Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Bank, insurer fight over coverage for cyber attack

Reprints
Bank, insurer fight over coverage for cyber attack

A Virginia bank and its insurer have squared off in federal court to determine the scope of coverage for a multimillion-dollar cyberattack.

The case of National Bank of Blacksburg v. Everest National Insurance Co. was filed June 28 in U.S. District Court in Roanoke, Virginia.

At issue, according to court records, is whether the cyberattack should be covered under the bank’s computer and electronic crime rider, which would result in a larger payout, or the bank’s debit card rider, which has a much lower coverage limit.

“(Everest) is saying this was not a hacking fraud, that this was an ATM or debit card fraud,” said Adam Ziffer, a principal at McKool Smith L.L.P. in New York, who is not involved in the case. “It’s not uncommon for insurance companies to take the most aggressive exposure-shrinking position possible, at the outset at least.”

Everest National Insurance Co., a subsidiary of Everest Re Group Ltd., filed a response in federal court on July 20. Everest Re did not respond to a request for comment.

The Blacksburg, Virginia-based bank said it had been hacked twice in less than a year and suffered total losses of $2.4 million. The first incident occurred in May 2016 and the second occurred in January 2017. A security review determined that both attacks were likely committed by the same group of hackers in Russia using phishing emails, court papers say.  

Hackers were able to fraudulently credit more than $2 million to certain National Bank customer accounts, the bank said.

Court records said the bank argues it was covered by a computer and electronic crime rider to its insurance policy with Everest National that had a single-loss limit of liability of $8 million, with a $125,000 deductible and a debit card rider that provided coverage for losses that result directly from the use of lost, stolen or altered debit cards or counterfeit cards.

The debit card rider has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000, records said.

The bank said in its complaint that “none of the losses arise from a National Bank customer’s debit card being stolen, or from their debit card information being stolen directly from a National Bank customer’s possession without their knowledge or permission.”

“Despite the foregoing facts, Everest has denied coverage for the losses set out in National Bank’s proof of loss claims under the Bond’s C&E Crime Rider; claiming instead that National Bank’s losses fall under the Bond’s Debit Card Rider and its much lower coverage limit,” the bank said in its complaint.

Everest National Insurance, the bank said, “determined that the 2016 Intrusion and the 2017 Intrusion were a single event, and thus, pursuant to the debit card rider, National Bank’s total coverage under the Bond was $50,000 for both intrusions.”

In its response, Liberty Corner, New Jersey-based Everest National admitted that “National Bank suffered a sophisticated computer system intrusion and hackings” but denied “that Everest has breached its contract with National Bank, denies that it acted in bad faith, and denies that National Bank is entitled to any damages from Everest.”