We Were Hacked and My Employee Wired Money to a Third Party.

Posted at Apr 04, 2019

Am I Covered By My Insurance Policy?
(Part 2)

By: Michael Perlmuter, J.D.  (Chief Executive Officer and General Counsel)
Alex N. Sill Company, LLC
North America’s Leading Public Adjuster and Loss Consultant

My last BLOG, published in January 2019, addressed the above question: Does a company have coverage if, under false pretenses, an unsuspecting employee wires funds to a third party? The BLOG was well read and obviously the topic remains of significant interest based on the number of lookalike cases triggering lawsuits and the inconsistency in court rulings.

I didn’t plan on penning a second article about the issue of insurer’s responsibility with claims related to financial fraud . . . at least not so soon after the first and certainly not in consecutive offerings. However, the response by Peter Halprin, Esq., Partner with the Anderson Kill law firm in New York City, to what will be known as Part 1, presented a compelling case for an update and enhancement.  Peter, who was among the many readers of the initial BLOG, provided details and outcomes of several recent court cases involving cyber fraud schemes.  Hence, I want to share with you those additional court rulings and a few more– all of which underscore the volume of fraud occurrences, insurers’ reluctance to fulfill policy obligations and the varying reactions of courts at different levels to adjudicating lawsuits brought before them.

Please take a quick peek of the prior BLOG at https://www.sill.com/insurance-claims-advice/ if you would like a refresher.

Otherwise, with apology for the detail necessary to convey case law, following is the best summarization demonstrating the difficulties the courts are having wrestling with insurance policies and the coverage for “phishing.”

Quickly, for background, phishing schemes generally occur when a third party “fakes” an identity and sends an email message either to obtain sensitive information or to cause an organization to wire funds to that third party. When that occurs, it often involves a very large sum of money. Some organizations have filed loss claims with their cyber insurance carriers.

The following four lawsuits totaling more than $8 million in aggregated claimswere filed when insurance companies denied coverage to policyholders.Three of matters were appealed thus requiring the attention of seven courts.

In Principle Solutions v. Ironshore Indemnity Co., an employee of the policyholder IT company received an email purportedly from her boss indicating the company was making an acquisition and directing her to work with an attorney named “Mark Leach” to “ensure that the wire goes out today.” The employee then had a telephone conversation with “Mark Leach” who was a fraudster and received wire instructions to be provided to the company’s bank. The company then transferred $1.72 million to a fraudulent third party.  The thief was never caught.

The company/policyholder sought to recover the loss per its crime policy, but the insurer denied coverage, leading to suit. The policy covered “computer and funds transfer fraud” losses resulting directly from a fraudulent instruction directing a financial institution to “debit your‘transfer account’ and transfer, pay or deliver” money or securities from that account. The federal district court granted Summary Judgment to the policyholder finding the language of the crime policy is ambiguous on its face and therefore must be interpreted in the policyholder’s favor.

Ironshore Indemnity argued the loss did not result “directly” because: (1) additional information for the wire was conveyed to the company by “Mr. Leach” after the first email and (2) the company’s employees set and approved the wire transfer.The court found in favor of the defrauded plaintiff, Principle Solutions. The district court did not find the fact that there may have been multiple steps or actions between the original phishing email and the ultimate wire transfer freed Ironshore from its coverage obligations. The case has been appealed to the Eleventh Circuit Court of Appeals. We will keep watch on this case!

Two cases in other circuits –the Sixth Circuit and Second Circuit — similarly found in favor of the policyholders in cyber fraud cases, albeit in one case only on appeal after the policyholder lost in the trial court.

First, in American Tooling Center v. Travelers Cas. And Surety, the policyholder, a tool manufacturer, agreed to pay one of its Chinese suppliers when it hit certain production milestones. Fraudsters, posing as representatives of the Chinese supplier, requested the policyholder wire about $800,000 in payments for real invoices to a bank account controlled by the perpetrators. The policyholder’s employees did so, only discovering the fraud the day after receiving the last fake email. The money could not be retrieved. As such, the policyholder made a claim under its crime policy, which covered the “direct loss” of funds “directly caused by computer fraud,” which is defined as “the use of any computer to fraudulently cause a transfer of money.”

The district/trial court granted Travelers Summary Judgment, finding the policyholder did not suffer a direct loss attributable to the use of a computer because the company took several steps between the time it received the fraudster’s emails and when it wired the funds. The court emphasized the term “direct” was synonymous with “immediate”, without any intervening events. And given the intervening events between the receipt of the fraudulent emails and the authorized transfer of funds, the court found the loss was not a direct loss  caused by the use of a computer. On appeal, the Sixth Circuit appeals court reversed the district court’s decision, granting Summary Judgment to the policyholder, finding that “direct” under Michigan law can mean “immediate” or “proximate” and ruling the computer fraud therein was the proximate cause of the loss, and holding that no exclusions in the policy applied.

In Medidata Solutions v. Federal Insurance Co., the Second Circuit affirmed the ruling of the lower court in finding that a policyholder’s crime policy covered wire transfer losses resulting from an email spoofing attack. In finding against Chubb subsidiary, Federal Ins. Co., the Second Circuit ruled Medidata employees were spoofed into wiring $5 million to an account the fraudster’s emails misrepresented was an outside attorney assisting in an acquisition. The modus operandi was eerily similar to the one that almost got our company!

In Medidata, an accounts payables employee received an email from a Gmail account purportedly belonging to the company’s president requesting a transfer of funds for an acquisition. The message, which was actually sent by a thief, was altered with a “spoofed” computer code causing it to display the president’s picture and email address and was copied to a fake attorney. After corresponding with the fake attorney by email and phone and receiving approval of real corporate officers, the employee transferred nearly $4.8 million to a bank account in China. The money was not recovered and the thief has not been identified. The policy covered “direct loss of money, securities or property” due to computer fraud or funds transfer fraud committed by a third party. The trial court ruled and the appeals court affirmed that although the company’s computers were not “hacked” by a third party, the computer fraud provision’s requirements were still met because the unknown fraudster used a computer code to alter a series of email messages to make it appear as though they originated from the company’s president, resulting in the fraudulent wire transfer.

So, it appears all courts are in line with recognizing that crime policies cover any sort of phishing enterprise that results in a loss, correct? Not so quickly!

Here comes the Ninth Circuit.

In Aqua Star (USA) Corp. v. Travelers Cas. & Sur Co., the Ninth Circuit Court of Appeals affirmed the decision of the district court which held that there was no computer fraud coverage from a fraudulent email scheme because of an exclusion regarding “having the authority” (where the employees took some action to authorize the wires) and no “direct” hacking. Further, the circuit court stated that the exclusion that the policy “will not apply to loss or damages resultingdirectly or indirectly from the input of Electronic Data by a natural person having the authorityto enter the Insured’s Computer System…” applied.

The facts of this case were not too dissimilar to Medidata above. Aqua Star purchased frozen shrimp from a Chinese company. The Chinese company’s computer system was hacked and subsequently the hacker monitored email exchanges between an Aqua Star employee and an employee of the Chinese supplier before beginning to intercept email exchanges and sending fraudulent emails using spoofed email domains that appeared similar to the employees’ actual emails. The hacker directed an Aqua Star employee to change bank account information for the Chinese company for future wires. The Aqua star employee complied and wired approximately $714,000. Aqua Star made a claim under its crime policy. Travelers denied coverage. The district court granted summary judgment in favor of Travelers and the court of appeals affirmed.

So, what have we learned and what do we know for sure?

First, during the policy acquisition stage, it is extraordinarily important for an insured to closely review the language of a crime policy, its exclusions and possible endorsements with its agent prior to its issuance, even suggesting various factual scenarios and receiving confirmation of coverage in writing. Courts seem to focus closely on what is and is not a “direct” loss and whether the specific language of the crime policy is clear or ambiguous and whether there exists an exclusion or endorsement which might limit or exclude coverage. Second, it is strongly encouraged that all companies have strict cyber protection policies in place, so that when an email with wire instructions is received, the existence of the need to transfer funds and the amount of the funds to be wired is verbally approved, if possible, at two different levels.

In response to some negative verdicts, at least one insurance company of which we are aware has created a “Social Engineering Fraud Coverage Endorsement” with relatively low policy limits and relatively high deductibles for the purpose of excluding coverage under any other provision of its crime policy. As with most things in the world of the Sill Company’s insurance claim adjustments, the devil is in the “grey areas!”



Written by Sillco