BitPay, a Bitcoin payment processor, was hacked in 2014. When BitPay filed its insurance claim with Massachusetts Bay Insurance Company (MBIC), the insurer rejected it, because the initial incident that led to the $1.85M theft compromised a business partner and not BitPay itself.
In 2014, BitPay was targeted by a criminal who first went after a business partner.
On or around December 11, after compromising an email account used by yBitcoin's David Bailey, the person responsible for the theft sent an email to BitPay's CFO, Bryan Krohn, directing him to a malicious website. The website asked for Krohn's credentials, and from that point the criminal had control over the CFO's corporate account.
It wasn't a quick snatch and grab; the attacker took their time and studied how the company conducted business. After a while, Krohn's email account was used to direct BitPay CEO, Stephen Pair, to transfer BTC to a customer's wallet under their control.
In a series of transactions, nearly 5,000 BTC were stolen, with a value of $1.85M.
After the theft was discovered, BitPay filed a claim with MBIC for the maximum amount allowed under the policy: $950,000.
MBIC refused to pay, stating in part that the attack wasn't covered under the policy:
"... the Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises... The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured..."
So should BitPay be surprised that the claim was rejected, given the wording on the policy?
"I think it's on [BitPay] for not understanding what they bought. Certainly, they did buy some risk insurance, but when someone buys a cyber risk policy, don't assume it covers everything connected to a computer. There are very specific things that are covered and a whole lot of things that aren't covered," commented Jeff Schmidt, CEO of JAS Global Advisors.
Insurance is a tricky thing, and policies against Web-based threats and incidents are quickly gaining traction in the market, so the particulars are important. Yet, the space is young and organizations are still figuring it out, which is why the situation BitPay is facing exists.