In an all too common scenario, someone in your organization’s finance department receives an email that purports to be from a supplier informing your organization of the supplier’s supposedly changed bank account and a request for you to make all future payments to the new account. Even after some likely back and forth via phone and/or email with the “supplier,” your employee ultimately changes the payment information in your systems, and future invoices are paid to the new pay-to account. Everything seems fine for a while, and then the problems begin.
Eventually, your company receives an email from the supplier asking why it hasn’t received payment of its recent invoices. When the supplier insists that it has not received payment, in spite of your company’s assurances that all invoices have been paid, your IT department investigates. The IT team figures out that the emails with the new payment information and the phone calls were fraudulent—they were not from your supplier but from a bad actor. It is, of course, too late to recover the fraudulently obtained payments, and in the interest of keeping the supplier, your company pays again.
What happens next? Tracking down the bad actor is generally difficult, if not impossible—he or she knows how to cover his or her tracks. But you realize that your company has a crime insurance policy that provides coverage for events like computer fraud. Surely, your insurer must have to cover the double payment and related costs under those provisions, right?
Unfortunately, the answer is “maybe,” at best.
With the increasing prevalence of what is called “social engineering fraud,” the scope of coverage for such frauds under crime policies is, and has been, the subject of a lot of litigation. Unfortunately, many of the decisions that have thus far been rendered are not encouraging for policyholders.
Computer Fraud Coverage
Computer fraud provisions in crime policies often provide coverage for “loss of . . . money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property . . . .”
Many courts have held that there is no coverage for social engineering fraud under such provisions because the losses resulting from such frauds do not “result directly” from the use of a computer.
For example, in Apache Corp. v. Great American Insurance Co., the insured had, after receipt of a fraudulent email containing updated payment instructions, looked to some extent into the alleged vendor’s request to change its banking information, authorized the change and the payments pursuant to valid invoices, and initiated the payments. The court held that those payments did not result directly enough from the use of a computer to generate the fraudulent email for computer fraud coverage to apply. 662 F. App’x 252, 258-59 (5th Cir. 2016) (per curiam, unpublished opinion). Rather, the court concluded that “the transfers were made not because of fraudulent information, but because [the insured] elected to pay legitimate invoices,” albeit to a fraudulent bank account; that is, “the invoices, not the [fraudulent] email, were the reason for the fund transfers.” Id. at 259; see also, e.g., Incomm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-2671-WSD, 2017 WL 1021749, at *8-*10 (N.D. Ga. Mar. 16, 2017) (losses did not result directly from use of computer because they occurred only when charges were subsequently made, that is, as a result of further human activity).
Similarly, even where a court assumed that the “direct result” requirement was satisfied, it found no coverage because of an exclusion for “loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. C14-1368RSL, 2016 WL 3655265, at *2 (W.D. Wash. July 8, 2016). Because an employee of the insured had entered the fraudulent banking information into the insured’s computer system, the exclusion applied. Id. at *1, *3; see also Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627 (9th Cir. 2017) (no coverage for social engineering fraud where policy required unauthorized entry into insured’s computer system because spoofed email did not constitute such entry).
Hope for Policyholders
There are, however, a few cases that should provide some hope to policyholders. Thus, one court has explicitly rejected the reasoning of Apache (which found insufficient direct causation), stating that “the Court finds [Apache’s] causation analysis unpersuasive,” and holding that the insured’s “employees only initiated the transfer as a direct cause of the thief sending spoof[ed] emails” with fraudulent transfer instructions. Medidata Solutions, Inc. v. Fed. Ins. Co., No. 1:15-cv-00907-ALC (S.D.N.Y. July 21, 2017) (granting summary judgment to insured under crime policy for $4.7 million loss resulting from social engineering fraud).
Similarly, in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., the court held that the insured was entitled to coverage under a crime policy containing a “direct result” requirement even though a company employee had acted upon the fraudulent instructions and initiated the wire transfer at issue because “[i]t is reasonable for [the insured] to interpret the language of the policy to provide coverage even if there were intervening events between the fraud and the loss.” No. 1:15-CV-4130-RWS, 2016 WL 4618761, at *2, *5 (N.D. Ga. Aug. 30, 2016). Although the court found the insurer’s interpretation requiring a more direct linkage between the fraud and the loss also reasonable, it concluded that, “[i]n this circumstance, the Court must construe the policy in the light most favorable to [insured] and provide coverage.” Id.
What’s the takeaway? If your crime policy contains any type of “direct result” requirement in its computer fraud provision, you may not be able to obtain coverage for social engineering fraud under that provision because social engineering fraud typically involves some action by the insured or third parties between receipt of the fraudulent or spoofed information and the transfer of funds resulting in a loss. If that is a concern, the solution may be an endorsement to your crime policy or a cyber policy (with an endorsement, if necessary) that explicitly provides coverage for social engineering fraud.