Randy Sadler

Principal, CIC Services LLC

The website Business Insurance.com recently reported that Traveler’s Insurance was not required to pay for losses due to spoofing (a form of cyber-attack). According to a lower court and a federal appeals court, Traveler’s computer fraud policy had an exclusion that saved the insurer from paying over $700,000 for a cyber loss by a Seattle based seafood company. It is believed the hacker responsible for the loss originated out of China. (An email address spoofing a Chinese seafood supplier requested a bank account change; they simply substituted a “1” for the letter “i,” in the email address and siphoned off over $700,000.)

As we regularly contend in Captivating Thinking, the issue here is not whether or not the courts were correct in denying the insured’s cyber claim. Instead, the issue is why commercial insurance is often a poor choice for cyber risk, and a captive insurance approach can provide a far more robust solution.  Commercial cyber/computer fraud policies are typically layered with exclusions, rendering them worthless in many cases. (See our article from the Risk Management Society Conference 2017)

The Danger of Spoofing

What is spoofing? In writing about the cyber loss, Business Insurance.com described spoofing:

…(The Insured’s) computer system was hacked in the summer of 2013, according to court papers. The hacker apparently monitored email exchanges between an (insured’s) employee and a (vendor’s) employee before beginning to intercept the email exchanges and sending fraudulent emails using spoofed email domains that appeared similar to the employees’ actual email, for instance by substituting the number 1 for the lower-case i.

The hacker directed the (insured’s) employee in these emails to change the bank account information for (the vendor) for future wire transfers, and the (insured’s) employee complied, resulting in the company being defrauded of $713,890.

Cyber risk is rapidly evolving, and businesses must be vigilant about protecting their systems, data and employees. This emerging threat also requires meaningful employee training. Consider the list of emerging and evolving threats below:

  • Hacking
  • Spamming
  • Phishing
  • Data theft
  • Data loss
  • Malware
  • Ransomware
  • Spyware
  • Spoofing
  • And the list goes on...

Is this a good time to have insurance that is riddled with policy exclusions?

In addition to vigilance and employee training, small and mid-market businesses need cyber insurance that really works for them and is there when they need it. The customizable nature of captive insurance and ability to reduce or severely limit exclusions makes it a superior approach for many companies.

The primary reason for forming a captive is ALWAYS risk management.

All risk management is financial. A financially strong captive is a more powerful risk management tool.

Please call or e-mail theauthor to discuss any questions you may have about building your liquid reserves and captive insurance companies: l-865-599-6104 or e-mail