In some instances, a commercial crime insurance policy may offer coverage for money a company loses due to a cyber attack, a court has ruled.
The 11th U.S. Circuit Court of Appeals in Atlanta has ruled that an insurer must indemnify a policyholder that was scammed out of more than $1.7 million in a phishing incident under its commercial crime policy.
The decision is good news for companies who have not purchased cyber insurance but have commercial crime policies.
This is at least the third precedent-setting case in which a court has ruled that a commercial crime policy can cover losses “directly” resulting from computer fraud.
Crime insurance companies, when denying hacking claims that resulted in monetary losses, will often argue that hacks and phishing scams are “indirect” losses, which are not covered by their commercial crime policy because someone on the outside duped an employee into transferring funds to a third party.
The most recent case
In the most recent case, the controller of IT services provider Principle Solutions Group LLC received an e-mail purported to be from the company’s managing director, directing her to write $1.7 million to an account at a Chinese bank. The communication said she would receive instructions in an e-mail from an attorney, which she did and so she initiated the transfer.
Before the bank issued the wire, its fraud unit intervened and held the money transfer. The controller contacted the “attorney,” who confirmed that the managing director had approved the transaction. Upon receiving that information, the bank released the wire. Unfortunately, it was all a fraud and the managing director knew nothing about it.
After Principal Solutions discovered that request was fraudulent, it filed a claim under its commercial crime policy with Ironshore Indemnity Inc., which denied coverage. The company subsequently sued the insurer and the local court ruled in its favor. Ironshore appealed, but the appeals court upheld the lower court’s ruling.
In rejecting the insurer’s argument that the loss did not result directly from the fraudulent instruction, the court found that the ordinary meaning of the phrase “resulting directly from” requires proximate causation between a covered event and a loss, not an immediate link. The court held that as a matter of law there was proximate cause and the intervening communications, including the bank’s hold, were not sufficient to sever the causal chain.
This decision follows two 2018 decisions by federal appellate courts — the Second Circuit in Medidata Solutions, Inc. vs. Federal Insurance Company, and the Sixth Circuit in American Tooling Center, Inc. vs. Travelers Casualty & Surety Co. — which ruled that the insurers’ policies in both cases covered losses “directly” resulting from computer fraud.
In the American Tooling case, the court wrote that the policy language did not distinguish between frauds based on how they induce a transfer.
What to do
- Try to avoid getting hit by phishing scams in the first place by training employees to recognize suspicious e-mails.
- Invest in the latest security measures.
- Set up stricter protocols for paying large sums to new accounts.
- Review your crime coverage and any policy relating to computer, business e-mail compromise or social-engineering fraud to see if you are covered. If you have concerns, feel free to call us for a review.
- If you do suffer a breach and loss, promptly notify all potentially implicated lines of insurance coverage.