New Insurance Endorsement Can Protect Businesses from $2.3 Billion Scheme
By Nick Reuhs and Paul Schmitt
Phyllis works for an accounting department in a business that occasionally conducts transactions with overseas entities. Eventually she receives an e-mail from the company’s CFO requesting that she transfer money to an overseas bank account to help close an important and urgent deal involving the company’s acquisition of new assets. The fact that the CFO has e‑mailed Phyllis is not unusual, nor is the fact that she asked Phyllis to transfer company money overseas out of the ordinary. In fact, the e-mail looks identical in format and tenor to others Phyllis received in the past. Unfortunately for Phyllis and her employer, in this case fraudsters have broken into a company e-mail account and identified company officers with financial authorization responsibilities and employees with control over financial assets and accounts. They have duped one of those employees – Phyllis, in this case – into following what seem like typical orders. However, unlike a typical transaction, Phyllis has been directed to transfer funds to an overseas account that will be emptied by the fraudsters shortly after her deposit is made.
Phyllis and her employer are the victims of a sophisticated type of phishing scam known as Business E-mail Compromise (BEC). BEC scams affect businesses of every size and industry. According to the FBI, over 17,600 victims reported crimes with losses totaling more than $2.3 billion between October 2013 and February 2016.[i] And this type of fraud is increasingly common; since January 2015, the FBI has witnessed a 270 percent increase in identified victims and exposed loss.
Once the fraud is discovered, a company like the one Phyllis works for will naturally turn to its insurer, confident that its commercial property policy’s provisions on Funds Transfer Fraud will cover this fraudulent act. However, over the last few years a growing number of insurance companies have claimed that BEC and similar scams are beyond the scope of traditional Funds Transfer Fraud coverage. The insurers rely on the language of the policy itself, which was written at a time when Funds Transfer Fraud schemes involved an imposter attempting to dupe the bank, not the business itself, into transferring funds away from client accounts.
Typical policy language regarding Computer Fraud and Funds Transfer Fraud provides:
The Computer Fraud and Funds Transfer Fraud Coverage Limit shown in the Schedule of this endorsement is the most we will pay for loss of ‘money’ and ‘securities’ resulting directly from a ‘fraudulent instruction’ directing a financial institution to transfer, pay or deliver ‘money’ and ‘securities’ from your ‘transfer account.’
The language contemplates covering fraud that occurs through a fraudster’s personal interaction with the financial institution itself. In BEC cases, however, an authorized agent has been duped into interacting with the bank to the fraudster’s benefit. In other words, BEC involves an honest-to-goodness instruction, not a “fraudulent instruction.” Insurers rest their refusal of coverage upon this important, if subtle, distinction.
As a response, duped businesses have taken to litigation, hoping that courts will interpret the policy provisions regarding Funds Transfer Fraud broadly enough to cover BEC and similar scams.[ii] In these cases, defrauded companies are struggling to make the traditional language fit the more sophisticated crimes prevalent today, hoping that courts will help them recover at least some of the hundreds of thousands – or even millions – of dollars that they lost through these scams.
Although the results of these litigation efforts are mixed, companies should avoid the potential need for litigation altogether by adding endorsements to their policies that include these newer scams. By adding a “Fraudulently Induced Transfer” endorsement or a “Social Engineering” endorsement to their policies (the actual name varies by insurer), businesses can fill this significant gap in their coverage for a nominal cost. These endorsements are designed to cover BEC and protect the actions of employees and businesses when they submit fraudulently induced requests for transfers to their financial institutions. In contrast to the policy language covering Funds Transfer Fraud defined above, a Fraudulently Induced Transfer endorsement covers:
A transfer resulting from a payment order transmitted from you to a financial institution, or a check drawn by you, made in good faith reliance upon an electronic, telefacsimile, telephone or written instruction received by you from a person purporting to be an Employee, your customer, a Vendor or an Owner establishing or changing the method, destination or account for payments to such Employee, customer, Vendor or Owner that was in fact transmitted to you by someone impersonating the Employee, customer, Vendor or Owner without your knowledge or consent and without the knowledge or consent of the Employee, customer, Vendor or Owner.
The endorsement’s language specifically fills the problematic coverage gap in the traditional Funds Transfer Fraud language. Many insurers now offer these endorsements for a modest charge, and they typically provide coverage of up to $250,000 per incident. More coverage is often available with additional underwriting.
For more information on protecting your business from data scams, contact Nick Reuhs or a member of our Data Security and Privacy Practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[ii] Medidata Solutions, Inc. v. Federal Insurance Co., No. 1:15-cv-00907 (S.D.N.Y.); BitPay, Inc. v. Massachusetts Bay Insurance Co., No. 1:15-cv-03238 (N.D. Ga.); Ameriforge Group, Inc. v. Federal Insurance Co., No. 16-cv-377 (S.D. Tex.).