By Elise Linscott
When a hacker stole Bitpay CFO’s credentials and stole 5,000 bitcoins, equal to $1.85 million, the company expected its cyber insurance company would cover the losses. But Bitpay, a global bitcoin processing center, was in for a rude awakening.
Atlanta court documents show that in Dec. 2014, a hacker obtained the credentials of the company’s chief financial officer, then sent emails posing as the CFO to the company’s chief executive officer, requesting three bitcoin transfer transactions over the course of two days.
According to MBIC’s commercial crime insurance policy (which would have covered up to $1 million minus a $50,000 deductible), MBIC “will pay for loss of or damage to ‘money,’ ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: a. To a person (other than a ‘messenger’) outside those ‘premises’; or b. To a place outside those ‘premises,’ court documents show.
After MBIC refused to pay, Bitpay sued, claiming bad faith, failure to pay and statutory damages. But a recent court ruling sided with the insurance company.
The company alleges it doesn't owe Bitpay the nearly $1 million in claims, stating that: “The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. ‘Direct’ means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured,” website Network World reported.
Agents and their clients can learn from this incident by carefully reading and understanding exactly what is – and most importantly, what is not – covered in a cyber insurance policy. Some policies, though labeled as “cyber” coverage, may only cover thefts on the physical “premises” of the business, in which case certain aspects of the cyber insurance policy may be effectively useless.
The bottom line: When it comes to cyber insurance, the way in which the theft occurred matters, often more so than with other types of insurance.
