An interesting cyber insurance coverage case was filed recently in the Northern District of Atlanta involving bitcoin payment processor Bitpay. Bitpay’s CFO was spear phished, leading to an improper transfer of bitcoins valued at $1.8 million. Bitpay had been issued a Commercial Crime Policy by Hanover Insurance Group, which included coverage for “Computer Fraud,” as follows:
We will pay for loss of or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’:
a. To a person (other than a ‘messenger’) outside those ‘premises’; or
b. To a place outside those ‘premises.’
Hanover denied the claim because, according to Hanover, the transfer of bitcoins as a result of spear phishing did not “directly” result from the use of a computer. This kind of spear phishing attack, Hanover stated in its denial letter, does not entail “a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money.” Hanover further argued that “there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails.” Finally, Hanover argued that “the term ‘premises’ is defined in the policy as, ‘the interior of that portion of any building you occupy in conducting your business’” and does not cover bitcoins “held online, and transferred online.” After further attempts to obtain coverage were unsuccessful, Bitpay filed the coverage action.
If the case does not settle, it will be interesting to see how the court construes the disputed terms in the context of this bitcoin spear phishing scam.