In the emerging area of cyber insurance law, the promise of what is covered is still being tested. Courts are trying to apply traditional insurance contract principles to cyber losses and policies with little legal framework or discussion to guide them. A recent federal decision out of Mississippi involving Gore, Kilpatrick & Dambrino, PLLC, and Spinnaker Insurance Company highlights just how unsettled this area of insurance law remains.[1]
The case arises out of an increasingly common fraud. A law firm is contacted by what appears to be a legitimate client, receives what looks like a legitimate check, deposits it, confirms the funds have “cleared,” and then wires money only to learn that the entire transaction was a carefully orchestrated scam. The law firm turned to its cyber insurance policy, expecting that it and a “social engineering” endorsement would pay the loss. The insurer said “no.” The court agreed with the insurer.
The court found that the policy’s language was unambiguous and that the facts alleged did not meet the definition of a covered “Social Engineering Incident.” I am not so certain this finding is correct.
Cyber policies are relatively new. Their forms are evolving. Cyber policies with social engineering coverage are often advertised as addressing this scenario.
Yet, the court reduced the central issue to whether the instruction to transfer funds was sent by an “imposter” purporting to be a person who exchanges or is under contract to exchange goods or services with the insured. That framing sounds precise, even surgical. But it is also too narrow.
What the policy actually says matters. It covers instructions “purporting to be” from such a person. Those words are not accidental. They exist because social engineering fraud, by its very nature, involves deception. The fraudster is not the real client. The fraudster is pretending to be the client. The entire scheme depends on that fiction. By focusing on whether there was an actual underlying business relationship, the court effectively read the word “purporting” out of the policy. In my opinion, based on traditional rules regarding interpretation of insurance contracts, this reasoning for no coverage is flawed.
If coverage requires a real, legitimate business relationship, then many, if not most, social engineering scams fall outside the policy. That is not how these endorsements are marketed, sold, or understood. It raises a troubling question: if the fraud must involve a real client to be covered, what exactly is this coverage for?
The court’s reasoning becomes even more strained when it concludes that the instruction could not have been sent by an imposter if the individual giving the instruction was the client. That statement may sound logical at first blush, but it collapses under scrutiny. It assumes that the fraudster becomes the client simply by engaging the firm. But a fabricated identity does not transform into a real contractual counterparty simply because a contract was signed. The entire relationship was built on false pretenses. The “client” never existed in any meaningful sense. Treating the fraudster as the client is a category error, confusing appearance with reality.
These analytical gaps are significant. They matter not only for this case but also for how courts will interpret cyber policies going forward. If courts continue to construe these provisions narrowly, insureds may find that the coverage they believed they purchased offers far less protection than expected.
Despite these concerns, the court’s ultimate ruling may still be correct. The uncomfortable truth is that this case does not turn solely on the definition of “imposter.” There are other grounds on which the insurer may stand, depending on the facts.
The policy requires that the transfer result from reliance on an instruction transmitted via email. Here, the facts suggest that the firm did not simply rely on an email. It verified the instructions by phone and then made a conscious decision to wire the funds. Arguably, one could draw a line between being tricked by an email and voluntarily transferring funds after independent verification, even if that verification itself was part of the fraud. Yet, this is what most cyber insurers require policyholders to do—verify the identity with a third party via a discussion before wiring the money.
There is also the broader issue of causation. The loss did not occur when the email was received. It occurred when the firm initiated the wire transfer. That act, knowingly sending money out the door, has been viewed by some courts as breaking the chain of causation required for coverage under both social engineering and funds transfer fraud provisions.
In other words, while the court may have taken a questionable path, it may have arrived at the right destination.
This is precisely why the case is a strong candidate for appeal. Contract interpretation is reviewed de novo, meaning the appellate court will not defer to the district court’s reasoning. The insured will have a legitimate argument that the court misinterpreted the policy language, particularly the meaning of “purporting to be” and the treatment of the imposter issue. There is also a credible argument that the case was dismissed too early, before the factual nuances of how the instructions were transmitted and relied upon could be fully developed.
Cyber insurance law is new. Policy forms are being drafted, revised, and tested in real time. Courts are being asked to rule on new wording. Insureds are learning, sometimes the hard way, that not all fraud is created equal in the eyes of the policies being sold to them.
The lesson is not that all cyber insurance lacks value. The exact wording of these policies and the claims culture of the companies selling them matter. The precise sequence of events and the method by which instructions are transmitted and verified are not mere technicalities under these cyber coverages. They are the difference between coverage and denial.
As this area of law continues to evolve, one thing is certain. The next generation of cases will further refine these issues. Somewhere along the way, courts will have to confront the fundamental question this case only partially answered: When a business is deceived into wiring money to a fraudster, what did the parties really intend the policy to cover?
For commercial policyholders, I suggest choosing your cyber insurer carefully. Some cyber insurers promise a lot with advertising and brochures but take away even more with sharp policy language and a claims culture to match.
Thought For The Day
“The great difficulty in life is not persuading people to accept new ideas, but to make them forget the old ones.”
John Maynard Keynes
[1] Gore, Kilpatrick & Dambrino, LLC v. Spinnaker Ins. Co., No. 4:25-cv-107 (N.D. Miss. March 31, 2026).



