As instances of fraudulently induced monetary transfers continue to rise, policyholders should carefully review their insurance policies to understand what forms of computer fraud-related loss are covered. In the absence of a standalone cyberliability policy, fidelity and crime insurance policies may limit coverage to unauthorized system access, along the lines of computer hacking. Such policies may also limit coverage only to losses that are the “direct” result of computer fraud. As a result, policyholders may find themselves without coverage for losses that are not caused by direct hacking into a computer system — such as instances where employees are induced to wire or otherwise transfer funds in response to fraudulent inquiries. To avoid a coverage gap, policyholders should consider separate coverage specific to these types of losses — such as a standalone cyberliability policy — or attempt to negotiate broader coverage within existing fidelity and crime policies.
A business email compromise (BEC) is a scam in which criminals trick company employees into wiring money to fraudulent accounts. These are also commonly referred to as fraudulently induced transfers. For example, in one form, a company employee receives an email that appears to come from the CEO, directing the employee to wire money to a particular account. The employee wires the money, only to discover that the CEO never requested the transaction, and the money disappears. According to the FBI, BEC scams resulted in $5.3 billion in reported losses in the United States between October 2013 and December 2016.
A fair number of courts have considered the issue of whether fidelity and crime policies with “computer fraud” provisions provide coverage for BEC events in which employees are fraudulently induced to respond to inquiries purporting to be from a valid source, and in response, wire money to a third-party perpetrator. These courts are divided, however, as to whether coverage is available for these types of BEC events under fidelity and crime policies. The Fifth and Ninth Circuits have both held that typical computer fraud provisions do not extend to losses resulting from this type of fraud. Apache Corp. v. Great Am. Insurance Co., 662 F. App’x 252 (5th Cir. 2016); Pestmaster Servs. Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. 2016); Taylor & Lieberman v. Fed. Insurance Co., 681 F. App’x 627 (9th Cir. 2017). Despite this appellate authority, some district judges in other circuits have held that policyholders are, in fact, entitled to coverage under similar circumstances.
A set of recent decisions underscores the uncertainty about whether fidelity and crime insurance policies that provide coverage for “computer fraud” will apply in response to a BEC event. The cases have similar facts and similar policy provisions. However, the outcomes are different, highlighting the need for policyholders to consider obtaining specialized coverage to avoid potential coverage gaps.
In August 2016, a Georgia district court ruled that the computer fraud provision of a company’s commercial crime policy provided coverage for an incident in which an employee wired funds outside of the company after being induced to do so by receipt of an email later determined to be fraudulent. Principle Sols. Grp. LLC v. Ironshore Indem. Inc., No. 1:15-CV-4130-RWS, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016). In that case, the insurer argued that the loss did not result “directly” from a computer fraud because there were multiple intervening steps between the employee’s receipt of the fraudulent email and actually wiring the money. The district court disagreed, holding that the policy could reasonably be understood to cover a loss resulting from computer fraud, even where there were intervening steps between the initial fraud and the later loss. The insurer has filed an appeal, which is currently pending.
In July 2017, a New York district court likewise ruled that the computer fraud provision of a company’s commercial crime policy provided coverage for an incident in which a perpetrator sent fraudulent emails to company employees, tricking them into wiring money overseas. Medidata Sols. Inc. v. Fed. Insurance Co., No. 15-CV-907 (ALC) (S.D.N.Y. July 21, 2017). In that case, the relevant policy provision covered losses related to “fraudulent entry” or changing of data in the company’s computer system. The insurer argued that the provision was limited to hacking events, and did not apply where a third party did not directly hack into the company’s computers. The district court disagreed, explaining that a scheme involving fraudulent emails designed to look like they came from the company’s president was simply a different form of fraudulent entry covered under the language of the computer fraud provision. The insurer has also filed an appeal in this case, which is currently pending.
Most recently, on Aug. 1, 2017, a Michigan district court reached the opposite conclusion, holding that a company was not entitled to coverage under its commercial crime policy for an incident in which perpetrators posing as a vendor used fraudulent emails to induce company employees to wire money to a sham account. Am. Tooling Ctr. Inc. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017). There, the relevant portion of the policy defined computer fraud as the use of “any computer” to “fraudulently cause” a money transfer. The company argued that a wire transfer made in response to a fraudulent email is computer fraud under the policy, but the insurer responded that it was not a direct loss in the sense that it was not directly caused by the use of a computer. In this instance, the district court agreed with the insurer, finding that the company did not suffer a loss directly caused by the use of a computer, where there were several intervening steps between the receipt of the emails and the funds being wired in response. The district court judge noted that in his view, there was no infiltration or hacking of the company’s computer system; rather, company employees authorized the funds transfer and only later discovered that the transfer request had been fraudulent.
These cases underscore the growing uncertainty surrounding whether traditional fidelity and crime insurance policies will provide coverage for incidents in which a company’s employee is induced to wire or otherwise transfer funds to a third-party perpetrator in response to instructions whose fraudulent nature is not discovered until after the loss has occurred. Until the law develops further, policyholders should evaluate the necessity of separate coverage particular to these types of losses — such as a standalone cyberliability policy — or instead attempt to obtain broader coverage in their existing fidelity and crime policies.