In a case filed in California last week, an insurer has once again taken the position that funds disbursed to computer hackers because of fraudulent commands received via e-mail from hackers are somehow distinguishable from the hacker misappropriating the funds directly. They are not. The typical scheme, a form of social engineering commonly known as “business e-mail compromise” or “CEO fraud,” involves an e-mail from a high-level executive’s e-mail account directing a subordinate employee to wire funds to a bank account actually owned by a third-party scammer, the true author of the e-mail. Insurers have denied coverage for such liabilities, contending that their policies do not cover voluntary disbursements of company funds – as if the insureds intended to give their funds away to the bad guys!
For example, Chubb was recently sued twice for denying coverage to policyholders whose employees were tricked into wiring funds to Chinese bank accounts. In Medidata Solutions Inc. v. Federal Insurance Co., pending in the Southern District of New York, employees in Medidata’s finance department were deceived into transferring $4.8 million to a Chinese bank account based on emails which falsely appeared to come from a Medidata executive. Federal Insurance, a unit of Chubb, insured Medidata under a policy providing coverage for computer fraud, forgery, and funds transfer fraud. Federal Insurance argued that Medidata’s claim is not covered because, among other things, there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds. Similarly, in Ameriforge Group Inc. v. Federal Insurance Co., pending in a Texas state court, scammers impersonating the CEO of Ameriforge Group (“AFGlobal”) convinced the company’s accountant to wire $480,000 to a bank in China. Federal denied AFGlobal’s claim, even though the policy covered loss resulting from computer fraud and funds transfer fraud. According to Federal, however, the scam did not involve forgery of a financial instrument or a hacking event, and the instructions to wire the funds were issued by AFGlobal itself, rather than a third party posing as AFGlobal. Apparently, Federal disregards that the wire transfer order originated from a third-party scammer, not AFGlobal’s CEO.
The problem does not rest only with first-party losses. Policyholders with third-party coverage face similar arguments when victimized by business email compromise. In Maxum Indemnity Company v. Long Beach Escrow Corporation, filed last week in the Central District of California, Long Beach Escrow wired over $250,000 in response to an e-mail order that purported to originate from the owner of the funds. The email, which appeared to come from a partner at the real estate firm whose funds were held in escrow, instructed a Long Beach employee to transfer the funds to a new account. The real estate firm sued Long Beach for both negligence and breach of fiduciary duty, alleging that the escrow corporation should have confirmed the wire request by phone before transferring funds. Long Beach tendered the claim to its insurer, Maxum, but the insurer argues in a recent filing that the claim is barred by the policy’s funds exclusion and fiduciary duty exclusion. In doing so, however, Maxum apparently ignores that an outside imposter – rather than AFGlobal – was responsible for stealing the funds.
These cases and similar filings across the country serve as reminders to businesses that vigilance is key when dealing with cybercrime threats. Not only do threats from fraudsters and hackers change at a rapid pace, but insurers’ arguments for avoiding liability shift nearly as quickly and can lead to costly legal disputes. Policyholders seeking to mitigate their risks should consult coverage counsel to gain a thorough understanding of the threats covered by their policies as well as the availability of more suitable coverage in the marketplace.