How Insurers Can Refuse To Cover Hacker Payments

Insurers sometimes make the argument that paying ransomware or putting out money after falling for an email scam do not constitute “direct lost” and therefore are not covered, according to a post on the Ervin Cohen & Jessup website. The contention of the carrier would be that such losses are “occasioned through some action by the company.” In addition, some policies specifically exclude coverage when “any transfer, payment of or delivery of Money, Securities or Property [is] approved by an Employee…”

There have been cases supporting this type of argument, the writer notes, but more recent cases have been more friendly to insureds. Those include a recent case involving a ransomware payment, and a case where the Ninth Circuit, reversing a district court, held that an accounts payable clerk’s processing of a payment to a scam recipient, at the behest of a party who was impersonating her superior, did constitute a direct loss from fraud.