Two Courts Rule Crime Policies Cover Wire Fraud, Business Email Compromise
August 28, 2018
By Steve Gottheim
We all know the drill by now. A fraudster gains access to a real estate agent’s or consumer’s email account. They monitor the progress of a transaction. At an opportune time, they spoof a party’s email and contact the title or escrow company sending false wiring instructions. This subterfuge induces the company to wire the transaction proceeds or agent commission to the fraudster.
By the time the scam is discovered, the money is long gone, and the title company’s only hope is it’s insurance. Will this wire transfer fraud or business email compromise (BEC) attack be covered? The answer will depend on what type of policy they purchased and their location.
Coverage for spoofing under a crime policy has been a hot issue in courts this summer. Recently, two federal circuit courts found coverage under a crime policy’s computer fraud provision for losses from a spoofing attack. This contrasts a series of past cases that limited coverage under these clauses to unauthorized intrusions in the policyholder’s systems. See Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675, 679 (N.Y. Ct. App. 2015); Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. 2016).
While this is encouraging news for policyholders, the safest course of action is to review your policy language relating to computer, business email compromise or social engineering fraud and consider buying a stand along cybercrime and/or social engineering policy.
Arming title companies to be informed shoppers when they buy their crime and cyber insurance will be the subject of a session hosted during the upcoming ALTA ONE, Oct. 9-12 in Los Angeles. The session titled, “Make Your insurance Work for You” will provide attendees with the ins-and-outs of coverages and exclusions common in crime and cyberpolicies.
Here's a look at some of the recent court rulings affecting cyber coverage.
American Tooling v. Travelers
In American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), the Sixth Circuit found a crime policy the covered direct losses due to computer fraud covered $800,000 in losses for payments made by a manufacturer intended for its supplier. In this case, American Tooling subcontracted some materials production with a Chinese company. Criminals intercepted a request from American Tooling for invoices from the contractor. The fraudster sent falsified wire instructions to American Tooling. American Tooling, believing the instructions to be genuine, transferred approximately $834,000 to the criminals.
When the fraud came to light, American Tooling paid the actual vendor 50% amounts dues and the vendor agreed that the remaining 50% would be contingent on insurance recovery. American Tooling made a claim under its ts computer crime/fraud policy from Travelers but the claim was denied.
The policy stated the insurer would, ‘‘pay the Insured for the Insured’s direct loss of ... Money ... directly caused by Computer Fraud.” Travelers, and the lower court agreed, that coverage did not exist because American Tooling did not suffer a “direct loss”. The district court said that there were “intervening events” between the spoofed email and the loss, like the American Tooling’s initiating the transfers without verifying the bank account a known safe contact at the subcontractor. The district court also held that coverage for “Computer Fraud” required the fraudster to gain access to the insured’s computer.
The Sixth Circuit rejected these arguments. Using Michigan law, the circuit court found that "direct" meant an immediate or proximate cause, rather than a remote or incidental cause. Applying this standard, the court held that the fraudulent email was the proximate cause of American tooling’s decision to wire funds to the incorrect account. The court explained: "A simplified analogy demonstrates the weakness of Travelers' logic. Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex's fingers. Travelers' theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill. This interpretation defies common sense."
Further, the Sixth Circuit rejected the insurer's argument that the policy's definition of "Computer Fraud" requires the fraudster to gain access to the insured system and wire the funds out themselves. The court said if the insurer wanted to limit its exposure it should have specifically written those terms into the definition.
Medidata v Federal Insurance Co.
The American Tooling opinion came shortly after a similar opinion from the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492, 2018 WL 3339245 (2d Cir. July 6, 2018). In Medidata, financial employees wired over $5 million to fraudsters believing they were acting on the orders of the company president.
The fraudster spoofed the e-mail address of Medidata’s president too convince the company’s finance department to wire money for a purported corporate acquisition. Medidata used Google’s Gmail for business platform. The deception led Medidata’s finance team to transfer $4.8 million to a Chinese bank account.
Federal Insurance Company, a unit of Chubb Corp., insured Medidata under a executive protection policy that included coverage for computer fraud. Federal denied coverage alleging there was not a direct loss since it was Medidata employees took additional steps before wiring the funds. Additionally, they argued that there was no coverage the loss was the result of a breach to Medidata’s systems.
The Second Circuit sides with Medidata finding that the fraudsters crafted a computer-based attack to manipulate Medidata’s email system. It found that the fraudster’s alteration of the ‘‘From’’ field in the spoofed emails changed the “Data elements or program logic of” Medidata’s computer system. This as akin to hacking in the court’s view and within the coverage of the policy.
Additionally, the Second Circuit found that the spoofed email was the direct or proximate cause to the loss.. it explained, “[i]t is clear to us that the spoofing attack was the proximate cause of Medidata’s losses. The chain of events was initiated by the spoofed emails and unfolded rapidly following their receipt. While it is true that the Medidata employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”
Apache v. Great American
As a contrast is the Fifth Circuit, applying Texas law in Apache Corp. v. Great American Ins. Co., 662 F. App’x 252 (5th Cir. 2016), In this case, Apache wired $7 million in invoice payments to a fraudulent bank account based on a spoofed email address for a vendor, Petrofac. The false invoices were preceded by a spoofed phone call from the fraudster and confirmed with a fraudulent email appearing to be on Petrofac letterhead. The wire instructions were confirmed using by Apache employees who called the phony telephone number on the letterhead.
The Fifth Circuit reversed a lower court and denied coverage stating that the loss did not result directly from the use of any computer as required under the policy. The court explained that while it was part of the scheme the email was incidental to the wire transfer. The rationale was the that the transfer of funds was made only because the employees ‘‘failed to investigate accurately’’ the false instructions.
Contact ALTA at 202-296-3671 or email@example.com.