Financial cyber-crimes are becoming such a frequent feature in the media that one might be forgiven for feeling a little "cyber-fatigued."
However, the thefts from financial institutions recently reported by Kaspersky Labs are arguably unique in their scale and audacity. Kaspersky describes "money mules" waiting at ATMs that had been remotely instructed to dispense cash at a particular time, without any bank card being used.
The reported losses potentially exceed US$1 billion. The criminal activity spans Russia, the United States, Europe and China, and is likely to extend to Asia, the Middle East and Africa. The gang is believed to have members in Russia, Ukraine, other parts of Europe and China.
It is understood that the attacks began with a spear-phishing email designed to look like a legitimate communication. The email in fact delivered malware capable of exploiting vulnerabilities in certain Microsoft products, which opened a back door into the bank's systems; from there the attackers were able to seize control of ATMs and bank accounts.
The Kaspersky Report states that the stolen funds were transferred out of the targeted financial institutions to bank accounts in the US and China, taking two to four months to steal between $2.5 million and $10 million from each bank.
Aside from specialist cyber covers, insurance policies bought by banks may respond in different ways to such thefts depending on the wordings in each case.
Typically, errors and omissions ("E&O") policies cover economic damage to third parties (for example, the erroneous transmission, or loss, of client funds) only where it results from a failure of defined services. Some E&O policies also contain exclusions for the theft of monies.
Commercial crime policies may respond, although there may be questions as to whether it is the bank or the customer that has suffered the loss, depending on the way in which the money was extracted, and, if the bank has, whether that loss qualifies as direct financial loss under the policy.
Questions of aggregation may also be relevant given the scale, duration and different locations of the losses. Certain commercial crime policies in the financial institutions sector might permit aggregation by reference to the activities of groups of criminals.
It is not clear from the Kaspersky Report whether customer data was also stolen which may give rise to legal liabilities across jurisdictions. Nor is it clear how much the banks have spent on IT experts to investigate the crimes and repair electronic systems. Such first party legal and forensic costs might not be indemnified under E&O or commercial crime policies.
The scale of these thefts is a reminder that such acts are a national threat, with the ability to destabilise financial markets and systems. Understandably, cyber security is receiving considerable regulatory scrutiny. In November last year, the Financial Conduct Authority ("FCA") fined RBS, NatWest and Ulster Bank £42 million for IT failures in June 2012 during which the banks' customers could not access banking services. Although that was a different type of cyber issue, the FCA took action because the banks had failed to put in place adequate systems and controls to identify and manage their exposure to IT risks.
In a similar fashion, it is conceivable that directors and officers ("D&O") insurance policies could come into play should regulators, the banks themselves or other third parties seek to hold the banks' directors responsible for failing to prevent the thefts reported by Kaspersky.
Significant elements of these losses may be covered under one or more of the insurance products currently bought by financial institutions. Claims arising from these remarkable cyber thefts will need to be closely scrutinised to determine precisely what cover is available. Insurers, for their part, might consider whether they are prepared to cover such losses, and whether their existing policy wordings require adjustment accordingly.