Financial Institutions Face Risks Regarding Coverage for Cyber Risks Under GL Policy

By Karen Painter Randall

In a recent decision from the United States District Court for the Western District of Pennsylvania, the Court found that a bank that made a voluntary reimbursement to its client for an unauthorized wire transfer, pursuant to state statute, should not have its policy disclaimed on this basis.

In First Commonwealth Bank v. St. Paul Mercury Insurance Company, Civil Action No. 14-10 (W.D. Pa. Oct. 6, 2014), the District Court denied St. Paul Mercury Insurance Co.’s (St. Paul) Motion to Dismiss a declaratory judgment coverage action filed by First Commonwealth Bank (FCB). In First Commonwealth Bank, FCB’s client was the victim of malware that allowed a hacker to gain access to the client’s computer system. The hacker was able to obtain a senior VP’s online banking user name and password, and then accessed the client’s bank account with FCB. Thereafter, three unauthorized wire transfers were sent to various locations around the world. Two days later, after one of the transactions was detected, the client demanded an immediate refund/credit of the withdrawn funds, and within four days FCB refunded the client for the full amount taken. A month later, FCB notified its general liability insurer, which denied coverage based on the voluntary payment condition under the general liability policy at issue.

FCB and its parent corporation commenced a declaratory judgment coverage action against St. Paul. In response, St. Paul filed a Motion to Dismiss, contending that FCB voluntarily reimbursed its client for the unauthorized wire transfers without first obtaining St. Paul’s consent as required under the Policy. The District Court denied the Motion, holding that FCB did not allege that it made a voluntary payment, but rather that it was required by law to refund its client pursuant to one of Pennsylvania’s anti-fraud statutes. Thus, the District Court was unable to agree that FCB’s payment to its client was voluntary.

The FCB decision reaffirms that financial institutions, as well as brokers and insurers, must continue to develop a better understanding of the risks and exposures involved with data breaches. Moreover, as regulations continue to evolve in response to data breaches, financial institutions must be cognizant of these developments and adjust their policies accordingly.