No insurance payout for real estate broker in cyber hack loss

A CNA Financial Corp. unit is not obligated to compensate a real estate brokerage for losses it suffered from a cyber hack under the malicious code exclusion in its property, liability and crime policy, says an appellate court in upholding a lower court ruling.

Transportation Insurance Co., a unit of Chicago-based CNA, had issued a policy in 2011 to Atlanta-based Metro Brokers Inc. that provided property, liability and crime coverage, according to court papers in Metro Brokers Inc. vs. Transportation Insurance Co.

Metro used its bank’s online system to make payments from its accounts, according to Thursday’s ruling by the U.S. Court of Appeals for the 11th Circuit in Atlanta.

In December 2011, thieves logged into the bank’s online banking system using a Metro employee’s access ID and password and authorized various payments totaling more than $188,000 from a Metro client escrow account to several other bank accounts. More than $154,000 of the stolen funds remains unrecovered, according to the ruling.

Available evidence suggests the thieves used a virus known as “Zeus” to gain access to the ID and password information, according to the ruling.

Metro filed a claim for the loss under its insurance policy, but Transportation Insurance denied coverage based on the policy’s malicious-code and system-penetration exclusions. Metro contended the loss was not excluded and is covered under the policy’s fraud and alteration endorsement. The U.S. District Court in Atlanta agreed with Transportation Insurance and granted it summary judgment dismissing the case.

The appellate court upheld the lower court’s ruling. The loss is not covered under the policy’s fraud and alteration policy because forgery is defined in the policy as “the signing of the name of another person or organization with intent to deceive,” but Metro has failed to demonstrate the theft involved name signing as required under this definition, said the ruling. The theft also did not involve a check, draft, promissory note or bill of exchange, as defined in the policy, it said.

The appeals court also said it agrees with the lower court that the claim falls under the policy’s malicious code exclusion. The policy defines malicious code as including, among other things, computer viruses, says the ruling.

Although Metro argues that the computer virus did not cause the loss because of the thieves’ intervening conduct, the policy “states unambiguously that it does not cover losses ‘caused directly or indirectly’ by malicious code ‘regardless of any other cause or event that contributes concurrently or in any sequence to the loss,’ ” said a unanimous three-judge panel in upholding the case’s dismissal.