Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Plaintiff wins $148,000 in data breach suit

    Courts

    On November 3, the U.S. District Court for the District of Minnesota granted a plaintiff technical consulting and software development company’s motion for summary judgment in a data breach suit. According to the order, an unknown bad actor gained unauthorized access to the email account of a plaintiff’s employee and created multiple “rules” that interfered with the proper receipt of incoming emails. The bad actor sent emails to and from the account, at times impersonating the employee and at times impersonating clients. The plaintiff issued two invoices to a particular client while these rules were in place: one invoice was for $137,000 for the plaintiff’s services, and the other invoice was for an additional $39,962. The bad actor emailed the client, posing as the employee, and wrote that it had “recently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.” The bad actor requested confirmation as to when the client would pay the first invoice “so we can forward our new bank account details.” The client sent the payment to an account controlled by the bad actor. After discovering the bad actor’s conduct, the plaintiff recovered some of that money with the help of the U.S. Secret Service but sought insurance coverage for nearly $148,000, court records show. The defendant had insured the plaintiff under a technology professional liability (TPL) policy that incorporated a Data Breach Coverage Form, which included a “Cyber Business Interruption and Extra Expense” clause. The plaintiff submitted a claim to the defendant seeking coverage under the policy for the money lost to the bad actor. The defendant denied the plaintiff’s claim for coverage. The plaintiff sued, alleging that the defendant’s denial of coverage breached the TPL policy. The court found that using “‘impairment’ rather than ‘interruption’ in the Clause itself demonstrates that the TPL policy specifically grants coverage when a business suffers something less than a total suspension of operations.” The court further noted that the policy covers the loss, granted summary judgment to the plaintiff on its claim that the defendant breached the policy by denying coverage, and awarded the plaintiff nearly $148,000 in damages.

    Courts Privacy, Cyber Risk & Data Security Data Breach Cyber Insurance

  • FFIEC joint statement addresses role of cyber insurance in risk management programs

    Federal Issues

    On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-attacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision, (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of a financial institution’s annual insurance review and budgeting process.

    Federal Issues FFIEC Privacy/Cyber Risk & Data Security Cyber Insurance Risk Management

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cybersecurity and Insurance

    Privacy, Cyber Risk & Data Security

    On September 10, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the Center for Strategic and International Studies Strategic Technologies Program in Washington, D.C. After summarizing threats posed to U.S. companies and strategic interests, citing to notable recent cyberattacks, Raskin laid out the roles governments, the insurance industry, and state insurance regulators can take in responding to cyberattacks.

    Raskin noted that governments can facilitate information-sharing related to cyber threats and deter incidents through law enforcement and diplomatic engagement as well as by imposing financial sanctions on wrongdoers overseas. The insurance sector can gauge the risks and costs posed by cyber incidents and provide an important risk mitigation tool by allowing policyholders to transfer some financial exposure associated with cyber events. The insurance qualification and underwriting process also encourages businesses to engage in increased cybersecurity and risk-mitigation activities. Finally, state insurance regulators can assist response by setting standards for cybersecurity and the protection of the sensitive information of policyholders at the entities that they regulate.

    Department of Treasury Cyber Insurance Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

    Privacy, Cyber Risk & Data Security

    On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed.  Raskin also emphasized the need to appropriately tailor cyber risk insurance.

    Privacy/Cyber Risk & Data Security Department of Treasury Cyber Insurance

  • Treasury Official Urges Banks to Consider Cyber Insurance, Assess Cybersecurity Readiness

    Privacy, Cyber Risk & Data Security

    On December 3, Deputy Secretary Raskin delivered remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference. During her prepared remarks, Raskin noted recent data security breaches across many business sectors, including financial services, and presented ten questions for bank CEOs to consider when assessing their institutions’ cybersecurity readiness. Notably, Raskin urged the bank executives to consider relatively new cyber risk insurance for the financial recovery it provides because the underwriting processes could enhance other cybersecurity controls and provide helpful information for assessing a bank’s risk level. Currently, over 50 insurance carriers offer some form of cyber insurance coverage. Raskin’s remarks come only weeks after Congressional leaders sent a letter to financial institutions requesting that they provide information about their ability to protect consumers and safeguard personal information in the event of a data breach or cyber-attack.

    Department of Treasury Risk Management Cyber Insurance Privacy/Cyber Risk & Data Security

Upcoming Events