Cyber insurance policies are difficult to understand but must fit the individual nature of the individual insured’s business. Adding another layer of complexity, cyber risks continue to evolve with the methods and desired end-states of the bad actors. As result, this novel insurance market often results in the insured parties unable to collect on their insurance benefits.
In October 2023, two Louisiana car dealerships, namely Benoit Ford and Benoit Nissan, suffered extensive business losses after bad actors used fraudulent and stolen identities online to steal cars. Benoit’s virtual buying process allowed a prospective buyer to purchase a vehicle online by submitting a credit application to suggested lenders. If the loan application was approved, the buyer and Benoit then completed the registration, title, and paperwork electronically, after which the lender would tender the purchase price to Benoit. Benoit then assigned the credit agreement to the lender, and the buyer would then arrange the transportation of the car from the respective dealership.
According to In Benoit Ford LLC v. Lexington Ins. Co., 2023 WL 6450545 (W.D. La. 2023), 5 cars were shipped to locations across the country after stolen and fake identities were used to complete the credit applications through Benoit’s virtual buying process. When lenders realized that the cars were stolen, it required Benoit to pay the notes in full.
Benoit had cyber insurance coverage for funds transfer fraud and certain coverage for losses suffered by third parties. However, the insurance company refused to pay the loans on the stolen vehicles as the cyber-crime did not fit Benoit’s categories coverage. And, unfortunately, the Western District of Louisiana sided with the insurance company, dismissing Benoit’s lawsuit. According to the District Court, the funds transfer fraud was committed against the lenders, not Benoit and the third-party coverage did not address the type of losses sustained.
Famously stated by former President Theodore Roosevelt, “Complaining about a problem without posing a solution is called whining.” And everyone hates whiney people.
The take-away from Benoit is to ensure that the types of covered losses match the perils facing the individual business. Benoit needed globo coverage for third-party losses that included obligations on contracts triggered by online fraud (not just funds transfer fraud). The only reliable categorical rule for purchasing cyber insurance coverage, aside from tailoring it to the individual business needs, is to always procure “Betterment” coverage.
Betterment coverage is often the most expensive but important category of coverage for businesses. Betterment coverage generally means that the insurance company will pay the expenses required to improve the cybersecurity and information technology infrastructure of the business following a cyber-attack or exploitation. Often, although not always, cyber-attacks highlight rooms for significant improvement for a business’s cyber practices and security equipment.
For example, Entity A suffers a cyber-attack. During the response, cyber incident response teams strongly recommended that Entity A update its firewall equipment (which is very costly), purchase new servers, incorporate security logging and storage, and improve endpoint detection software. However, Entity A only has Restoration coverage and not Betterment coverage. Therefore, the insurer only pays the depreciated value of the current assets if they are damaged. The insurer does NOT pay for enhanced or improved cybersecurity solutions to prevent future attacks. Suffering one cyber-attack and making an insurance claim also causes Entity A’s cyber insurance premiums to rise the following year.
Therefore, and because necessary cybersecurity enhancements are very expensive and not covered by insurance, Entity A merely employs the same outdated cybersecurity software and equipment. Entity A is then immediately reinfected as its previous defenses already proved insufficient. Entity A again suffers another set business interruption expenses, loss of goodwill, economic losses, and subsequently, reports another claim to its insurer and pays another deductible to repeat the same costly, ineffective process. Oh, and wait…because Entity A suffered a second cyber-attack, it eventually becomes uninsurable.
Alternatively, had Entity A been offered and purchased Betterment coverage, enhancements to prevent future attacks would be covered benefits, likely preventing a second cyber-attack and maintaining Entity A's insurability.
Comentários