In one case, a corporate controller received an email from whatappeared to be the company’s chief financial officer, instructingher to wire funds to a new vendor.

In another case, a company’s finance department received a faxfrom what appeared to be a supplier, advising of account changesfor future payments.

In both instances, the recipient of the communication complied,wiring funds pursuant to instruction. In both instances, thecompany fell victim to a scheme that legal and insuranceprofessionals are calling “social engineering” or similarly termedcrimes.

By including a Commercial Crime policy in their insuranceportfolios, companies transfer many of the risks associated withfinancial crimes to insurance policies; however, newer variationsof criminal activity may test the insurer’s obligations to coverthe loss.

More specifically, they may test the breadth of policy wordingthat was not necessarily drafted in contemplation of a new ordeveloping risk. Social engineering crimes represent such a risk.Thus, the answer to the question “Is my company covered forsocial-engineering losses?” is, not surprisingly, “It depends.”

Social-engineering fraud

As background, a social-engineering incident requires theperpetrator to disguise himself as an insider in a position toauthorize payment, or as a third party to whom the companypurportedly owes a payment.

If the perpetrator is successful, the company sends money to anillicit account established for receipt of the mistakenlytransferred funds.

As the scenarios depicted above suggest, the deception may takedifferent forms. The perpetrator may secure a domain name closelyresembling the company's actual domain and then set up an emailaddress to appear as though an actual company official requestedthe transfer. Alternatively, the perpetrator might hack into theofficial's actual email account to send the message. Of course,there are few limits to a criminal’s creativity to devise othermethods of deception to lure organizations into sending themmoney.

In addressing the issue of whether a company’s Crime policycovers losses stemming from social-engineering incidents, athreshold question is whether the existing language in thecompany’s policy would cover such a loss.

(Photo: Thinkstock)

The Medidata case

At least one insurer has recently asserted that the specificlanguage in its policy does not.

In Medidata Solutions, Inc. v. Federal Insurance Co.,Case No. 1:15-cv-00907, in the U.S. District Court for the SouthernDistrict of New York, Medidata is seeking coverage for $4.8 millionthat an employee was tricked into wiring to China at the behest ofan imposter who posed in a fraudulent e-mail as a Medidataexecutive.

The imposter allegedly changed the code in emails to alter thesender’s address, included the executive’s picture and e-signature,and copied a fake attorney with whom the employee latercorresponded to make the fraudulent transfer.

The insurer has argued that the Crime policy at issue onlycovers losses resulting from fraudulent entry of data, or hacking,into a computer system, not a “voluntary” or “intentional” transfermade by a company employee (albeit under falsepretenses).

The insured has countered that the imposter changed the “data”in Medidata’s computer system by modifying the code in the email topose as the executive, thus bringing the claim within the crimepolicy’s insuring agreement. No decision has been made in the caseyet.

Policyholders facing a loss like the one in Medidatalikely would be surprised to learn that their insurers couldattempt to deny coverage.

Where the policyholder has been the victim of a bona fide crimecommitted by an imposter posing as a company executive over e-mail,it will almost invariably expect its crime policy to cover theloss.

It is highly unlikely to view its employee’s transfer of thefunds as being “voluntary” or “intentional,” as the insurer inMedidata has argued. Rather, a policyholder will view thetransfer of money under false pretenses as a result of fraudulentconduct in its computer system as the raison d’etre of itscrime policy.

Language matters

But insurers may be able to point to uncertainties in the policylanguage or the particular facts at issue.

What if the imposter did not change any code in the e-mail, butrather made the e-mail appear similar enough to a companyexecutive’s email and sent it from a separate server? Wouldthe sending of the email into the policyholder’s computer systemconstitute a “fraudulent entry”? What if the imposter did notdo a particularly convincing job and the policyholder’s employerfailed to take reasonable steps to investigate any apparentinconsistencies?

As discussion surrounding the extent of existing coveragepersists, most crime insurers now offer to cover the exposure byendorsement.

In doing so, insurers are providing comfort to policyholdersthat a social-engineering incident is less likely to be subject todispute. Nevertheless, insurers typically provide this coveragewith a sub-limit of liability, that is, a cap on their obligationsat substantially less than the policy’s full limit of liability.Insurers contend this is necessary because of the potentiallycatastrophic nature of social-engineering losses in proportion tothe relatively small amount of premium charged for traditionalcrime policies.

In most cases, insurers provide the coverage after thepolicyholder submits an insurance application supplement. Whetherthe underwriter agrees to issue the coverage may depend on a numberof underwriting factors, such as the extent or lack of internalcontrols over the transfer of funds or changes in paymentinstructions. Additionally, an underwriter may decline to grant thecoverage if there has been a previous social engineeringincident.

If the insurer does agree to issue the coverage, it may chargeadditional premium. Mid-term additions of the coverage might alsobe available on a case-by-case basis. If the insurer does not issuethe coverage, it may try to use its offer of specific coverage for“social engineering” losses as evidence that its main policy formdoes not cover it. However, the coverage provided by the mainpolicy form — in the absence of any endorsement specifically addingcoverage — must be interpreted on its own terms. Theexistence of an endorsement addressing this type of loss does not,on its own, eliminate coverage that the main policy formprovides.

As with any other lines of commercial insurance, a crimepolicy’s language is not uniform among markets. We strongly urgepolicyholders to vet proposed wording through the company’scoverage counsel and insurance broker. Their experience with pastsocial engineering claims and policy language negotiation may wellmake a difference between a claim being covered and a claim notbeing covered.

Tyler Gerking is a partner in Farella Braun + Martel’s SanFrancisco office, where his litigation practice focuses onrecovering insurance policy proceeds for policyholders. He can bereached at [email protected].

John Orr is a Managing Principal of Integro InsuranceBrokers in the firm’s San Francisco office. An executive liabilitycoverage lawyer by background, John co-leads Integro’s nationalClaims Practice. He can be reached at [email protected].