Everyone has received a fraudulent or phishing email in which the sender attempts to obtain sensitive information or payments from an unsuspecting recipient. For this reason, many businesses now have cyber insurance, which protects the business from the repercussions of such phishing emails. As with many insurance policies, what is covered under such policies is not always clear, but a recent court decision from the United States District Court for the District of Minnesota provided some clarity.[1]

In that case, the email account of the policyholder’s accountant was hacked and used to send fraudulent invoices to the policyholder’s customers. Unfortunately, one customer sent $148,000 to the hackers. The policyholder sought coverage for the loss under its Technology Professional Liability policy, which included a cyber coverage provision. The insurance company denied coverage, which led to a lawsuit.

The policy provided coverage for “loss of business income” incurred by the policyholder as the direct result of a data breach that results in an actual impairment or denial of service of “business operations.” The insurance company argued that there was no loss of income and that the hacking of the accountant’s email address did not impair the policyholder’s business operations. In addition, the insurance company argued that the policyholder sought coverage for money that had already been earned rather than for money that would have been earned had the hacking not occurred.

The Court disagreed with the insurance company’s arguments and held that the term “impairment” afforded the policyholder broader coverage than typical provisions which only cover a complete suspension of business operations. The Court explained that the policyholder’s business operations were impaired because it was unable to receive payment from its customers for the work it had already performed, and the accountant was unable to use his email account. Furthermore, the policyholder was prevented from earning money for which it had already performed work.

This decision underscores the importance of the specific language in insurance policies as it relates to coverage for cybercrime, phishing, and similar losses. Some policies include specific cybercrime or social engineering provisions, while others include language similar to that of the case discussed here. If your company is the victim of a cybercrime, you should immediately notify all insurance companies.

[1] Fishbowl Sols. v. The Hanover Ins. Co.