Various courts across the country have reached mixed decisions for insurance coverage disputes involving insureds who fell victims of social engineering crimes. The court’s ruling in Medidata Solutions Inc. v. Federal Insurance Company,1 finding coverage for the insured who was spoofed by e-mail fraudsters was previously discussed by my colleague, Verne Pedro. As Verne pointed out in his blog, the debate over whether and when victims of cyber-crimes are covered under computer fraud and similar policy provisions remains contentious and unsettled.
Recently, in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Company,2 the United States Court of Appeals for the Ninth Circuit affirmed summary judgment holding that Travelers’ policy exclusion foreclose coverage for theft involving the company’s email system, known as “business email compromise scam” (“BEC”).
Aqua Star (USA) Corp. (“the insured”) was the victim of an e-mail scheme when it was tricked to transfer money to the cybercriminal under the guise that the cybercriminal was the Insured’s supplier. The cybercriminal hacked into the supplier’s computer system and gained control over the emails. The insured received an email purportedly from its supplier instructing it to issue payments to a new bank account because the government placed a “hold” on the supplier’s bank accounts due to tax related disputes.
The insured requested its Treasury Department to change the payment instruction for the supplier in its electronic database for future payments. Ultimately, the insured claimed to have lost in excess $700,000 as a result of the theft before the fraud was exposed. Travelers denied the claim arguing that the “Computer Fraud” provision in the policy did not apply because there was no fraudulent entry of data into insured’s computer system.
The Computer Fraud Insuring Agreement provided coverage for “direct loss…directly caused by Computer Fraud.” “Computer Fraud” means the “use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises.”
The policy also contained a number of exclusions. Exclusion G precluded coverage for “loss…resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System, unless covered under Insuring Agreements A.1., A.2., A.3., F.2. or G” (the Employee Theft coverages, the Electronic Data Restoration coverage, and the Funds Transfer Fraud Coverage).
Travelers further argued that the loss was precluded by Exclusion G because insured’s employee had authorized access and voluntarily inputted electronic data into its computer system, which ultimately led to the transfer of funds from the insured’s bank account to the cybercriminal’s bank account. The insured rejected arguments by Travelers that coverage was limited only to hacking into insured’s computers and reasoned that the underlying fraud is the only reason that the insured wired its money to the perpetrator. It further argued that the innocent entry of the electronic data amounts to nothing more than internal accounting procedures, which is insignificant and did not cause the loss.
The Ninth Circuit affirmed the district court’s grant of summary judgment to Travelers, holding that the employees “had the authority to enter” the insured’s systems when they “input” the “Electronic Data” on Aqua Star computers “to change the wiring information and authorize the four wires.” It further concluded that Aqua Star employee “conduct fits squarely within the Exclusion [G].”
This opinion highlights the insureds uphill battle of arguing coverage under computer fraud or similar provisions of the policy when duped into voluntarily transferring money, which turns out to be for a fraudulent purpose. The methods used by cybercriminals to access the data system to trick an insured has a significant impact on coverage. As social engineering crimes are on the raise, it is imperative for you to review your policy to determine whether the exclusions might limit coverage and to inquire about extra coverages you can add that may be useful.
1 Medidata Solutions Inc. v. Federal Ins. Co., case number 1:15-cv-00907 (S.D. N.Y. July 21, 2017).
2 Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America, No. 16-35614, 2018 WL 1804338 (9th Cir. Apr. 17, 2018).