In December, BitPay, one of the leading Bitcoin payment processors, was the victim of a social engineering attack.
A hacker successfully spearphished the CFO's email account credentials. The criminal was then able to spoof emails to the CEO and managed to transfer 5,000 bitcoins, worth $1,850,000, before the company realized what had happened.
The company assumed that its insurer, with whom it held a cyber policy carrying a $1 million limit, would certainly cover much of that loss. (It should be noted that some reports describe it as a crime policy.) They were mistaken.
The matter is in litigation, and while we have no specific insight as to how the court will rule, what the complaint illustrates is the gap between what insureds expect from their cyber policies and how insurance companies interpret their offering when it comes to protection from social engineering hacks. Those familiar with cyber policies will not be surprised that many policies specifically exclude social engineering attacks.
BitPay’s insurer, Massachusetts Bay Insurance, responded to the company’s complaint, stating that,
“The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place.” [emphasis added]
The insurer contends that because the criminal never gained access to the company's computer system, it was within its rights to deny the claim. BitPay is suing, alleging breach of contract and bad-faith failure to pay.
While FinTech clients are quite technologically savvy, they may not recognize that social engineering attacks are treated as quite distinct from direct attacks on a computer system – at least that is the contention of certain insurers.
Buyers of cyber policies need to address the question of how their specific coverage will treat social engineering. Spearphishing is as much a threat as direct computer hacking, and that risk needs to be addressed explicitly. Holders of cyber policies need to investigate social engineering coverage gaps well in advance of any potential claim.