If you bought cyber insurance so you’d be covered if you were hacked, and then had $1.8 million stolen after being hacked, wouldn’t you expect your insurance claim to be paid? If so, think again: the claim can be denied because of the wording of the risk insurance contract.
BitPay, a Bitcoin payment processor, had purchased cyber insurance from Massachusetts Bay Insurance Company (MBIC), but BitPay was in for a rude awakening.
In December 2014, an unknown hacker pulled off a social engineering attack: he spearphished BitPay’s Chief Financial Officer, managed to capture corporate credentials, then used the hacked email account to send spoofed emails to the CEO. The hacker tricked BitPay into making three separate transfer transactions over two days to the tune of 5,000 bitcoins, which were valued at $1,850,000. Well, at least the company had cyber insurance, right? No. The insurance company denied the claim due to the wording in the contract, and BitPay then sued the insurance company.
The policy, which supposedly covered BitPay for a million dollars, stated (pdf):
We will pay for loss of or damage to “money,” “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”: a. To a person (other than a “messenger”) outside those “premises”; or b. To a place outside those “premises.”
According to court documents obtained by the Atlanta Business Chronicle, BTC Media CEO David Bailey’s computer had been hacked at some point and his email compromised. Bailey had been in negotiations with BitPay about buying BitPay’s magazine yBitcoin. The hacker, posing as Bailey, sent an email to BitPay's CFO Bryan Krohn. The email asked Krohn to review the negotiation modifications on the attached Google document.
Krohn clicked the link and entered his credentials. One court document (pdf) says after he opened his Google Docs account, his Google account password and authentication codes were compromised, while another (pdf) says Krohn provided the credentials for his BitPay corporate email account. Yet Krohn received an error message after entering his credentials; he did not know the link led “to a website controlled by the hacker.”
After gaining control of the CFO’s corporate email, the attacker allegedly studied Krohn’s emails to discover how BitPay conducted business, “including the fact that Second Market was the sole purchaser of bitcoins with whom BitPay did not require advance payment.” Later that day, the hacker – using Krohn’s email – sent an email to BitPay CEO Stephen Pair; that email, which appeared to contain a purported email chain between Krohn and Second Market, asked the CEO to transfer 1,000 bitcoins to a specific wallet. Two hours later, another email, allegedly from Krohn, asked the CEO to transfer another $1,000 from BitPay’s hot wallet to the same wallet address allegedly belonging to Second Market.
Apparently that worked so well for the attacker that he tried it again; the next day another email supposedly from Krohn asked the CEO to send 3,000 bitcoins to Second Market at a different blockchain wallet address. The CEO sent an email to Krohn to check the validity of the request since it exceeded “the usual 1,000-2,000 bitcoin amount between the companies.” After the attacker, again posing as Krohn, replied that the request was valid, the CEO transferred the 3,000 bitcoins.
But this time the CEO carbon copied a Second Market employee when he sent an email confirming the bitcoins had been sent. She replied that she did not send the prior email and that Second Market did not purchase the 3,000 bitcoins.
BitPay claimed that when the attacker “illegally hacked” Krohn’s computer to send authorizations, “it is this hacking which fraudulently caused the transfers of bitcoin and therefore the loss to Bitpay of bitcoin valued at $1,850,000.”
According to court documents, the insurance company refused to pay and claimed:
The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. "Direct" means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
Attorneys for MBIC insurance also noted the “important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails. The loss incurred by BitPay was not a direct loss.” In other words, the insurance company claims it doesn’t have to pay because an authorized system user triggered a transfer.
But that’s not all, as apparently the word “premises” in the cyber insurance policy meant insurance doesn’t have to pay for a bitcoin transfer that occurs online and not on BitPay’s physical property. What kind of Commercial Crime Policy (pdf) cyber insurance doesn’t cover theft that occurs in the cyber world? Andreas Baumhof, CTO of ThreatMetrix, told CSO's Steve Ragan, “Cyber insurances are a bit of a rip-off. Think of car insurance—if it is insured for theft, it doesn’t matter how the theft was executed. In the cyber world, it seems it does matter.”
BitPay is now suing MBIC for breach of contract, bad faith failure to pay and statutory damages; it is seeking $950,000 in damages plus court fees.