BitPay, a Bitcoin payment processor, was hacked in 2014. When BitPay filed an insurance claim with Massachusetts Bay Insurance Company (MBIC), the insurer rejected it, because the initial compromise that led to the $1.85M theft was of a business partner's systems, not BitPay's own.
In 2014, BitPay was targeted by a criminal who first went after a business partner.
On or around December 11, after compromising an email account used by yBitcoin's David Bailey, the person responsible for the theft sent an email to BitPay's CFO, Bryan Krohn, directing him to a malicious website. The website asked for Krohn's credentials, and from that point the criminal had control over the CFO's corporate account.
It wasn't a quick snatch and grab; the attacker took their time and studied how the company conducted business. After a while, Krohn's email account was used to direct BitPay CEO Stephen Pair to transfer BTC to what was presented as a customer's wallet but was in fact controlled by the attacker.
In a series of transactions, nearly 5,000 BTC were stolen, with a value of $1.85M.
After the theft was discovered, BitPay filed a claim with MBIC for the maximum amount allowed under the policy, $950,000.
MBIC refused to pay, stating in part that the attack wasn't covered under the policy:
"... the Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises... The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured..."
So should BitPay be surprised that the claim was rejected, given the wording on the policy?
"I think it's on [BitPay] for not understanding what they bought. Certainly, they did buy some risk insurance, but when someone buys a cyber risk policy, don't assume it covers everything connected to a computer. There are very specific things that are covered and a whole lot of things that aren't covered," commented Jeff Schmidt, CEO of JAS Global Advisors.
Insurance is a tricky thing, and policies against Web-based threats and incidents are quickly gaining traction in the market, so the particulars of what a policy actually covers matter. Yet the space is young and organizations are still figuring out what they have bought, which is how the situation BitPay is facing came about.
"So this is very topical and just highlights the issue with insurance in a fast-moving market. All the cyber insurance companies have their terms and conditions, but because there are so many unknowns, they are very specific about what they can insure -- and apparently phishing isn't covered," said Andreas Baumhof, CTO of ThreatMetrix.
This isn't BitPay’s fault, Baumhof added, but it highlights that companies need to address the core issue and not just rely on insurance.
"At the same time I believe that these cyber insurances are a bit of a rip-off. Think of car insurance -- if it is insured for theft, it doesn’t matter how the theft was executed. In the cyber world, it seems it does matter."
BitPay wouldn't comment on the pending legal action against MBIC. Copies of the court documents are available via Atlanta Business Chronicle and are linked below.