Phishing is a criminal hacker’s favorite sport, and for good reason. It’s a tried and true way to land the big one, over and over again. Whether using a spoofed bank website and stolen email addresses to trick customers into divulging account information, sending email messages purporting to be from a senior company official to deceive employees into providing personal health records, or posing as a trusted vendor and transmitting wire transfer instructions to fraudulently divert funds, hackers are reeling in the catch and making it look easy.
But a well-managed company should have sophisticated safeguards in place. And if these fail, there is insurance coverage, right? The prudent policyholder buys all kinds of insurance: It has up-to-the minute “Cyber” coverage. It has Crime and Fidelity coverage with Computer Fraud riders. It has Professional Liability coverage. And of course it has regular old Commercial General Liability and Property coverage. Surely it’s covered for this type of fraud. Or is it?
While seeming to offer products that respond to the latest risks, insurers often provide limited coverage and seek to exclude the most obvious and inevitable losses. A series of recent cases highlight some of the biggest holes in the insurance safety net.
Sometimes coverage that seems to neatly fit the fact pattern contains startling exclusions. Earlier this month, Maxum Indemnity sued Long Beach Escrow in federal court in California seeking a declaration of no coverage. According to Maxum’s complaint, hackers gained control of the email account of a manager of Keely Partners, a real estate company, and sent an email over the manager’s signature to Long Beach, Keely’s escrow agent, requesting three withdrawals totaling over $250,000 to be wired to the hackers’ account. After Keely sued Long Beach for negligence and breach of fiduciary duty, Long Beach made a claim under its Professional Liability policy, which ostensibly covered its acts, errors or omissions in rendering “services as an Escrow Agency.” Maxum sued to enforce a Funds Exclusion, barring coverage for “damages arising out of the commingling, conversion, misappropriation or defalcation of funds or other property,” and a Fiduciary Duty Exclusion, barring coverage for claims arising out of the “insured’s fiduciary duty, responsibility or obligation.” It will be interesting to see whether the court enforces these obligations, or rejects them as rendering the insurer’s promise of coverage illusory. What coverage is left, after all, if an escrow agent isn’t protected against damages for fraudulent funds transfers and breaches of fiduciary duty?
In another recent case, Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co., a federal court in Washington ruled that coverage was barred by an express exclusion in a Crime policy for loss resulting from the input of data by an employee with authority. In that case, a hacker had monitored email exchanges between an employee of Aqua Star, a seafood importer, and an employee of Zhanjiang Longwei Aquatic Products, Aqua Star’s supplier of frozen shrimp. The hacker then sent a “spoofed” email directing the Aqua Star employee to change the bank account information for future wire transfers to Longwei, causing some $700,000 intended for Longwei to be misdirected to the hacker. Aqua Star doubtless believed that the Computer Fraud clause of its Crime policy was designed to protect against just such a loss, but the court ruled that coverage was excluded, because the actual diversion of funds took place when an Aqua Star employee entered the fraudulent bank account information into Aqua Star’s computer system. The decision is now on appeal to the Ninth Circuit.
“Direct” Causation Requirement
Frequently, insurers assert that there is no coverage because the loss did not proximately result from the fraudulent hack, but rather from the intervening actions of duped individuals. Last year, in Apache Corp. v. Great American Insurance Co., a federal court in Texas ruled on an insurer’s challenge that the requirement in the Computer Fraud clause of a Crime policy that the loss result “directly” from the use of a computer was not met. An Apache employee received a call, and then an email attaching a letter, from a person claiming to be an employee of one of Apache’s vendors, requesting a change of the account information to which payment was to be sent for the vendor’s services. The change was made, and $2.4 million was directed to the fraudulent account. The insurer argued that intervening steps by Apache’s employees, i.e. a confirming phone call and a supervisor’s clearance, interrupted the chain of events sufficiently to defeat coverage. The court disagreed, concluding that the email directing Apache to disburse payments to a fraudulent account “was a cause in fact, or ‘substantial factor,’” sufficient to satisfy the policy language. Apache is currently on appeal to the Fifth Circuit.
More recently, the Eighth Circuit in State Bank of Bellingham v. BancInsure, Inc. addressed the requirement in the Computer System Fraud coverage of a Financial Institutions Bond that the loss result “directly” from the fraudulent activity. A hacker infected one of the bank’s computers with malware, and was then able to take advantage of the fact that, at the end of a work day, a Bellingham employee left her computer running, and credentials accessible, in order to make unauthorized transfers to banks in Poland. The district court found coverage, and the Eighth Circuit agreed, ruling that the efficient and proximate cause of the loss was the illegal transfer of money and not the employee’s violations of policies and procedures.
The Devil is in the Details
Some policies offering Computer Fraud or Computer System Fraud coverage apply only to very specific factual scenarios. For example, some require a fraudulent “entry” or “change” of electronic data or a computer program within the policyholder’s computer system. Insurers likely would argue that this coverage does not apply to many phishing incidents. Last year, Medidata Solutions sued Federal Insurance in federal court in New York seeking to test this issue. Medidata’s complaint alleged its employees wired funds to hackers based on fraudulent emails that purported to come from a company executive. The policy contained Computer Fraud coverage requiring a fraudulent “entry” or “change” to the policyholder’s computer system. In a recent order, the court denied both the insurer’s and the policyholder’s motions for summary judgment, and instead granted the parties leave to conduct limited expert discovery regarding the method by which the hacker sent the emails and the “changes,” if any made to the policyholder’s computer systems.
What about Cyber Coverage?
Policyholders might assume that specialized Cyber policies are tailor-made to cover losses from phishing attacks. But insurers likely would argue that such policies do not address the scenarios in the foregoing cases. They would contend that no personal, private information was at issue, so third-party coverage for a “privacy injury” or “privacy event” wouldn’t be triggered. Likewise, coverage for “network security” liability might not be triggered because it typically applies only to a failure of network security to protect against unauthorized access or use of the policyholder’s computer system. Thus, coverage would not be available for the losses in Apache, Aqua Star and Maxum unless the company had purchased “contingent” coverage expressly covering liability arising out of a compromise of a vendor’s or business partner’s computer network.
Computer fraud comes in many forms. When it comes to coverage for the resulting loss, no one size fits all. Each hacking incident must be analyzed on its specific facts, and all available policies reviewed for coverage. Both victims of fraud and those charged with securing the best available protection against it will want to confer with counsel thoroughly versed in the developing insurance market and the latest judicial interpretations of the relevant policy language. Don’t let coverage for that phishing attack be the one that got away.