The growth and sophistication of modern fraud and cybersecurity attacks have necessitated adaptable countermeasures by for-profit and non-profit organisations.
Of these countermeasures, the emergence of niche cybercrime and fraud insurance (eg, cyber liability insurance) has given credence to the ethos that such attacks are not a matter of if but when.(1) One of the benefits of these forms of insurance is anticipating the pernicious reality of the causes of cyberattacks; vulnerabilities may arise from factors which are internal to an organisation as much as threats which are external to it. However, such policies, similar to all insurance policies, are not without their limits.
The Brick Warehouse LP v Chubb Insurance Company of Canada (2017 ABQB 413) recently considered the limits of a funds transfer fraud policy. In August 2010 fraudsters had orchestrated a scheme to have The Brick change its payment information for a supplier, Toshiba Canada, to a new bank account that the fraudsters controlled. Over the course of a few days, the fraudsters had used a combination of telephone and email impersonations of Toshiba employees in a type of fraud known as 'social engineering fraud'. After C$338,322.22 had been transferred to the fraudsters' account and a Toshiba Canada representative had inquired about a delinquent payment, The Brick discovered that it had been a victim of fraud. Although the police recovered some funds, C$224,475.14 remained unrecovered. The Brick made a claim to Chubb Insurance under the policy, which defined 'funds transfer fraud' as:
The fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured's knowledge or consent.
The Brick's right to recovery turned on the scope of its knowledge and consent. Accordingly, Justice Fraser noted (at paragraph 19) that for The Brick to recover losses pursuant to the policy, it must:
Show that its bank transferred funds out of the Brick's account under instructions from a third party impersonating The Brick. It is not covered if The Brick knew about, or consented to the instructions given to the bank. The insurance policy also contains in the exclusion section a clause which denies coverage if the loss is due to the insured knowingly having given or surrendered money, securities or property in exchange or on purchase to a third party, not in collusion with an employee.
In other words, the court conditioned recovery under the policy on the presence of the fraudsters impersonating The Brick and instructing its bank. The court found that The Brick had not been entitled to coverage because the transfer had been done with The Brick's consent and knowledge.
The court considered a US decision, Taylor v Federal Insurance Company (2:14-cv-03608), to find that an employee's knowledge of or consent to a transfer per se, despite fraudulent instructions, excludes coverage. In Taylor, the US Court of Appeals for the Ninth Circuit characterised the relevant scope of knowledge as follows: "Although [Taylor] did not know that the emailed instructions were fraudulent, it did know about the wire transfers."
Giving the undefined terms 'knowledge' and 'consent' their ordinary meaning, the court held that, even though the fraudulent instructions came from a third party, it was The Brick, and not a third party, that had transferred the funds. The Brick employee did not need to give informed consent to a fraudulent transfer in order for The Brick to have the knowledge or consent referred to in the definition of funds transfer fraud.
The US case law which interprets such policies has typically treated a duped employee as the basis for denying coverage for socially engineered frauds. Where the loss must result directly from a fraudulent activity, the duped employee transferring the funds severs the causal nexus. In addition, where the policy covers funds transferred without an insured's knowledge or consent, as in The Brick Warehouse, the court interpreted this to mean that, for recovery to be available, the duped employee could neither consent to, nor have knowledge of, the transfer itself.
In one sense, decisions such as The Brick Warehouse highlight the importance of carefully reading an insurance policy.
In another sense, such decisions and policies undermine the notion that cybersecurity breaches are not a matter of if but when. If employees of an insured who unwittingly facilitate fraud can make the difference in an insured's disentitlement from recovery under such policies, the insured ultimately bears the risk for adequate end-user security training.
Perhaps unsurprisingly, social engineering fraud coverage has emerged as another form of specialised insurance in this area.
For further information on this topic please contact Amjad Khadhair at Dentons Canada LLP by telephone (+1 604 687 4460) or email (firstname.lastname@example.org). The Dentons Canada LLP website can be accessed at www.dentons.com.
(1) For more information please see www.chubb.com/ca-en/business-insurance/cyber-liability-insurance.aspx.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.