Written by Partner Patrick Frye for the Winter 2022 Edition of Powerhouse Points, A Quarterly Litigation Update.
- Computer fraud insurance coverage can apply to frauds based on faked emails
- Coverage still applies even though company employees voluntarily participated in the fraud after they were tricked into paying the fraudster
- Coverage will not apply if the express terms of the insurance make coverage contingent on the insured’s lack of knowledge or consent
Many cyber-losses are frauds that begin with an email to an insured company. Appearing to have been sent by an officer in, or a legitimate vendor for, the company, the email may demand that the company wire money to a specified bank account. After the company wires the money, it learns that the email was sent not by an officer or vendor, but instead by a stranger far abroad. That money is lost for good. To recover its loss, the defrauded company may turn to insurance commonly known as Computer Fraud coverage to seek to be made whole on the money it lost from a scheme in which it was a willing, albeit unwitting, participant. Whether the company will actually obtain insurance proceeds for this loss depends on the exact circumstances of the fraud and the exact language of the insurance contract, as seen in the following examples.
Consider these scenarios in which an insured Company is defrauded:
- Company receives an email apparently from its vendor’s accountant—but this email address is one letter off the accountant’s true email. The impersonator provides payment instructions for fulfillment of the Company’s legitimate outstanding order with that vendor. After the Company pays the fraudster over $300,000, the real vendor inquires about payment on that order.
- Upon taking a phone call from someone professing to be a Company vendor, a Company employee instructs the caller to submit any new wiring instructions by email. The next week, the Company’s accounts payable department receives those instructions in an email from an account that appears to be—but in fact is not—the vendor’s. After a Company employee calls the telephone number provided in the email to confirm the authenticity of the email, another Company employee implements the change, and the Company thereafter issues over $7 million in payments to criminals in Latvia, before the true vendor complains about the Company’s arrears.
- Company emails its Chinese vendor for submission of all outstanding invoices, and the vendor advises that it has changed its banking details. Company later receives an email from someone claiming to be the vendor, who requests several payments to a new bank account. (This imposter apparently intercepted the earlier emails between the Company and its vendor.) Having no process for verifying the changed information, Company simply makes the payments, totalling more than $800,000, before the actual vendor demands the same payments.
- Company CFO receives a response to his email to a vendor, in which response the vendor instructs that future payments should be sent to a new bank account. The CFO thereafter authorizes payments totalling $1.025 million to the new account by initiating the transfer through an online banking system, which was confirmed by a Company employee on the bank’s website and orally authorized by the Company COO during a call with the bank. Afterwards, the genuine vendor demands the same payments.
- A Company employee in accounts payable receives an email appearing to be from the Company president—the ‘from’ field displayed the president’s name, email address, and picture. (The thief coded his emails to cause the Company system to falsely display them as truly from the president—i.e., the email is ‘spoofed’.) This email notifies the employee to expect a call from an attorney, who later demands a wire transfer to him. After she advises the caller that this payment would require both an email making this request and the authorization of two other Company officers, she and those officers receive a second email ostensibly from the president. Then the employee initiates and the officers approve a $4.8 million transfer. The bona fide Company president later advises he had not requested the transfer.
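Two of the scenarios above turn on indicators that an email system can check before anyone acts on a payment request: an address one letter off a known vendor's (the first scenario) and a displayed sender that does not match where the message really came from (the spoofed email in the last scenario). The following is an added illustration, not part of the article and not a description of any system used by the companies in these cases. It assumes a hypothetical allow-list of known counterpart addresses and uses constructed sample headers; it flags a lookalike sender by edit distance and a mismatch between the From: address and the Return-Path: envelope sender.

```python
"""Flag two sender-side indicators from the fraud scenarios above:
a lookalike address one character off a known counterpart address, and a
message whose displayed From: address does not match the envelope sender
recorded in Return-Path:. All addresses and headers are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of addresses the company actually deals with.
KNOWN_SENDERS = {
    "accounts@vendor-example.com",
    "president@company-example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'one letter off' addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def analyze(raw_message: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_addr, return_path = from_addr.lower(), return_path.lower()
    findings = []

    # Indicator 1: sender is not known but is within two edits of a known address.
    if from_addr not in KNOWN_SENDERS:
        close = sorted(k for k in KNOWN_SENDERS if edit_distance(from_addr, k) <= 2)
        if close:
            findings.append(f"lookalike sender {from_addr} resembles {close[0]}")

    # Indicator 2: displayed From: domain differs from the envelope sender domain.
    from_domain = from_addr.rpartition("@")[2]
    rp_domain = return_path.rpartition("@")[2]
    if return_path and rp_domain != from_domain:
        findings.append(
            f"From domain {from_domain} does not match Return-Path domain {rp_domain}")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = (
    "Return-Path: <accounts@vend0r-example.com>\n"
    "From: Vendor Accounts <accounts@vend0r-example.com>\n"
    "Subject: Updated wiring instructions\n\n"
    "Please remit payment on the open order to the new account.\n")

SPOOFED = (
    "Return-Path: <bounce@relay-example.net>\n"
    "From: Company President <president@company-example.com>\n"
    "Subject: Expect a call from counsel\n\n"
    "An attorney will call you shortly about a transfer.\n")

LEGITIMATE = (
    "Return-Path: <accounts@vendor-example.com>\n"
    "From: Vendor Accounts <accounts@vendor-example.com>\n"
    "Subject: Invoice 1042\n\n"
    "Attached is the invoice for last month.\n")

if __name__ == "__main__":
    for name, sample in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                         ("legitimate", LEGITIMATE)):
        print(name, analyze(sample) or ["no findings"])
```

A Return-Path: mismatch is only a heuristic: a sender who controls the submitting mail server can set the envelope sender freely, so the durable control is SPF/DKIM alignment enforced by a DMARC policy on the receiving side, together with an out-of-band confirmation step for any change to payment details.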
In each case above, the Company sought reimbursement of those payments under insurance coverage against computer fraud, and the Insurer rejected that claim. Lawsuits followed. Three of the Companies won insurance coverage for their claims; the other two did not.
In the first case above, the court entered a verdict in favor of the Company. The Insurer promised to pay for loss of money “resulting directly from the use of any computer to fraudulently cause a transfer of that property” to someone or somewhere outside the Company’s premises. Although the payment immediately and necessarily followed from the Company employees’ authorization of it, the court deemed that payment a sufficiently “direct” result of the fraudulent email that induced them to take that action. Cincinnati Ins. Co. v. Norfolk Truck Center, 430 F. Supp. 3d 116 (E.D. Va. 2019).
In the next case, the appellate court ordered judgment to be entered against the Company and in favor of the Insurer. This case’s insurance policy had the exact same language as the first case’s policy. This case’s result differed from the first case’s because the court decided that the imposter email was only “incidental” to the overall fraud. Apache Corp. v. Great Am. Ins. Co., 662 Fed. App’x 252 (5th Cir. 2016).
In the third case, the appellate court held that Company’s claim fell within the insurance policy’s coverage for the “direct loss of . . . Money . . . directly caused by Computer Fraud.” This language was satisfied because the Company believed it was paying a legitimate debt, but instead paid an imposter solely because of a fraudulent email. Am. Tooling Center v. Travelers Cas. & Sur. Co., 895 F.3d 455 (6th Cir. 2018).
In the fourth case, the court held that the claim did not fall within the Insurer’s promise to pay for loss of money “resulting directly from Computer Transfer Fraud” that causes money to be paid to someone else “without the Insured Entity’s knowledge or consent.” Although the Company was clearly fooled into making the payments, its employees were aware of the payments—which they themselves authorized. Miss. Silicon Holdings v. Axis Ins. Co., 843 Fed. App’x 581 (5th Cir. 2021).
In the final case, the court held the claim to fall within the Insurer’s promise to pay for the “direct loss of Money . . . resulting from Computer Fraud committed by a Third Party.” The court found coverage because the spoofed email changed data in the Company email system in order to deceive the recipients into believing that the email came from the Company president. Medidata Solutions Inc. v. Fed. Ins. Co., 729 Fed. App’x 117 (2d Cir. 2018).
In these cases, the courts found coverage whenever the fraudulent email was central to the scheme and the insurance contract did not require the payment to be unauthorized. The courts were not overly strict in their application of the contractual requirement of loss being the ‘direct’ result of the computer fraud. They might have held that the payment was not such a ‘direct’ result because after the fraudulent email was received, the Company itself needed to authorize the payment and could have refused. Yet the courts took a more lenient view in favor of awarding coverage to the insureds.
This does not mean, however, that the same Computer Fraud coverage will always apply to those frauds—the law on insurance coverage varies from state to state, and all insurance contracts contain a variety of different exclusions that might apply. That said, a company believing itself to be vulnerable to this type of fraud should—after it bolsters its processes for avoiding these types of fraud in the first place—consider whether its existing insurance coverage might reimburse the stolen money.