If you bought cyber insurance so you’d be covered if you were hacked, and then had $1.8 million stolen after being hacked, wouldn’t you expect your insurance claim to be paid? If so, then think again as the claim can be denied due to the wording of the risk insurance contract.

BitPay, a Bitcoin payment processor, had purchased cyber insurance from Massachusetts Bay Insurance Company (MBIC), but BitPay was in for a rude awakening.

In December 2014, an unknown hacker pulled off a social engineering attack; he spearphished BitPay’s Chief Financial Officer, managed to capture corporate credentials, then used the hacked email account to spoof emails to the CEO; the hacker tricked BitPay into making three separate transfer transactions over two days to the tune of 5,000 bitcoins, which were valued at $1,850,000. Well at least the company had cyber insurance, right? No; the insurance company denied the claim due to the wording in the contract; BitPay then sued the insurance company.

The policy, which supposedly covered BitPay for a million dollars, stated (pdf):

We will pay for loss of or damage to “money,” “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”: a. To a person (other than a “messenger”) outside those “premises”; or b. To a place outside those “premises.”

According to court documents obtained by the Atlanta Business Chronicle, BTC Media CEO David Bailey’s computer had been hacked at some point and his email compromised. Bailey had been in negotiations with BitPay about buying BitPay’s magazine yBitcoin. The hacker, posing as Bailey, sent an email to BitPay's CFO Bryan Krohn. The email asked Krohn to review the negotiation modifications on the attached Google document.

Krohn clicked the link and entered his credentials.
One court document (pdf) says after he opened his Google Docs account, his Google account password and authentication codes were compromised, while another (pdf) says Krohn provided the credentials for his BitPay corporate email account. Yet Krohn received an error message after entering his credentials; he did not know the link led “to a website controlled by the hacker.”

After gaining control of the CFO’s corporate email, the attacker allegedly studied Krohn’s emails to discover how BitPay conducted business, “including the fact that Second Market was the sole purchaser of bitcoins with whom BitPay did not require advance payment.” Later that day, the hacker – using Krohn’s email – sent an email to BitPay CEO Stephen Pair; that email, which appeared to contain a purported email chain between Krohn and Second Market, asked the CEO to transfer 1,000 bitcoins to a specific wallet. Two hours later, another email allegedly from Krohn, asked the CEO to transfer another $1,000 from BitPay’s hot wallet to the same wallet address allegedly belonging to Second Market.

Apparently that worked so well for the attacker that he tried it again; the next day another email supposedly from Krohn asked the CEO to send 3,000 bitcoins to Second Market at a different blockchain wallet address. The CEO sent an email to Krohn to check the validity of the request since it exceeded “the usual 1,000-2,000 bitcoin amount between the companies.” After the attacker, again posing as Krohn, replied that the request was valid, the CEO transferred the 3,000 bitcoins.

But this time the CEO carbon copied a Second Market employee when he sent an email confirming the bitcoins had been sent.
She replied that she did not send the prior email and that Second Market did not purchase the 3,000 bitcoins.

BitPay claimed that when the attacker “illegally hacked” Krohn’s computer to send authorizations, “it is this hacking which fraudulently caused the transfers of bitcoin and therefore the loss to Bitpay of bitcoin valued at $1,850,000.”

According to court documents, the insurance company refused to pay and claimed:

The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. "Direct" means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.

Attorneys for MBIC insurance also noted the “important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails.
The loss incurred by BitPay was not a direct loss.” In other words, the insurance company claims it doesn’t have to pay because an authorized system user triggered a transfer.

But that’s not all, as apparently the word “premises” in the cyber insurance policy meant insurance doesn’t have to pay for a bitcoin transfer that occurs online and not on BitPay’s physical property. What kind of Commercial Crime Policy (pdf) cyber insurance doesn’t cover theft that occurs in the cyber world? Andreas Baumhof, CTO of ThreatMetrix, told CSO's Steve Ragan, “Cyber insurances are a bit of a rip-off. Think of car insurance—if it is insured for theft, it doesn’t matter how the theft was executed. In the cyber world, it seems it does matter.”

BitPay is now suing MBIC for breach of contract, bad faith failure to pay and statutory damages; it is seeking $950,000 in damages plus court fees.