As cyber scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events.
Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?
Well, two companies suffered similar incidents, but two different federal appeals courts reached opposite conclusions: one held that the company’s crime insurance policy covered the event, while the other said the policy in its case did not.
The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving high-tech threats to businesses. The devil is always in the details, so you should always read your policy and discuss your concerns and potential risks with us.
This is all important because this kind of crime is growing quickly. Business e-mail compromise scams quadrupled in 2017, and losses ranged from a few thousand dollars up to $3 million, according to an analysis of insurer Beazley’s clients. The average claim amount they received from this type of scam in 2017 was $352,000.
The FBI has cited business e-mail compromise schemes used to intercept and hijack wire transfers as one of the fastest-growing cyber crimes.
Court case one: Covered
In this case, employees of Medidata, a clinical-trial software firm, wired $4.7 million to an account after a series of fraudulent e-mails, which they thought were from their company’s president and the firm’s outside legal counsel, led them to believe the money was for an acquisition by their employer.
As part of the scam, a third party was able to send multiple Medidata employees e-mails that looked like they came from the company president, even including his picture in the “from” field.
The company didn’t have a cyber insurance policy, but it had a Federal Insurance Co. executive protection policy with a crime section that included coverage for computer fraud, funds-transfer fraud and forgery. The insurer rejected Medidata’s claim and the company sued in federal court. The lower court ruled in favor of the insurer, but on appeal the federal appeals court ruled that the policy did in fact cover the loss.
The insurer argued that the policy applies only to hacking-type intrusions. The appeals court found that while no hacking occurred, the fraudsters did insert the spoofing code into Medidata’s e-mail system, which the court said is part of the computer system, and they sent messages that were made to look like they were from high officials at Medidata in order to trick the employees.
The court held that the insurer must pay under the computer fraud portion of its policy.
Court case two: Not covered
In the second case, a federal district court found no crime policy coverage where a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors.
The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.
Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news.
We will work with you to ensure that your coverage is forward-looking and covers more than just last year’s threats. We can also discuss with you how computer fraud coverage interacts with other types of cyber crime policies.