss in an unbroken chain of events leading to the loss. The dominant cause of loss, AFC alleged, was AFC’s failure to use reasonable care when initiating the wire transfers and not the imposter CFO’s communication of wiring instructions. Consequently, the Alaska Change Endorsement prevented the data and privacy exclusion from eliminating coverage.
AFC also contended that the insurer failed to account for the Data and Privacy Exclusion endorsement’s carveback for claims under Insuring Agreement A for non-indemnified losses of insured persons. The company asserted that this carveback applied to the company’s CFO and Controller. Having been “abandoned” by its insurer, AFC ultimately settled the case for nearly $1.7 million and then sought to recover those losses from the D&O insurer.
Before the insurer filed its answer, AFC voluntarily dismissed the lawsuit with prejudice.
Takeaways
The early dismissal likely was the result of an out-of-court confidential settlement or other negotiated resolution. Notwithstanding AFC’s voluntary dismissal, the dispute highlights several recurring coverage issues that can help or hinder the chances of recovery if a claim occurs.
Address cyber exclusions. Many D&O insurers routinely add “cyber” exclusions to D&O policies, usually by endorsement and usually covering a laundry list of underlying cyber events. The intent is to shift “cyber” risks to cyber insurance policies. But as with most insurance issues, the devil is in the details, and many times cyber exclusions are written so broadly that they can encompass D&O exposures with only attenuated connections to the enumerated cyber incidents.
The cyber exclusion endorsement in AFC’s policy was broad: it applied to “any claim based upon or arising out of,” among other things, loss or theft of, disclosure of, or unauthorized access to or use of personal private or confidential information, any unauthorized access to computer systems, any authorized access to cause intentional harm to a computer system, or any violation of law regarding the security, use, collection, disclosure of, access to, or storage of personal private or confidential information. Policyholders should carefully assess whether their D&O policy has such an exclusion. If it cannot be eliminated entirely, consider limiting its scope by, for example, narrowing the broad causation language.
Policy coordination can avoid coverage gaps. While careful review and customization of D&O policy language can help prevent unexpected denials for cyber-related losses, focusing on a single line of coverage for significant loss events, especially cybersecurity incidents, is not sufficient. D&O policies should be reviewed alongside other complementary coverages (like cyber policies) to ensure coverage grants and exclusions are working as intended and do not result in any unintended gaps.
The global cost of a data breach in the US now has reached $4.88 million on average in 2024, a double-digit percentage increase year to year and the highest total ever. Given these staggering costs, negotiating robust liability coverages with an eye towards cyber incidents is even more important because cyber policies may be quickly eroded and not available to respond to follow-on litigation, investigations, and other claims arising out of a cyber incident.
Understand governing law and its impact on coverage. The AFC dispute also showed how insurance outcomes can vary depending on governing law. Because AFC was an Alaskan company, its policy had an Alaska Change Endorsement that could intervene and preserve coverage based on dominant and secondary causes of loss. But that analysis could differ materially if a policy is governed by another state’s law or has a different state amendatory endorsement applying another rule. Policies may also have choice-of-law, choice-of-venue, and similar provisions that further impact what law governs the insurance claim and what coverage is available under a particular policy.
Evaluating these and other insurance issues in D&O and other liability policies proactively as part of regular insurance reviews can help place and renew stronger policies, maximize recovery, and prevent unexpected denials should a claim arise.
