Federal Court Adopts Expansive View of Cyber Policy Business Interruption Coverage
The United States District Court for the District of Minnesota recently ruled that funds transferred pursuant to fraudulent payment instructions are lost “business income” and thus covered under a cyber coverage form’s business interruption coverage.
The recent case arose from a “man-in-the-middle” social engineering incident. An unknown bad actor compromised the e-mail account of Fishbowl Solutions, Inc.’s (the policyholder) senior staff accountant. The bad actor diverted billing e-mails sent to the accountant and, using the accountant’s legitimate business e-mail address, sent fraudulent payment instructions to Fishbowl’s customers. Pursuant to those instructions, one of Fishbowl’s customers sent $177,000 to a fraudulent account controlled by the bad actor, rather than to Fishbowl. Fishbowl was able to recover approximately $29,000 of the transferred funds, but not the remaining $148,000.
Fishbowl sought coverage under its Technology Professional Liability policy (which included a cyber coverage form) for the $148,000 that was not recovered. Fishbowl’s insurer, Hanover, denied coverage. Fishbowl sued Hanover in federal court in Minnesota. Fishbowl and Hanover each moved for summary judgment as to whether the funds were covered under the policy’s business interruption coverage part, which provided coverage for: “loss of ‘business income’…incurred by you…directly resulting from a ‘data breach’…which results in an actual impairment or denial of service of ‘business operations’ during the ‘policy period’.”
Hanover argued, among other things, that:
(i) there was no loss of “business income” because “business operations” only refers to income-generating activities (and invoicing clients does not generate income);
(ii) the compromise to the accountant’s e-mail account did not “impair” business operations because Fishbowl continued to conduct its income-generating activities; and
(iii) Fishbowl sought coverage for money that already had been earned, rather than money that would have been earned but for the data breach.
The Court denied Hanover’s motion for summary judgment and granted Fishbowl’s motion. In doing so, the Court acknowledged that the historical purpose of business interruption insurance was to “protect the prospective earnings of the insured business only to the extent that they would have been earned if no interruption occurred”; however, the Court concluded that the policy at issue afforded broader coverage than traditional business interruption coverages because it covered “impairment” of business operations, in addition to total suspension of operations.
The Court reasoned that the data breach “impaired” Fishbowl’s business operations by preventing the accountant from communicating with Fishbowl’s customers and by preventing Fishbowl from receiving payment for work it had performed. The Court further concluded that:
(i) the policy did not explicitly restrict “business operations” to income-generating activities; and
(ii) Fishbowl was prevented from “earning” the transferred funds because it did not receive them (i.e., that Fishbowl had already performed the work entitling it to the funds was immaterial).
The Court also rejected Hanover’s argument that the loss did not “directly result” from the data breach because of intervening factors (specifically, Fishbowl’s customer’s negligence and breach of contract in sending the funds to the bad actor).
The breadth of Hanover’s business interruption coverage is not an outlier in the cyber market, as it is common for cyber policies to cover impairment to business operations, in addition to a complete interruption of those operations. The Fishbowl ruling highlights the unintended results that are possible based on the commercially friendly state of cyber wordings in the marketplace.
This said, the effects of the Fishbowl decision can be mitigated by ensuring that the definitions of “business income” and “business operations” are narrowly tailored and that each policy addresses how, if at all, it intends to cover social engineering, financial fraud, or invoice manipulation. Notably, the Hanover policy at issue in Fishbowl did not include any separate coverage for social engineering or cybercrime, nor did it expressly exclude coverage for such losses, which gave the Court the latitude to conclude that the loss fell within the business interruption coverage.
Please contact Pablo Gonzalez, Caroline Crosby or any member of the Phelps Insurance team if you have questions or need advice or guidance.