The Fifth Circuit Court of Appeals, in an unpublished decision released this month, held that a Crime Policy’s “Computer Fraud” coverage did not cover a $2.4 million loss suffered by a policyholder after a social engineering fraud was perpetrated on its accounts payable department. While the decision will undoubtedly be cited by insurers as persuasive authority supporting their denial of similar claims, the Fifth Circuit’s decision should ultimately prove to be merely a minor roadblock on the path to coverage for policyholders.
Social engineering attacks have increased at an exponential rate in recent years. Indeed, the FBI has observed a 1,300 percent increase in business email compromise schemes (an increasingly prevalent form of social engineering fraud) since January 2015. This corresponds to an estimated $3.1 billion in exposed identified losses to businesses worldwide. Unsurprisingly, businesses have turned to their first-party crime insurance policies to recoup the substantial amounts lost as a result of social engineering fraud.
Equally unsurprisingly, insurers have been quick to deny claims submitted by policyholders under their traditional crime coverage provisions relating to computer fraud, forgery, or fraudulent transfers. Instead, insurers believe that policyholders must purchase very specific language in their policies covering social engineering fraud, much in the same way insurers steered policyholders towards cyber crime-specific policies several years ago.
In Apache Corp. v. Great Am. Ins. Co., No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016), the Fifth Circuit Court of Appeals held that a crime policy’s “Computer Fraud” coverage did not cover Apache as a result of a social engineering “payment diversion” scheme that resulted in $7 million being diverted to a scammer’s bank account.
The social engineering scheme at issue in Apache originated from a telephone call placed to an employee in Apache’s accounts payable department by a scammer posing as a representative from one of Apache’s vendors. The scammer directed Apache’s employee to change the bank account information for all future payments made by Apache to the vendor. Apache’s employee replied that the information could not be changed without a written request on company letterhead.
A week later, Apache’s employee received an email from a spoofed email address that closely resembled the vendor’s email domain name. The email referred the employee to an attached letter, ostensibly on the vendor’s letterhead, directing that the vendor’s bank account information be changed. Apache’s employee called the number on the letterhead – which had been altered to direct the call to the scammer’s phone – and was satisfied enough with the response that the vendor’s payment information was changed. The scam was discovered by Apache one month later when the vendor contacted Apache to inquire as to the status of its payments. While Apache was able to recover part of the diverted payments, it was left with an approximately $2.4 million loss for which Apache sought reimbursement under its crime policy.
The “Computer Fraud” provision at issue in Apache covered the “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: a. to a person (other than a messenger) outside those premises; or b. to a place outside those premises.”
Examining this policy provision, the Fifth Circuit adopted the insurer’s position that the “computer use” deployed in furtherance of this particular scheme was insufficient to implicate the policy’s Computer Fraud coverage. “The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.” 2016 WL 6090901, at *6 (5th Cir. Oct. 18, 2016). The Court noted that the fraudulent email was sent only after Apache's employee advised, in response to the scammer’s telephone call, that the request had to be made on the vendor’s letterhead. “Accordingly, the computer-use was in response to Apache's refusing, during the telephone call, to, for example, transcribe the change-request, which it could have then investigated with its records.”
Despite the holding in the insurer’s favor, the Fifth Circuit’s decision in Apache should not be viewed as a significant roadblock in a policyholder’s path to coverage under traditional crime policies for losses resulting from social engineering fraud. First, unlike many other social engineering fraud scams, the scam at issue in Apache originated with a telephone call rather than a hacked or spoofed email. Thus, the Apache decision does not conflict with other decisions, such as Owens, Schine, & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., 50 Conn. L. Rptr. 665, 2010 WL 4226958, at *8 (Conn. Super. Ct. 20 Sept. 2010), vacated, 2012 WL 12246940 (Conn. Super. Ct. 18 Apr. 2012), or Principle Sols. Grp., LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016), both of which found for the policyholder in claims arising from social engineering schemes that originated with, and were highly reliant upon, electronic communications disseminated from spoofed or hacked email accounts.
Further, the Fifth Circuit’s decision was highly critical of Apache’s procedures and diligence in confirming the change request. For example, the Court questioned the employee’s decision to contact the phone number provided on the scammer’s spoofed letterhead rather than the number the company had on file for the vendor. The Court also criticized Apache’s process for confirming such requests in general.
The pursuit of coverage for social engineering fraud and similar computer-related crimes is a highly fact-intensive endeavor. The facts presented by the Apache decision were largely unfavorable to the policyholder and were atypical of the common business email compromise schemes that are targeting businesses of all sizes and industries. Victims of social engineering attacks should not be discouraged by the Fifth Circuit’s decision in Apache and are advised to continue pursuing insurance coverage for losses resulting from social engineering and computer-related fraud.