On Thursday, 15 September 2022, the European Commission proposed the first-ever EU-wide Cyber Resilience Act regulating essential cybersecurity requirements for products with digital elements and ensuring more secure hardware and software for consumers within the single market.
According to the Commission, cybersecurity of the entire supply chain is maintained only if all its components are cyber-secure. The existing EU legal framework covers only certain aspects linked to cybersecurity from different angles (products, services, crisis management, and crimes), which leaves substantial gaps in this regard, and does not determine mandatory requirements for the security of products with digital elements.
The proposed rules set out the obligations of the economic operators (manufacturers, importers, and distributors) to abide by the essential cybersecurity requirements. The rules would benefit different stakeholders: by ensuring secure products, businesses would maintain customers’ trust and their established reputation, and customers would have detailed instructions and the necessary information when purchasing products, which would in turn assure data and privacy protection.
According to the proposal, manufacturers must ensure that cybersecurity is taken into account in the planning, design, development, production, delivery, and maintenance phases, that cybersecurity risks are documented, and that vulnerabilities and incidents are reported. The regulation also introduces stricter rules on the duty of care for the entire life cycle of products with digital elements. Once a product is sold, companies must remain responsible for its security throughout its expected lifetime, or a minimum of five years (whichever is shorter). Moreover, smart device makers must communicate to consumers “sufficient and accurate information” to enable buyers to grasp security considerations at the time of purchase and to set up devices securely. Importers shall only place on the market products with digital elements that comply with the requirements set out in the Act and where the processes put in place by the manufacturer comply with the essential requirements. When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements of the Regulation. Non-compliance with the cybersecurity requirements and infringements by economic operators will result in administrative fines and penalties (Article 53), and market surveillance authorities will have the power to order withdrawals or recalls of non-compliant devices.
The Regulation defines horizontal cybersecurity rules while rules peculiar to certain sectors or products could have been more useful and practical. The new rules do not apply to devices whose cybersecurity requirements have already been regulated by the existing EU rules, such as aviation technology, cars, and medical devices.
The Commission’s press release announced that the new rules will have an impact not only in the Union but also in the global market beyond Europe. Considering the international significance of the GDPR rules, such an outcome is plausible. On another note, attempts to ensure cyber-secure products are not specific to the EU; other states have already taken similar measures. By comparison, the UK launched a consultation ahead of potential legislation to ensure household items connected to the internet are better protected from cyber-attacks.
While the EU’s proposed Act is a significant step forward, it still needs to be reviewed by the European Parliament and the Council before it becomes effective, and, if adopted, economic operators and the Member States will have twenty-four months (2 years) to implement the new requirements. The obligation to report actively exploited vulnerabilities and incidents will apply one year after the entry into force (Article 57).
Following the Lloyd’s Performance Management Supplemental Requirements & Guidance, published July 2020, all insurance and reinsurance policies written at Lloyd’s must exclude all losses caused by war and nuclear, chemical, biological or radioactive risks (NCBR), except in limited circumstances. This reinforces the exclusion of war and NCBR in hull and cargo and most cyber policies. Both cyber security data and privacy breach (CY) and cyber security property damage (CZ) policies are among the exempted classes of business which would be allowed to write war risks. However, when writing these cyber policies, the terms and scope of the cover must be unambiguously stated. If there is an extension of the policy to include war, that extension must not override any NCBR exclusions contained within the cyber policy. It is customary to follow local law or regulation on how coverage should be provided for in policy documentation, and for the exempted classes of business it is recommended to follow local market practice. In light of these guidelines, several war exclusions with varying degrees of liability were developed to be endorsed on or attached to commercial cyber policies. It is not yet clear whether the same clauses are or will become applicable to non-cyber policies, but the discussion is relevant considering current geopolitical conflicts and imminent threats to businesses and states.
The exclusions (LMA5564, LMA5565, LMA5566, LMA5567) are very similar in terms of the language used and exclude loss of any kind directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation. The burden is on the insurer to prove that the exclusion applies. An obvious difference is the causal language used in each clause. ‘Happening through’ is not language commonly used in the marine sector; as such, its meaning and what needs to be established to fulfil this causal requirement require clarification. Clauses 3-5 of each exclusion refer to the attribution of a cyber operation to a state, and the definitions of war and cyber operation both relate to the acts of a state against another state. War is defined as the ‘use of physical force by a state against another state’, thus excluding cyber incidents / attacks which may have the same effect but involve no physical use of force and are not carried out by a state against another state. Cyber operation means ‘the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of another state’. The emphasis on ‘states’ means that the exclusion would not be applicable to private acts of civilians who are not acting on behalf of their government or another state. Furthermore, it is doubtful whether a cyber operation would extend to damage to or loss of cargo, a vessel or financial losses, since the subject of a cyber operation is the ‘information in a computer system’.
In attributing a cyber operation to a state, the primary but not exclusive determinant is whether the government of the state in which the affected computer system is physically located has attributed the cyber operation to another state or those acting on its behalf. Pending a decision, the insurer may rely on an inference which is objectively reasonable as to attribution of the cyber operation, but no loss shall be paid during this time. If the government of the state in which the affected computer system is located takes too long to decide, or is unable to declare or does not determine attribution, the responsibility shifts to the insurer to determine attribution using other evidence available to it. There are several problems with the terms of LMA5564. There is no explanation of the type and source of information the insurers should rely on to develop an inference, of what will qualify as objectively reasonable, and, importantly, of who will sit as the ‘objective person’. Furthermore, the reference to the insurer using ‘such other evidence as is available’ suggests that the insurer is permitted to rely on any source, type / quality of evidence available that will support his position that the exclusion does apply. In other words, the acceptable standard of evidence to support the insurer’s ‘inference’ and to discharge his burden that the exclusion applies is low and therefore prejudicial to the assured.
The second war, cyber war and cyber operation exclusion (LMA5565) differs from LMA5564 in that LMA5565 clauses 1.1 to 1.3 list the conditions under which war and cyber operations are excluded. These are: war, or a cyber operation carried out in the course of war; and/or retaliatory cyber operations between any of the specified states (China, France, Germany, Japan, UK or USA); and/or a cyber operation that has a detrimental impact on the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state, and/or on the security or defence of a state. Clause 3 introduces the agreed limits recoverable in relation to loss arising out of one cyber operation and a second limit for the aggregate for the period of insurance. If the limits are not specified, there will be no coverage for any loss arising from a cyber operation. Noteworthy is the fact that similar limits have not been introduced for loss arising from a war or cyber war, so the limit would be based on the insured value of the subject matter insured. The definition of essential service creates uncertainty because what is categorised as ‘essential for the maintenance of vital functions of a state’ may vary across states. While examples are provided, which include financial, health or utility services, unless the parties stipulate and restrict this category to only the services named in the policy, there is potential contention between the parties over what will qualify as an essential service and what is a vital function of a state. It is expected that the marine sector will be among the list of essential services; however, it is unlikely that an attack on a commercial private vessel or onshore facilities would qualify as harm to an essential service vital to the functioning of the state.
A third form of the war, cyber war and cyber operations exclusion, LMA5566, is identical to LMA5565 except that LMA5566 has no equivalent to the clause on limits of liability for each cyber operation or aggregate loss. The fourth form of exclusion, LMA5567, expounds on the conditions mentioned in LMA5565 and LMA5566, particularly the exclusion of loss from retaliatory cyber operations between any of the specified states leading to two or more of those states becoming impacted states. The exclusion of a cyber operation that has a major impact on an essential service or the security or defence of a state shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset. LMA5567 introduces the concepts of impacted states and bystanding assets, thus expanding the effect of the exclusion clause. Impacted state means any state where the cyber operation has had a detrimental impact on the functioning of that state due to its effect on essential services and/or the security or defence of that state. Bystanding cyber assets are computer systems used by the insured or its third party provider that are not located in the impacted state but are affected by the cyber operation. As an exemption to the exclusion, the consequence is that the insurer will be exposed to liability for loss to assets that are not owned by the insured or its third party providers. The only requirement is that these bystanding cyber assets / computer systems are used by the insured or its third party providers, which could be an extensive list of unidentified assets and liabilities. Another problem with the definition of bystanding cyber asset is that it does not declare for what purpose the said asset should be used by the insured or by the third party provider. The presumption is that the use should be related to the subject matter / business of the insured, but without clarification there are doubts about the scope and limits of the term.
Interestingly, and of concern, is the use of the words ‘cyber war’ in the title of each exclusion: the term is not repeated in any of the four clauses, nor is there a description of the meaning of cyber war and how it differs from a cyber operation and war as defined in the clauses.
Guidance on the correct interpretation of the exclusion clauses was not published, and given their deficiencies, the effectiveness of each exclusion clause is reduced. In terms of their application to marine activities, the insurer will find that he is liable to indemnify the assured for his loss from a cyber-attack unless there is evidence to attribute the cyber act to a state. The exclusions will be less effective in scenarios where terrorist or political groups are involved, as war is limited to acts between states and significant emphasis is placed on damage to essential services of a state. Despite the deficiencies discussed above, the importance and take-up of any variation of the exclusion clause will increase as the political security of nation states and businesses continues to be of concern to insurers. The constant threats and warnings in the news of cyber-attacks being used as weapons of war will affect market response, which will sometimes be reflected in the strictness of language / variations of the war exclusions used in insurance policies. Other stakeholders must be proactive and ensure that they have adequate insurance protection against cyber war risks and war risks generally, and mitigate their risks of loss by implementing and maintaining good cyber hygiene based on industry-specific best practices.
Michael N Schmitt, ‘The Use of Force’ in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edition, Cambridge University Press 2017). The Tallinn Manual is a nonbinding legal source which explains how international law applies to cyber operations. It is in the process of a five (5) year review for the launch of Tallinn Manual 3.0.
Cyber criminals have been exploiting the ‘privacy’ features of crypto-assets to target businesses and individual accounts, to steal and to unlawfully demand the transfer of crypto-currencies through ransomware attacks. In addition to the distinctive features of cryptocurrencies, which give cyber criminals a false sense of anonymity, the rapid rise in cryptocurrency fraud and ransomware is also the product of very lax or non-existent international regulation. In 2020, 57.9% of organizations in the UK and 78.5% in the USA were affected by ransomware. The targets of major ransomware attacks in 2021 included Colonial Pipeline and JBS meat processing in the US, the Health Services Executive in Ireland and Hackney Borough Council in England. The types of business targeted are an indication of the threat to critical national infrastructure. Some ransom demands are made in fiat currency while others are in cryptocurrencies. The average ransom paid by medium-sized organizations was US$170,404 and the average cost to rectify and respond to a ransomware attack was US$1.85 million.
International and Government Response
Prior to the creation of the Ransomware Task Force in December 2020, there was no coordinated effort among states and the private and public sector to tackle the serious and growing threat from ransomware attacks.
Equally problematic is the lack of clarity on the legality of paying ransom / ransomware demands.
England and Wales
The payment of a ransom is not illegal in England and Wales provided it is not paid to or associated with terrorist groups (s. 15(3) Terrorism Act 2000) or persons subject to economic sanctions, is not used to finance a criminal act, and there is nothing illegal about the contracts between the parties. The National Cyber Security Centre, in its guidance on mitigating malware and ransomware attacks, emphasised that law enforcement does not encourage, endorse or condone the payment of ransom demands.
United States of America
The US has not outlawed the payment of ransoms but has issued an advisory on potential sanctions risks for facilitating ransomware payments. The advisory warned that companies, including insurance firms, financial institutions and those specialising in digital forensics and incident response, that facilitate the payment of ransoms may risk breaching OFAC Regulations. These companies are encouraged to contact the relevant government agencies if they reasonably believe that the person making the ransom demand may be sanctioned or connected with a sanctioned individual or entity.
France has unofficially declared its refusal to pay ransomware demands. Consequently, AXA insurers in France announced they would temporarily halt writing cyber insurance with a clause to indemnify customers for ransoms paid.
Efforts to recover cryptocurrency?
Seizure / Recovery of cryptocurrency
Bitfinex: The authorities in the US have been able to successfully trace and recover crypto-assets stolen or paid as ransom. The most recent example is US$5bn worth of stolen bitcoin seized by the US Department of Justice, reported on Tuesday (08/02/2022). The bitcoin was stolen in 2016 after hackers breached the Bitfinex cryptocurrency exchange. The money was then transferred to digital wallets said to be operated by a couple in New York. At the time, the bitcoin was valued at about US$71 million, but its current value is upwards of US$5 billion. Various methods were employed by the couple to launder about US$25,000 of the bitcoins. The couple will be charged with the federal crimes of conspiracy to defraud the US and conspiracy to commit money laundering.
The length of the probe (5 years) and the coordinated efforts of investigators from across the U.S. and Germany highlight the resources governments and private investigators are willing to invest to ensure cyber criminals are not allowed to steal and launder unlawfully gained cryptocurrencies.
Colonial Pipeline: The authorities were also able to recover some of the cryptocurrency paid as ransom by Colonial Pipeline Company following a ransomware attack in 2021. Colonial paid the cyber-criminals US$4.4 million in cryptocurrency to release its systems, and then made a claim to recover this sum from its cyber insurers. The U.S. authorities recovered US$2.3 million of the ransom.
AA v Unknown and others: The claimants were UK insurers whose customer, a Canadian insurance company, had its computer system hacked and encrypted. A ransom demand of US$950,000 in bitcoins, payable to a specific address, was made by the hackers. The Claimants agreed to pay the ransom. Some of the money was transferred into fiat currency, while 96 bitcoins were sent to an address linked to an exchange operated by the 3rd and 4th Defendants. The first Defendant was the persons unknown who made the demand. The second Defendant was the owner / controller of the 96 bitcoins. The insurers retained the services of an incident response company that specialises in the negotiation of cryptocurrency ransom payments to negotiate with the hackers to regain access to the customer’s data and systems. The ransom was paid, but further investigations were carried out by the insurers with the assistance of Chainalysis Inc, a blockchain investigations company which also provides software to track the payment of cryptocurrency. The investigations successfully revealed the location of the bitcoins, 96 of which were found at an address operated by the 3rd and 4th Defendants while some had been transferred to a fiat currency account. The insurers successfully made an application to the High Court for a proprietary injunction over the cryptocurrency. The court held that cryptocurrencies are ‘property’ and could be the subject of a proprietary injunction, as they met the four criteria of property: ‘being definable, being identifiable by third parties, capable in their nature of assumption by third parties and having some degree of permanence’. The decision was an adoption of points presented in the Legal Statement on Cryptoassets and Smart Contracts by the UK Jurisdiction Taskforce.
ION Science Ltd v Persons Unknown and others: The case concerned the fraudulent inducement of the claimants to make an investment equivalent to 64.35 bitcoin and to pay commission to receive profits from the said investment. The company referred by the Respondent was operating without Swiss authorisation. The bitcoins were transferred to two cryptocurrency exchanges, located in the US and the Cayman Islands respectively. The court granted orders against the first Respondent (Persons Unknown) in the form of a proprietary injunction, a worldwide freezing order and an ancillary disclosure order against persons unknown. There was also a Bankers Trust order which could be served on the two cryptocurrency exchanges outside of the jurisdiction.
Remarks: These cases are examples of instances where cyber-criminals are held responsible for the theft or laundering of cryptocurrencies. Cyber criminals are subject to the application of money laundering and terrorism legislation. Crypto-assets illegally acquired can be the subject of an injunction or a worldwide freezing order and can be seized even if the investigation takes years to complete. Cyber insurance and incident response companies do have an obligation to ensure they are not facilitating the payment of ransoms to terrorists, sanctioned persons or governments and their affiliates. The abovementioned orders are methods that victims of a cryptocurrency fraud or ransomware attack can use in their effort to recover their crypto-assets. However, while these methods have been successful for traceable currencies (Bitcoin and Ethereum), they may not be very effective for recovering non-traceable cryptocurrencies (Monero).
The 2Cs, COVID-19 and cyber risks, are the two plagues of our generation, both of which command global interest and compete in print and online media for daily headlines. They also have one thing in common: they are highly misunderstood and mutate ever so often. For these and other reasons, governments and business stakeholders have invested heavily in developing safety guidelines to mitigate the loss and damage arising directly or indirectly from cyber risks and COVID-19. While governments have made some progress in the fight against COVID-19 through the administration of vaccines, cyber risks are mutating at such a rate that it is almost impossible to keep up, and the shipping and insurance industries are just as vulnerable to cyber risks as any other industry. Here we will briefly discuss phishing, often described as the most widespread and pernicious cyber-attack technique, but the discussion will be centred around the decision of the U.S. District Court for the Northern District of Texas in RealPage v National Union Fire Insurance Company of Pittsburgh and Beazley Insurance Company.
BIMCO, in its guidelines on cybersecurity risks onboard ships, describes phishing as encompassing the sending of emails to many potential targets asking for pieces of sensitive or confidential information. The email may also contain a malicious attachment or request that a person visit a fake website using a hyperlink included in the mail. A distinguishing feature of phishing is that attackers pretend to be a real and trusted person or company with whom the victim usually has, or has had, business relations. The Cyber Security Breaches Survey 2020 reports that phishing attacks are the most common attack vector used by cyber criminals, and that between 2017 and 2020 the proportion of businesses experiencing phishing attacks rose from 72% to 86%, whereas viruses and other malware fell from 33% to 16%. Since phishing is such a constant threat to businesses, it is understandable why insurers see the need to cater for this risk in their cyber insurance policies and/or other commercial crime policies.
Facts of RealPage case:
RealPage provides several services for its clients, who are property owners and managers of real estate. The clients entered into contracts with RealPage authorizing it to act as their agent, to manage and collect monies debited from their customers’ accounts, and to credit the client’s identified bank account. The tenants authorized the transactions processed by RealPage, and this was communicated to RealPage by its clients. RealPage then contracted with Stripe to provide software services that enable payment processing and related functions.
The payment process involved the following:
A tenant would log in to an interface called “Resident Passport” to make a payment to one of RealPage’s clients.
Upon initiation of a payment by a tenant, RealPage would send application programming interface (API) calls to Stripe’s server either through Stripe Dashboard or the On-Site application.
Upon receipt of an API call for an automated clearing house (ACH) transaction, Stripe would send instructions to its bank, Wells Fargo, to process the ACH transfer that would pull money from the tenant’s bank account and place these funds in Stripe’s Wells Fargo bank account.
Thereafter, Stripe would direct Wells Fargo to complete another ACH transfer to pay these funds to the clients in accordance with RealPage’s instructions.
The funds held in Stripe’s accounts were for the benefit of its users and merchants such as RealPage. If there was a balance owed to a client of RealPage, the funds for that client in Stripe’s account would be for the benefit of the said client. RealPage had no rights to the funds held in Stripe’s account: RealPage was not entitled to draw funds and did not receive interest on funds maintained in the account. RealPage’s contracts describe its relationship with Stripe as one of independent contractors. The one exception, where Stripe operates as an agent, is in holding funds that are owed to RealPage.
The hackers used targeted phishing to obtain and alter the account credentials of a RealPage employee. They then used those credentials to access the Stripe Dashboard and alter RealPage’s fund disbursement instructions to Stripe. The hackers diverted over $10 million that had not yet been disbursed to clients. RealPage discovered the fraud, contacted Stripe and directed it to reverse the payments and freeze outgoing payments. RealPage was unable to recover over $6 million of the funds and refunded its clients for the lost funds.
Insurance Policies with National Union and Beazley
At the time of the attack, RealPage had a commercial crime policy with National Union and an Excess Fidelity and Crime Policy from Beazley. The Excess Policy provides a $5,000,000 limit of liability “for any loss which triggers coverage under the Commercial Crime Policy”. Therefore, any recovery under the Excess Policy was dependent on RealPage successfully making a claim under the Commercial Crime Policy. The following provisions of the Commercial Crime Policy are the most relevant:
Ownership of Property; Interests Covered:
The property covered under this policy is limited to property:
(1) That you own or lease; or
(2) That you hold for others whether or not you are legally liable for the loss of such property.
We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Funds Transfer Fraud:
We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.
Insurance Claims and Responses
RealPage claimed for the lost funds under the policy, but National Union was only willing to reimburse the transactional fees owed to RealPage. With respect to the diverted funds that were owed to RealPage’s clients, National Union concluded, based on its preliminary analysis, that RealPage did not own or hold the funds and thus was not entitled to coverage. As a result of National Union’s denial of coverage, RealPage filed a claim seeking a declaratory judgment for the funds fraudulently diverted and lost as a result of the phishing attack.
The main issue for the court was ‘whether RealPage is entitled to coverage under commercial crime insurance policies for the loss of its clients’ funds which were diverted through a phishing scheme’. In answering this question, the central issue was whether RealPage held these funds despite its use of a third-party processor, Stripe Inc. After an extensive discussion of the meaning given to the word ‘hold’, it was accepted that there must be possession, though not necessarily ownership, of an item. Accordingly, the court held that RealPage did not suffer a direct loss as required under the policy, as it did not hold the funds at the time of the phishing attack, and the court therefore decided in National Union and Beazley’s favour, granting them summary judgment.
RealPage argued that the policy was expansive enough to cover property it held. It also reasoned that since it had the authority to direct Stripe as to where the funds should go, it ‘held’ the funds. The court rejected this line of reasoning, stating that ‘hold’ cannot be reduced to simply the ability to direct but requires some sort of possession of property. Applying the ordinary meaning of ‘hold’, RealPage was not in possession of the funds. The funds were in Stripe’s account at Wells Fargo, not RealPage’s, up to the time they were diverted to the hackers’ account. RealPage’s ability to direct the transfer of the funds does not amount to holding the funds. Furthermore, RealPage had no rights to the funds in the account and could not withdraw them, and the funds were held in the same account as those of other Stripe users.
RealPage also had to establish that it had suffered loss resulting directly from computer fraud or funds transfer fraud. Since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required under the Policy.
While we acknowledge that this decision is not binding on the courts in the UK, it cannot be denied that many of the practices within the UK cyber insurance market are influenced by what happens in the more mature US market. Furthermore, many of the insurance companies including Beazley who are leading the way in the UK as cyber insurance providers also have parent companies, branch offices or subsidiaries operating in the USA. So, while the decision is not binding, it will certainly be persuasive or at the very least leave an indelible lesson for both assureds and insurers to seek clarity and modify policy clauses relating to loss or damage from phishing or other social engineering attacks.
If a higher court were to approve this judgment and a similar practice were adopted in the UK by insurers, it would be very difficult for assureds who use third party providers to assist them with payment transfers and other transactions to successfully claim an indemnity from their insurers under similar policy wording. This would mean that, even though the assured’s system was breached when an employee inadvertently shared their confidential account details, and even though the phishing diverted funds belonging to clients of the assured, a policy bearing clauses similar to those provided above would not respond, since the outcome of the claim would be totally dependent on the definition of ‘hold’ and on what was considered to be in the possession of the assured, as required by the policy, at the time the funds were fraudulently diverted.
To prevent such a harsh outcome for assureds, it is recommended that assureds negotiate with their brokers for their cyber insurance policies or commercial crime policies to include words which would cover situations where funds are being held in the account of an agent or third-party contractor. In so doing, the policy wording could be modified to include not just funds the assured ‘hold or owns’ but also ‘loss of funds for which they have authority to direct’.
We will indemnify you in respect of the following for loss by theft committed on or after the Retroactive Date stated in the schedule which is first discovered during the period of insurance and notified to us in accordance with Claims conditions applicable to Section B:
i) assets due to any fraudulent or dishonest misuse or manipulation by a third party of the computer system operated by you
ii) your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic, telegraphic, cable, telephone or email instructions to debit such account and to transfer, pay or deliver funds from such account and which instructions purport to have come from you but which are fraudulently altered, transmitted or issued by a third party or are
In the event that any party other than an insured person enters into an agreement with a third party entity pretending to be you we will pay reasonable fees and costs to establish that such fraud has occurred should the third party seek to enforce such agreements against you provided that such loss is first discovered and is notified to us during the period of insurance.
The words provided in clause 1a (ii) will cause a different outcome when compared to how property was defined and what was decided by the court in RealPage. In RealPage the National Union insurance policy defined ‘property’ as that ‘i) owned or leased by the assured or ii) that you hold for others whether or not you are legally liable for the loss of such property’. Whereas, under Section B - Crime, clause 1a (ii) of the Zurich Cyber Policy, the assured will be indemnified for ‘your funds or those for which you are responsible at law from an account maintained by you at a financial institution following fraudulent electronic … or email instructions to debit such account and to transfer…’. The difference with the Zurich policy is that, unlike the National Union policy in RealPage, there is no requirement for the assured to ‘hold’ the funds in the literal sense of the word. Furthermore, under the Zurich policy the insurer will only indemnify the assured if the funds are either his or those for which he is responsible at law. This is different in RealPage, as the National Union policy will cover property that the assured holds for others whether or not he is legally liable for the loss. Another distinguishing feature between the two policies is that in the Zurich policy the insurer will cover funds from an account maintained by the assured at a financial institution.
This latter feature has a similar meaning to ‘hold’ as interpreted by the court in RealPage. If we consider, for example, maintenance of a bank account, this includes holding and transferring funds within the account and the execution of other control mechanisms to ensure that the account remains active and in good financial standing. However, others may argue that ‘an account maintained by the assured at a financial institution’ should be given a wider meaning, in that even accounts owned or held by a third party at a financial institution may be maintained by the assured. In other words, maintenance of an account does not necessarily mean that the funds must be held or are being held by the assured, as was decided in RealPage. If this interpretation were applied to the facts in RealPage, it is reasonable to conclude that the insurers would have been held liable to indemnify the assured, since the monies in the account held by Stripe Inc were the legal responsibility of RealPage. Moreover, if the account was used solely to hold funds related to RealPage business, there is no logical reason why it cannot be accepted that RealPage was maintaining the account in accordance with the Zurich policy wording. Either way, the ambiguity and the possibility of a trial would be removed if the parties clearly defined and explained what is meant by ‘maintenance of account’.
For those businesses without a cyber insurance policy, coverage may be acquired under their commercial crime policy. Below is an example of a clause covering this type of loss that can be found in most crime policies:
1. loss of or damage to Money, Securities or Property resulting directly from
Computer Fraud committed solely by a Third Party; or
2. loss of Money or Securities contained in a Transfer Account at a Financial Institution resulting directly from Funds Transfer Fraud committed solely by a
“Funds Transfer Fraud” means fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions by a Third Party issued to a Financial Institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without the Insured’s knowledge or consent.
Some crime policies in their definition section provide that a “Transfer Account” means an account maintained by the Insured at a Financial Institution from which the Insured can initiate the transfer, payment or delivery of Money or Securities. Like the Zurich policy, the implications of the clause will turn on the meaning assigned to ‘maintenance of an account’ as discussed above.
Funds transfer fraud is also covered in Beazley Commercial Crime Insurance Module:
Fund transfer fraud means the transfer of money, securities or other property due to electronic data, computer programs or electronic or telephonic transfer communications within a computer system operated by the insured having been dishonestly, fraudulently, maliciously or criminally modified, replicated, corrupted, altered, deleted, input, created, or prepared.
Fund transfer fraud does not include loss due to social engineering fraud.
Based on this definition and the exclusion of social engineering from Fund transfer fraud, an assured in RealPage’s position could not rely on the Funds transfer clause under their commercial crime policy. Instead, the assured would need to rely on the social engineering fraud clause (where not excluded), variations of which are found in most cyber insurance policies.
Social Engineering Fraud means the insured having authorised, directed or acknowledged the transfer, payment, delivery or receipt of funds or property based on:
an electronic or telephonic transfer communication which dishonestly, fraudulently, maliciously or criminally purports to be, but is not, from a customer of the insured, another office or department of the insured, a financial organisation or vendor; or
a written or printed payment instruction obtained by fraudulent impersonation.
In some policies for example Zurich Cyber Policy, an obligation is placed on the assured to confirm the validity of the transfer instructions before actions are taken to send the funds to the account mentioned in the purported instructions. The confirmation must include ‘either verification of the authenticity or accuracy of the transfer instruction by means of a call back to a predetermined number or the use of some other verification procedure and the assured must keep a written record of the verifications along with all elements of the fraudulent transfer instruction’. It is imperative for assureds to check their cyber insurance and or commercial crime policies to ensure they have adequate protection against phishing and other types of social engineering attacks as cyber criminals will continue to use these attack vectors to steal from companies.
 Civil Action No. 3:19-cv-1350-b (ND Tex Feb 24, 2021)
Trailfinders v Travel Counsellors  EWHC 591 (IPEC) represented the first opportunity for judicial scrutiny of the UK Trade Secrets (Enforcement, etc.) Regulations 2018 (SI 2018/597).
The approach adopted by HH Judge Hacon was that the provisions of the EU Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (EU Dir. 2016/943), especially Chapter II and Articles 6, 7 and 16, had already been implemented – without the need for these Regulations – into our law under common law and equity. Hacon J accordingly “assumed that the substantive principles governing the protection of confidential information under English law, including that afforded by terms implied into contracts of employment and by equitable obligations of confidence, are unaffected by the Directive. However, the Directive shines an occasional light on those principles.” [para.9]
In particular, Hacon J found, “the best guide to the distinction between information which is confidential and that which is not is now to be found in the definition of ‘trade secret’ in Article 2(1) of the Directive 2016/943.” [para.29]
This would imply that the established three stage common law test for confidentiality of: (1) the information itself must have the necessary quality of confidence; (2) the information must have been imparted in circumstances importing an obligation of confidence (either expressly, or which ought reasonably to have been understood by the recipient) and; (3) there must be an unauthorised use of that information to the detriment of the rights holder; now needs to be updated in line with the new statutory definition of a ‘trade secret’ being information which: (1) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question; (2) has commercial value because it is secret, and; (3) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
However, the difficulties inherent within this interplay between the new statutory definition of a ‘trade secret’ and the old common law principles of confidentiality can be illustrated by Hacon J’s legal treatment of the two terms, ‘secret’ and ‘reasonable steps’.
The preamble to the EU Trade Secrets Directive makes clear that its definition, “excludes trivial information and the experience and skills gained by employees in the normal course of their employment, and also excludes information which is generally known among, or is readily accessible to, persons within the circles that normally deal with the kind of information in question.” [para.14]
Mr La Gette and Mr Bishop as the defendants in this case had argued that Trailfinder’s information on clients’ names, nationalities, interests, contact details and past bookings was already in the public domain and was therefore ‘readily accessible’ to them. Trailfinders held this client information on two systems: Viewtrail was an online portal used to record booking details and Superfacts was a software system which recorded information about clients. Bishop had admitted using the Superfacts system to assemble, for about six months before he left Trailfinders, a ‘contact book’ about clients and both he and La Gette admitted accessing Viewtrail after they had left Trailfinders.
Hacon J took the view that the Trailfinder information had met the statutory threshold for being ‘secret’ but went further adding, “Lewison LJ observed in Force India Formula One Team Ltd v Aerolab Srl  EWCA Civ 780;  RPC 36 (with whom Briggs LJ and Sir Stanley Burton agreed): “It is certainly not a defence [to an allegation of breach of confidence] that the person in breach of confidence could have obtained the information elsewhere if he did not in fact do so.” (at ) [para.35]
Wearing the ‘clean hands’ spectacles demanded of equity Hacon J felt able to find that although, “[T]he protection may not have been as rigorous as it should have been [but] Trailfinders clearly took steps to ensure that the Client Information was not openly available to anyone by requiring the use of a password or, in the case of Viewtrail, limiting access to information to clients only if their name and booking reference was known”. [para.73]
This approach would appear to be at variance with that adopted by judicial counterparts in the USA, who, whilst not requiring perfection, on the whole would take a dim view of any failure on the part of a holder of trade secrets to identify and label confidential information as such, or to take steps to restrict ex-employee online access. It is worthy of note that the origins of the broad definition of a ‘trade secret’ under the UK Regulations ultimately lie within American jurisprudence, where State and now Federal Courts have had decades of experience in its interpretation.
The issue may lie in the fact that Hacon J categorised the confidential information at play in this case as class 2 information acquired during the normal course of employment which remains in the employee’s head and becomes part of his own experience and skills (not class 3 information, namely specific ‘trade secrets’ requiring a higher degree of confidentiality) – see Goulding J’s classification in Faccenda Chicken Ltd v Fowler  1 All ER 724, albeit the Court of Appeal ultimately differed with Goulding J’s analysis of where to draw the line between classes 2 and 3. This begs the unanswered question: would Hacon J have demanded more in the way of ‘reasonable steps’ from Trailfinders had he categorised the confidential information as class 3?
Given the EU Trade Secrets Directive does not replace English common law, the overall effect was said to be that a UK trade secret holder could apply for remedies under the common law of confidentiality either in addition, or as an alternative, to the remedies provided under the Trade Secrets Regulations (i.e. in instances where the English common law provided for ‘wider remedies’ – Regulation 3). It will be interesting to see in the future whether our more senior judicial brethren continue to follow Hacon J’s approach of an interplay between the two. But for the time being at least the new Trade Secrets Regulations, and Regulation 2 in particular, can (merely) be viewed as an aid to common law interpretation, illuminating what information now has ‘the necessary quality of confidence’ under both classes 2 and 3, as categorised in the Faccenda Chicken case.
Although cyber risks insurance in the London market is fast growing, more clarity is needed as various types of clauses drafted by different insurers are in use creating an enormous degree of confusion for assureds as to the scope of the cover on offer. With the objective of providing added clarity, from 1 January 2020, Lloyd’s underwriters will be required to clarify whether first-party property damage policies affirm or exclude cyber cover.
This is certainly a positive development and, with the aim of assisting in this process, the Lloyd’s Market Association (LMA) has recently published a number of new clauses for the property and marine markets that can be used with traditional lines of business, e.g. hull & machinery policies, and war risks insurance policies for vessels and other offshore structures. It should be noted that clauses published by the LMA are designed to act as “models” and are distributed for the guidance of its members, who are free to agree to different conditions or amend them as they see fit.
The new clauses published by the LMA comprise a cyber endorsement (LMA5400) and exclusion clause for Property D&F (LMA5401) and a cyber endorsement (LMA5403) and exclusion clause for Marine (LMA5402). All clauses explicitly supersede or replace conflicting policy wording related to cyber loss and data.
Both the property endorsement and exclusion clauses exclude coverage for any cyber loss, as well as any costs related to the use or replacement of data. The endorsement does, however, affirm coverage for physical loss or damage to property caused by fire or explosion that results directly from a cyber incident, as well as coverage for physical damage related to data processing media owned by a policyholder.
The marine clauses, meanwhile, rule out coverage for any loss or expense related to the “failure, error or malfunction of any computer, computer system, computer software programme, code, or process or any other electronic system.” Similarly, they exclude coverage for “the use or operation, as a means for inflicting harm, of any computer, computer system, computer software programme, malicious code, computer virus or process or any other electronic system.” However, the marine cyber endorsement clause makes it clear that if the clause is used with policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, cover will be available for losses arising from the use of any computer, computer system or computer software programme or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.
It should be noted that liability and treaty reinsurance policies will also be required to clarify whether they affirm or exclude cyber cover and these requirements will come into effect in two phases during 2020 and 2021.
The article addresses the reintroduction of the Active Cyber Defense Certainty Act (ACDC) to the 116th U.S. Congress in June 2019 and concludes with the call for a common platform to be agreed on the more aggressive defensive cyber actions (hacking back/Offensive Cyber/legal right to bear cyber arms) that SMEs should and should not be permitted to conduct in defence of trade secrets.
Reading the IP Wales SME Guide to IP Cybersecurity, underpinned by Beale A., Ratcliffe S., Tettenborn A., The Protection of Data in our Digital Age  Journal of Business Law, Issue 6, 2017 p.461-472, has resulted in each of the following businesses seeking to adopt new methodologies and processes to protect their online commercial activities:-
Benchmark Skincare Limited (Managing Director: Peter Friswell) “By seeking to be certified for Cyber Essentials will enable our business to become GDPR compliant, protect itself from phishing emails, protect itself from external cyberattacks, creating an effective and robust backup data storage process.”
Boyns Information Systems (Director: Robert Boyns) “Reading the IP Wales SME Guide to IP Cybersecurity helped increase our awareness on the importance of cybersecurity in the field intellectual property. As a result, we have adopted new methodologies and processes to allow Boyns Information Systems to grow our cybersecurity infrastructure, whilst protecting us from online harm. Being awarded the IP Wales grant assisted our bid to achieve the Cyber Essentials Plus accreditation, preparing us more fully to mitigate any cyberattack.”
Cadmhas Limited (Director of Services: Elfed Williams) “We are a registered charity and company limited by guarantee and as the Director of Services of CADMHAS I have a duty of care and responsibility to both my Directors, Staff and Service Users that we mitigate the threat of a Cyber Attack. I have spoken to our suppliers Boyns Information Systems Ltd., and they have assured me that by following the 5 pillars of the Cyber Essentials Scheme this will help towards my goal of having a system secured to government guidelines. By having the certification and adhering to it, I will be able to focus on the development of our day to day operations and plan towards the future with a good IT foundation to move forward.”
Castell Howell Foods Limited (Head of IT: Paul Rankin) “Having read the IP Wales SME Guide to Cybersecurity, we decided to increase our protection to Cyber Essentials Plus to reduce the risk of being infiltrated or having data breaches in line with GDPR. With an ever-increasing rise in cybercrime it makes sense to do as much as we can to prevent attacks on our company. I can honestly say that I feel much more confident in our security now and would highly recommend others to carry out this process. Thanks again for considering us for the funding, much appreciated.”
CCTV Wales Limited (Compliance Supervisor: Steve Gallagher) “…to ensure that all customer data and company information is properly protected allowing the company to enhance their service and support Cybersecurity in the area.”
David W.Harris & Co. Solicitors (Practice Manager: Neil Startup) “We are now in the process of undertaking risk analysis and management relating to cyber security. We have updated our internal governance to include more detail on IT security, such as: maintenance of an asset register to include the addition or removal of any assets, Updated IT security and systems policies, Implementation of remote access control, Implementation of a protocol to manage remote devices with access to exchange accounts, Implementation of server password policies, Implementation of automatic screen lock down through user inactivity, Introduction of periodic penetration testing, Password Protection introduced for all electronic documents.”
Daydream Education (Operations Director: Wesley Paetel) “Reviewing and updating all internal cybersecurity awareness and reporting processes, reviewing all third-party anti-virus and malware applications, ensuring system security is reviewed regularly, and reviewing our disaster recovery processes as well as educating staff members about the dangers of cybersecurity and how to become more aware of threats.”
Guardian Property Services Limited (Business Development: Lauren Thomas) “It’s apparent that cybersecurity should be a priority of any business, irrespective of size. Having the right level of knowledge and preparation is vital to minimise and control damage, as well as an understanding of the consequences of a breach and how to recover.”
Health & Her Limited (Marketing Director: Kate Bache) “Collecting, protecting and processing sensitive customer data to improve our understanding in the therapeutic areas of female health, including menopause and menstrual wellbeing.”
Masons Moving Group Limited (Financial Controller: Robert Power) “Protecting the business from online harm is of paramount importance and the Guide has enabled us to implement new security and knowledge to ensure cyber threats are eliminated. These new systems will be monitored frequently and updated when necessary.”
Masons Self Storage Limited (Marketing Manager: James Mason) “The Guide has been extremely helpful in helping our business truly understand the impact cyberattacks can have on a small business. We have ensured brand new office procedures have been put in place with efficient regimes of how we hold and process all types of data.”
PLF Wealth Management Limited (Director: Jeremy Freeman) “Your Guide has made me appreciate the myriad of potential cybersecurity attacks that my small firm has to be aware of, and the steps we as a company need to take to protect our data and network from becoming a victim of these attacks. As a small business in the financial services arena, we control large amounts of personal data and sensitive data which could make us a viable target for such attacks.”
The Business Centre (Cardiff) Limited (Centre Manager: Emma Mason) “Reading the Guide has given me great knowledge on how to protect our business from online harm. Using this knowledge has enabled us to put new office processes and procedures in place to ensure that we are protected. We have looked closely at how we hold and process our data.”
IP crime is traditionally viewed as counterfeiting (false branding) and piracy (illegal copying) but cybercriminals (& some state players) are increasingly coming to recognise the value of confidential data held by businesses, be it sensitive information about the business operation (trade secrets) or customer information such as passwords and credit card details (made even more topical with the arrival of the EU General Data Protection Regulation 2016).
These attacks on confidential data are happening globally with increasing rapidity and ever more complexity. Zero-day vulnerabilities (where hackers have discovered and exploit a software security breach before a fix is available) are increasing exponentially.
In response our award-winning business support initiative IP Wales has launched a new Online Initiative 2017-2020, the aim of which is to help small/medium sized enterprises (SMEs) to protect their IP from online threats.
SMEs are particularly vulnerable to cyberattack, with our research (commissioned by the Welsh Government) showing that many take little or no precautions against cyber threats, in the mistaken belief that they are too small to attract the cybercriminal’s attention, or that they don’t possess any data worth stealing. Examples of cyberattacks on SMEs have included:-
• IP ‘Theft’ (i.e. trade secrets), the loss of which seriously undermines a company’s attractiveness to both investors and prospective buyers of the business.
• Ransoming of Data, where the business is coerced into paying off hackers in order to retrieve or access stolen or encrypted data.
• ‘Theft’ of Customer Data (including payment details) which exposes the business to lawsuits, regulatory fines for improper handling of personal data, and reputational damage.
In giving evidence to the Public Accounts Committee (PAC) on Cybersecurity in the UK Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) asserted, “the law of the sea 200 years ago is not a bad parallel” for the “big international question” of cyberspace governance today (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).
In making this assertion Sir Mark may have had in mind articles such as Dr. Florian Egloff’s Cybersecurity and the Age of Privateering: A Historical Analogy, in which the author asserted:
1. “Cyber actors are comparable to the actors of maritime warfare in the sixteenth and seventeenth centuries.
2. The militarisation of cyberspace resembles the situation in the sixteenth century, when states transitioned from a reliance on privateers to dependence on professional navies.
3. As with privateering, the use of non-state actors by states in cyberspace has produced unintended harmful consequences; the emergence of a regime against privateering provides potentially fruitful lessons for international cooperation and the management of these consequences.”
In our IP Wales Guide on Cyber Defence we note: “Since 2004, a UN Group of Governmental Experts (UN GGE) has sought to expedite international norms and regulations to create confidence and security-building measures between member states in cyberspace. In a first major breakthrough, the GGE in 2013 agreed that international law and the UN Charter are applicable to state activity in cyberspace. Two years later, a consensus report outlined four voluntary peace time norms for state conduct in cyberspace: states should not interfere with each other’s critical infrastructure, should not target each other’s emergency services, should assist other states in the forensics of cyberattacks, and states are responsible for operations originating from within their territory.
The latest 2016-17 round of deliberations ended in the stalling of the UN GGE process as its members could not agree on draft paragraph 34, which details how exactly certain international law applies to a states’ use of information and communications technology. While the U.S.A. pushed for detailing international humanitarian law, the right of self-defence, and the law of state responsibility (including the countermeasures applying to cyber operations), other participants, like China and Russia, contended it was premature.”
Indeed China has gone further and condemned the U.S.A. for trying to apply double standards to the issue, in light of public disclosures of spying by their own National Security Agency (NSA).
Sir Mark went on to reveal that because cyberspace governance is being only partly addressed through the UN, “we are looking at coalitions of the willing, such as the OECD and some other countries that have similar systems to ours, to try to approach this.”
Evidence of this strategy in operation can be seen at the Ministerial Council Meeting of the Organisation for Economic Co-operation and Development (OECD) on the 22nd May 2019, when 42 countries adopted five value-based principles on artificial intelligence (AI), including that AI systems “must function in a robust, secure and safe way throughout their life cycles and potential risks should be continually assessed and managed.”
The recently created UK National Cyber Security Centre (NCSC) has sought to give substance to this principle through offering new guidance on cybersecurity design principles. These principles are divided into five categories, loosely aligned with the stages at which a cyberattack can be mitigated:
1. “Establishing the context. All the elements that compose a system should be determined, so the defensive measures will have no blind spots.
2. Making compromise difficult. An attacker can target only the parts of a system they can reach. Therefore, the system should be made as difficult to penetrate as possible.
3. Making disruption difficult. The system should be designed so that it is resilient to denial of service attacks and usage spikes.
4. Making compromise detection easier. The system should be designed so suspicious activity can be spotted as it happens and the necessary action taken.
5. Reducing the impact of compromise. If an attacker succeeds in gaining a foothold, they will then move to exploit the system. This should be made as difficult as possible.”
Alec Ross (Senior Advisor for Innovation to Hillary Clinton as U.S. Secretary of State) warns that “small businesses cannot pay for the type of expensive cybersecurity protection that governments and major corporations can (afford)” (A Ross, Industries of the Future (2016)). It remains to be seen to what extent cybersecurity design principles will become a financial impediment to small businesses engaging with AI developments in the near future.