Fraudulent email: Cyber insurance does not have to compensate for damage

Classic mail spoofing cost a German company 85,000 euros. Its cyber insurance does not cover the damage, says the Hagen Regional Court.


High bank charges prompt a foreign supplier to change banks. It informs its customer of the new bank details by e-mail, and the customer then initiates four transfers totaling 85,000 euros to the new account. Unfortunately, the alleged bank change is a trick by a fraudster who has compromised the supplier's Exchange server and then sent e-mails under a sender name known to the customer. As the banks are unable to recover the money, the defrauded payer turns to its cyber insurance, which it has taken out to cover both network security breaches and fraud losses. But the insurance company does not pay out.

And rightly so, as a recent decision by the Hagen Regional Court shows (case no. 9 O 258/23): the damage suffered by the policyholder is not an insured event at all.

The court's reasoning: the insurance terms and conditions define network security breaches as "impairments to the availability, integrity and confidentiality of the policyholder's information technology systems, components or processes." The perpetrators, however, did not compromise anything at the policyholder; they compromised the Exchange server of a third party, namely the supplier. In addition, the insurance conditions list examples of what does not count as an insured network security breach, including "impairments ... in third-party networks", even if their effects also reach the policyholder, as well as "fake president attacks using a simulated email address" that do not interfere with the policyholder's network.


"From these standard examples, an average and reasonable policyholder can recognize that the present case, which has similarities to the aforementioned standard examples, is not one of the insured risks," explains the court. "The prerequisite for insurance cover remains a network security breach at the policyholder's premises, which does not exist."

Nor does the cover for damage caused by deception apply. According to the insurance terms and conditions, it applies if an employee is "misled into making payments due to an information security breach that constitutes a criminal offense". The term "information security breach" covers the aforementioned network security breaches in the policyholder's network as well as further circumstances not present in this case. Here, such a breach occurred only at the supplier, which is not covered by the policy.

The plaintiff company also tried to have the insurance conditions declared invalid with reference to Section 307 of the German Civil Code (BGB), arguing that they were general terms and conditions that disadvantaged the policyholder unreasonably. The court held, however, that the contested clauses do not restrict the insurance cover but define what is covered in the first place.

In addition, the clauses are sufficiently transparent and therefore permissible: "For cyber insurance, it is typical and recognizable for the average customer that only the risk of their own IT systems is to be protected and not worldwide hacker attacks, which can have an indirect impact on the policyholder. Otherwise, participation in e-mail traffic would be a major risk in itself, as no one is protected against phishing e-mails, even well forged ones. The insurance terms and conditions are clearly and comprehensibly formulated in this respect, namely that the network security breach must involve an impairment of the company's own networks."

The Hagen Regional Court did not have to deal with the question of whether the company can take recourse against the foreign supplier whose email server was inadequately secured. This cannot be assessed from the outside, as it is not known whether the supplier grossly neglected its server security, nor under which law the original contract between the German company and its foreign supplier was concluded. In standard cases of mail spoofing, customers who transfer money to false accounts are left with their losses if German law applies.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.