Protection offered by some cyber insurance may not be as comprehensive as clients are led to believe.
Internet payment processor BitPay, recently learned this lesson the hard way after their claim for $1.8 million was denied by the Massachusetts Bay Insurance Company. The online bitcoin transaction mediator was victim of a $1.8 million phising scheme after a hacker, posing as the company’s CFO’s, requested over 4,000 bitcoins be transferred to a fraudulent account.
BitPay had acquired a cyber-protection policy from Massachusetts Bay prior to the cyber-attack; however, the company denied the claim because “the loss incurred byBitPay was not a direct loss.” Attorneys for MBIC noted that “since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of money,” the insurer is not liable for the loss. “[I]nstead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious emails being received by Bitpay.” Since David Bailey did not have personal cyber protection to protect his account from a hacking incident, the loss was not covered.
BitPay feels misled by their coverage and is currently contesting MBIC’s denial of their claim. If cyber protection does not provide comprehensive coverage for theft, companies will have a difficult time justifying purchasing cyber policies.