Specialty Podcast: Safeguarding Against Phishing Attacks & Limitations of CGL
By Alliant Specialty
Join Steve Shappell and David Finz, Alliant Claims & Legal, as they use recent court decisions to uncover current trends and challenges within D&O and cyber. In this month’s podcast, the duo looks into the recent Blue Bell Listeria Litigation, where the appellate court decision highlights the limitations of Comprehensive General Liability (CGL) coverage for directors and officers. Plus: three steps to safeguard against phishing attacks, and the Second Circuit's decision allowing a data breach case to proceed without pled harm.
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
Steve Shappell (00:09):
Good afternoon, and thank you for joining David Finz and me for our podcast following the Executive Liability Insight newsletter. The newsletter has quite a few stories in it. There's a lot of cyber in the newsletter again this month. A very hot topic in our recent newsletter is a topic that is near and dear to me, because we get this question a lot. There are a lot of private companies out there, sizable private companies, and the question often is, do I need D&O insurance? Why do I need D&O insurance? And the Blue Bell listeria claim and litigation is recent and a good example of why you really want to make sure you're protecting your directors in particular, and also officers. You need to get D&O insurance. This case is an appellate decision this month.
We followed the trial court's decision on this, and it's a great reminder of the limitations of CGL cover. Because that's what the Blue Bell directors did in the face of a derivative lawsuit for the massive financial consequences of the listeria outbreak that they dealt with. They got derivative litigation and sought a defense and indemnity under a CGL policy, comprehensive general liability policy. And the court made short work of coverage here. They looked at it and while the trial court initially even said that the directors weren't even insureds under the policy for a derivative action, which is an action by shareholders in their capacity as shareholders on behalf of the entity against directors, the trial court had said the directors weren't even insureds under the CGL. The court of appeals changed that and said, of course there are insureds under this policy, but then proceeded to address the typical CGL analysis of this derivative action.
There's not an occurrence, there's not an accident under this policy. Directors who are accused of breach of fiduciary duty did not act accidentally. It was very deliberate conduct, which is something to keep in mind because the nuance there is to get past exculpatory provisions that protect directors, the derivative allegations need to be pretty deliberate conduct, intentional conduct, and the court used those allegations, the four corners of the complaint to conclude that this wasn't an accident, therefore not an occurrence under the policy. An excellent reminder that coverage for D&Os, directors and officers, needs to be provided under a directors and officers policy, which are very well crafted for this very exposure. One of the other things that we wanted to talk about today, as you know, David Finz constantly has his finger on the pulse of cyber events. And you know I think David wants to talk about three steps to safeguarding social engineering slash phishing issues.
David Finz (03:04):
Thanks Steve. Phishing is a particularly insidious form of social engineering, because it plays upon the trust of the recipient and their desire for some reward or their urge to be helpful to someone in distress. This could take the form of the email purporting to be from the CFO who's now asking for copies of every employee's W-2. Or it could be an external actor, like a vendor who supposedly is updating their payment or wire instructions. And we're seeing more and more of these claims. They aren't necessarily the largest cyber incidents out there, but it's sort of death by a thousand cuts. And regardless of the scheme that's used as a proportion of the number of claims that we see, it looms pretty large within the cyber threat landscape. In fact, CISA, the Cybersecurity and Infrastructure Security Agency says that phishing plays a role in more than 90% of all cyber attacks.
Now, there's no single solution to the problem because threat actors are constantly getting more sophisticated in their methods. But we have identified three steps that companies can take to reduce the likelihood that they will face a phishing attack and also what they can do to reduce the financial impact. The first is they need to have a good email filter that blocks or at least flags unknown senders and also attachments or links that look suspicious. Now, we're not going to recommend any one particular service here. There are several reputable companies out there that in the IT space are household names. All I would say is that folks should do their research, read the reviews, and choose a solution that's best for them. The cyber insurance underwriters also tend to be brand agnostic, but they do want to see that you have invested in some sort of filtering system beyond the free software that comes with Gmail or Microsoft Outlook.
The second step is to train your employees to recognize and to flag phishing emails. Even the best services are going to allow an occasional threat to get through, especially if it originates from a trusted sender who has themselves been hacked. Now, training is part of that, but also periodic testing and really instilling a culture of security awareness within the workforce. You want to make it easy for them to mark an email as suspicious, to block unfamiliar domains and to report phishing emails to your IT function. And last but not least, no discussion of social engineering would be complete without us talking about risk transfer. And that means cyber insurance. Many folks don't realize that there's also coverage available for social engineering typically under a company's crime policy. And it's important to line up these coverages to try to minimize any gaps around the types of exposures they're meant to cover and to determine which policy you want to have respond as your primary coverage in the event that they're both triggered by a particular law. So, it comes down to filtering cybersecurity awareness on the part of your workforce and also an effective risk transfer solution. Those are the three key areas that we would look for to help companies reduce their exposure to social engineering.
Steve Shappell (06:13):
Excellent insight. Further proof that Alliant is the more rewarding way to manage risk. I'd be remiss if I didn't ask you, what's your take on the Second Circuit's decision to allow a case to proceed with no pled harm?
David Finz (06:29):
Right, so this is a significant decision because it is, after all, overturning a trial court's, a district court's, ruling, and the defendant here is going to have to face allegations that they failed to safeguard the personal information of more than 7,000 of their employees and clients that was exposed in a data breach two years ago. And what the court held here was that the mere risk of identity theft after a breach is enough to constitute a concrete injury. And that's sufficient in the court's view to establish Article Three standing, which is what you need to be able to proceed in a case such as this: you need to prove actual harm. And the court is saying that the mere risk of identity theft is enough. And in this case, disclosure of the victim's name and social security number. Now this is just one federal circuit.
And there are a dozen federal circuits that make up the U.S. judiciary. So, this is not a situation where this is the law of the land yet, but given the fact that this is a split with decisions that are coming out of at least one other circuit that we're aware of, it's sort of setting things up for the Supreme Court to have to weigh in here. Now, some folks are opining, speculating that this could result in a flood of litigation on the part of plaintiffs’ attorneys if in fact the threshold for establishing Article Three standing is effectively lowered. I think it's too soon to say that. It's enough, I think, at this point to say that given what is going on in the Second Circuit, which includes New York, which is a particularly litigious area of the country, there's quite a bit of litigation that's based out of New York, given it's the financial center of the nation, that we need to watch this very carefully. And I would not be surprised if there winds up being a Circuit Court split and this ends up before the U.S. Supreme Court. And at that point we can begin to try to determine what the impact is on businesses, both in terms of safeguarding against these lawsuits as well as the impact it could have on cyber insurance premiums.
Steve Shappell (08:42):
And we will keep our finger on the pulse of this. Because I was telling David just this morning, I read a decision from a federal trial court, which went the other way and did find that these allegations were not sufficient for Article Three standing. So, there is a split, and like I said, we'll keep our finger on the pulse of this because it's a big deal and it will allow us to track if we will see a flood of litigation. I want to thank everybody for taking the time to join David and me on this month's Alliant Claims and Legal podcast. Thank you.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.