Cybersecurity incidents are a popular topic of coverage in the press. These incidents range from hacking into organizations that hold a large quantity of data about clients, employees, vendors and other stakeholders to duping employees to transfer funds into fraudulent bank accounts. Cybersecurity is a top of mind issue for most organizations. From a risk management standpoint, organizations often purchase insurance coverage as a means of mitigating the impacts of a cybersecurity incident. That said, sometimes there is a disconnect between the type of coverage the insured thinks it is getting and what the policy actually covers.
This was a particularly important focus in the decision The Brick Warehouse LP v. Chubb Insurance Company of Canada, where the Alberta Court of Queen’s Bench found that a vendor impersonation did not fall within the terms of the plaintiff’s crime policy coverage. The case is significant since it is one of the first social engineering fraud cases in Canada and follows the approach taken by US courts in Taylor and Lieberman v. Federal Insurance Company (“Taylor”) and Apache Corporation v. Great American Insurance Company (“Apache”).
In 2010, an individual called the Brick’s accounts payable department claiming to be calling from Toshiba, one of Brick’s vendors. He added that he was new to Toshiba and that he required some missing payment details. The Brick employee faxed the requested information to a number provided by the caller.
A few days later that same month, a different Brick staff member in the accounts payable department received an email from a person purporting to be the Toshiba controller and advising that Toshiba had changed its bank from the Bank of Montreal to the Royal Bank of Canada (“RBC”). Account details for the new RBC account were subsequently provided with the request that payments should now be made to the new account.
A few days later, an individual called the Brick’s accounts payable department and spoke to the employee who had received the email from the “controller” and received confirmation of the transfer of the banking information. Internally, the Brick’s staff changed the banking account information for Toshiba in their system so that payments from the Brick’s bank would be made to the new RBC account. While the employee followed the Brick’s standard practice on changing account information and the paperwork was reviewed by another Brick employee, they did not take any independent steps to verify the validity of the request directly with Toshiba, the Bank of Montreal or RBC.
As a result of the change in banking information, payments that should have gone to Toshiba were now going to a mysterious RBC account. A total of ten Toshiba invoices totalling approximately $338,000 were transferred to the RBC account. In early September 2010, a representative of Toshiba called the Brick to inquire why payments had not been received. The fraud was discovered shortly thereafter. The Brick was only able to recover approximately $113,000 of the funds that were incorrectly transferred.
In December 2011, the Brick submitted a claim to Chubb Insurance for approximately $225,000. Chubb denied coverage for the claim on the basis that the Brick’s instructions to its own bank came from an authorized employee of the Brick and that the instructions were not themselves fraudulent. The Alberta Court of Queen’s Bench heard the case brought by the Brick.
The Brick argued that its loss should have been covered under Chubb’s insurance policy which provided coverage for “Funds Transfer Fraud by a Third Party” with the following language:
Funds Transfer fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.
Chubb had argued that the Court should adopt the approach taken by US court in other similar decisions such as Taylor and Ameriforge Group Inc. v. Federal Insurance Company (“Ameriforge”).
The Court was of the view that for the Brick to be successful, it had to show that its bank transferred funds out of the Brick’s account under instructions from a third party impersonating the Brick.
In this case, the Court was of the view that the funds were transferred by a Brick employee as a result of fraudulent emails. It noted that a Brick employee gave the instructions to its bank to transfer the funds and that the transfer was therefore done with the Brick’s consent. As a result, the Court concluded that the transfer was not directed by a third party and that the Brick was not entitled to recover its loss from Chubb.
This decision is of particular interest given that many Canadian organizations are either purchasing cyber insurance coverage or relying on their existing insurance policy to cover losses flowing from a potential cybersecurity incident. Insureds often assume that social engineering attacks (and the losses flowing from them) will be covered under their insurance policy. However, given that in most instances social engineering attacks manipulate employees to wilfully transfer funds to cyber-criminals, organizations would be well advised to carefully review their existing insurance policies to ensure that these types of attacks would be covered.
Underwriters should also ensure that insureds have appropriate checks and balances to flag and effectively deal with social engineering attacks. This should be coupled with regular training for staff on how to spot fraudulent requests and who to inform within the organization when they occur so that appropriate defensive steps can be taken.
Social engineering attacks are one of most common types of cyber threats that Canadian organizations face and are likely to increase in the coming years. As most organizations that have been victims of such attacks will attest, once funds have been transferred to the cyber-criminal, it is extremely difficult to recover them (if at all).