
Covering Phishing & Other Social Engineering Attacks: The State of Play in Computer Fraud Insurance

As our economy grows increasingly dependent upon online services, we become ever-more vulnerable to cyber-attacks. In particular, online social engineering schemes, such as phishing or business email compromises (BEC), have caused significant losses to individuals and businesses alike. These schemes often involve deceiving people by impersonating a trusted colleague or vendor in order to gain access to systems or receive funds in online wire transfers. This could lead to serious financial losses. Companies have looked to insurance options with hopes of mitigating these risks. But do insurance policies typically cover losses resulting from phishing or BEC?

Imagine you are contracted with a vendor to whom you make periodic payments for services. One day, you receive a message from the vendor’s email address, requesting that you send payments to a new account due to an audit or perhaps the implications of a foreign banking regulation. Accordingly, you access your company’s online payment system, manually update the vendor’s banking information to reflect the new account, and then wire payments per the contract. Alternatively, imagine you receive an email message with your company’s president’s name, email address, and picture in the “From” field that instructs you to transfer funds to an account in order to finance a deal that is in closing. You wire the money as instructed; however, as it turns out, the account belongs to a fraudster who compromised your president’s business email. In either scenario, would your insurance cover the losses resulting from the fraudulent emails?

Recently, policyholders have sought coverage for such losses under commercial crime insurance policies. Specifically, they seek coverage under standard Computer Fraud provisions that often grant coverage for the policyholder’s “direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” (Emphasis added). However, coverage issues arise when applying the Computer Fraud provision to scenarios like the ones above. For example, was the wire transfer a “direct loss”? Did the transaction constitute “Computer Fraud”? Did the Computer Fraud “directly cause” the loss?

Courts across the country are currently split on these issues. Initially, decisions from the Ninth Circuit, Fifth Circuit, and Eleventh Circuit Courts of Appeals found that similar losses were not covered by Computer Fraud provisions under crime insurance policies. See, e.g., Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. 2016) (“Pestmaster”); see, e.g., Apache Corp. v. Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016) (“Apache”); see, e.g., Interactive Communications v. Great American, 731 F. App’x 929 (11th Cir. 2018) (“Interactive Communications”). Recently, however, the Second Circuit and Sixth Circuit Courts of Appeals have found that Computer Fraud provisions did cover losses resulting from similar BEC incidents. See, e.g., Medidata Sols., Inc. v. Federal Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, 729 F. App’x 117 (2d Cir. 2018); see, e.g., Am. Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., 835 F.3d 455 (6th Cir. 2018) (Aug. 28, 2018) (“American Tooling”).

Among the issues litigated, there are three on which the courts have primarily focused.

What is a “direct loss”?

Some insurance companies have argued that wiring funds to a fraudster vendor is not a “direct loss” under the Computer Fraud provision when the policyholder was contracted to send money for services or goods it already received. Instead, the argument is that the loss occurs later when the real vendor demands the money it is still owed and which the policyholder sent to the fraudster.

In American Tooling, the Sixth Circuit Court of Appeals—applying Michigan law—rejected this characterization. Am. Tooling Center, Inc., 835 F.3d 455 (6th Cir. 2018). There, the policyholder was under contract to make periodic payments to a Chinese vendor for goods provided. Employees of the policyholder received emails from the vendor’s email account with requests that the policyholder re-route payments to a new bank account “due to an audit” and later “due to some new bank rules in [China].” After wiring approximately $834,000 to the new account, the real vendor made a demand for the same payments at which point the policyholder discovered it had sent the money to an imposter. When the policyholder sought coverage for Computer Fraud, the insurer denied it for, among other things, a lack of “direct loss.”

The Sixth Circuit, however, disagreed with the insurer. Under its analysis, it defined a “direct” loss as “one resulting from an ‘immediate’ or ‘proximate’ cause, as distinct from remote or incidental causes.” The court found that a “direct loss” occurred at the moment when the policyholder sent money to the fraudster vendor, and accordingly, ruled that Computer Fraud coverage applied.

Is “Computer Fraud” limited to brute-force hacking or does it include social engineering that manipulates an authorized individual to act?

Arguably one of the most central issues in Computer Fraud coverage analysis is whether the coverage is limited to losses resulting from brute-force hacking or if it includes social engineering. The difference lies in the involvement of authorized personnel. For brute-force hacking, the fraudster uses a computer to hack into a policyholder’s system and transfer funds himself. For social engineering like BEC, the fraudster uses the computer to trick a policyholder or an authorized agent into manually modifying routing information and then wiring money.

Crime insurance policies often define “Computer Fraud” as “[t]he use of any computer to fraudulently cause a transfer of Money….” Insurers tend to argue that this definition requires a computer to “fraudulently cause the transfer” which, consequently, excludes social engineering incidents from coverage, because they involve acts by an authorized individual—that is, the employee who manually changes the account information. Conversely, policyholders counter that the definition includes social engineering where an impersonator sends a fraudulent email using a computer that fraudulently causes the policyholder to act.

In Pestmaster, the Ninth Circuit Court of Appeals—applying California law—agreed with the insurer argument and interpreted the phrase “‘fraudulently cause a transfer’ to require an unauthorized transfer of funds.” Pestmaster Servs., Inc., 656 F. App’x 332 (9th Cir. 2016). There, the policyholder had hired a vendor to handle its payroll tax services and granted it electronic access to its bank account. The claimed loss arose when the vendor failed to pay the taxes and kept the money. In response to the policyholder’s insurance claim, the insurer denied coverage on the basis that no “Computer Fraud” had occurred under the policy’s definition.

The Ninth Circuit agreed with the insurer. It found there was no “Computer Fraud” under the policy’s definition, because the policyholder had given the vendor authority to access and make payments with its online bank account.

A few months after Pestmaster was decided in 2016, the Fifth Circuit Court of Appeals—applying Texas law—followed the Ninth Circuit’s reasoning and found that a BEC incident did not constitute a covered “Computer Fraud.” Apache Corp., 662 F. App’x 252 (5th Cir. 2016). In Apache, the policyholder sought coverage under the Computer Fraud provision for losses resulting from money it transferred to a fraudster’s bank account. There, the fraudster impersonated one of the policyholder’s vendors in an email and convinced the policyholder to wire money to a new bank account. In the court’s analysis, it found this was not Computer Fraud. Instead, it found that the fraudulent “email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.”

Unlike Pestmaster and Apache, the Sixth Circuit in American Tooling found that a fraudulent email that fraudulently causes the policyholder—authorized or not—to transfer money constitutes “Computer Fraud.” Am. Tooling Center, Inc., 835 F.3d 455 (6th Cir. 2018). The Sixth Circuit rejected the narrow definition of “Computer Fraud” that limits it to brute-force hacking. Instead, the court explained that had the insurer “wished to limit the definition of computer fraud to such criminal behavior it could have done so.” In effect, the Sixth Circuit found that certain losses arising from social engineering are included under certain policies’ definitions of “Computer Fraud.”

When is a “direct loss” “directly caused by a Computer Fraud”?

Causation has been another issue litigated in Computer Fraud coverage cases. Again, under the standard language, a “direct loss” is covered if “directly caused by Computer Fraud.” Assuming that a Computer Fraud occurred, the question becomes whether it “directly caused” the loss or if time or some other superseding factor rendered the loss too attenuated for coverage. Insurers argue that “directly caused” means the loss should be immediate and coverage does not apply when numerous steps separate the Computer Fraud from the loss. Conversely, policyholders argue that the phrase “directly caused” includes both immediate and proximate cause within its definition. In other words, if the Computer Fraud is the dominant cause that leads to the loss, then causation is satisfied regardless of intervening factors.

In Interactive Communications, the Eleventh Circuit Court of Appeals—applying Georgia law—agreed with the insurer and found that “directly caused” meant the loss had to be immediate. Interactive Communications, 731 F. App’x 929 (11th Cir. 2018). The court analyzed the issue of causation by laying out the factual chain of events that occurred from the Computer Fraud perpetrated on the policyholder’s system to the loss of funds. Specifically, the court identified the following four steps that occurred in the incident from fraud to finish: (1) the fraudster manipulated the policyholder’s computer system to allow for double redemption of pre-paid debit cards; (2) that fraud induced the policyholder to transfer money to its account held by a third party; (3) the fraudster made a purchase using the debit cards; and (4) the third party deducted the amount of the purchase from the policyholder’s account. Having identified the chain of events, the Eleventh Circuit concluded the Computer Fraud at Step 1 was too far removed from the loss—or “point of no return” where the policyholder actually lost control of the funds—at Step 4. As a result, the court found that the loss was not “directly caused by Computer Fraud,” because it was not immediate.

Only two months after Interactive Communications was decided in mid-2018, the Sixth Circuit rendered its opinion in the earlier-cited American Tooling case. Unlike the Eleventh Circuit, the Sixth Circuit held that the Computer Fraud in American Tooling “directly caused” the loss. See Am. Tooling Center, Inc., 835 F.3d 455 (6th Cir. 2018). Applying the Eleventh Circuit’s steps approach, the court found that the fraudulent email in American Tooling was Step 1 and the policyholder’s subsequent internal actions and transfer of money were Step 2.

Similarly, the Second Circuit Court of Appeals—applying New York law—recently found a “direct loss” is equivalent to proximate cause for the purposes of Computer Fraud. See Medidata, 729 F. App’x 117 (2d Cir. 2018). In Medidata, an insurer had denied coverage for losses resulting from a “spoofing” attack where the fraudsters sent the policyholder’s employees emails apparently coming from a high-ranking member of the company. The emails instructed the employees to transfer funds in accordance with an acquisition, and the employees complied. In review of the claim, the insurer argued the loss was not “direct,” because the employees transferred the funds. The court, however, disagreed with the insurer and found that “the spoofing attack was the proximate cause of [the policyholder’s] losses” and, thus, was covered. The court explained the fraudulent email was the proximate cause:

The chain of events was initiated by the spoofed emails, and unfolded rapidly following their receipt. While it is true that the [policyholder’s] employees themselves had to take action to effectuate the transfer, we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred. The employees were acting, they believed, at the behest of a high-ranking member of [the policyholder].

Coverage Going Forward

As described above, there is a lot of disagreement among the courts about Computer Fraud coverage. Some insurers have sought to modify their policies to clarify the definition of “Computer Fraud” and alternatively offer separate endorsements for social engineering. See District of Columbia, SERFF Tracking #: SURE-130089148, Department of Insurance, Securities and Banking (Aug. 28, 2018 1:32 pm), http://serff.disb.dc.gov/DownloadPdf.ashx?id=SURE-130089148.

Businesses should re-evaluate their insurance coverage to determine the extent of their cyber exposure. It is important that you take the time to fully understand what your policies cover and what they exclude.

For more information, contact Christian Robertson or another member of our Insurance Coverage and Recovery Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
