In one case, a corporate controller received an email from what appeared to be the company’s chief financial officer, instructing her to wire funds to a new vendor.
In another case, a company’s finance department received a fax from what appeared to be a supplier, advising of account changes for future payments.
In both instances, the recipient of the communication complied, wiring funds pursuant to the instruction. In both instances, the company fell victim to a scheme that legal and insurance professionals call “social engineering” (or a similar term).
By including a Commercial Crime policy in their insurance portfolios, companies transfer many of the risks associated with financial crimes to insurance policies; however, newer variations of criminal activity may test the insurer’s obligations to cover the loss.
More specifically, they may test the breadth of policy wording that was not necessarily drafted in contemplation of a new or developing risk. Social engineering crimes represent such a risk. Thus, the answer to the question “Is my company covered for social-engineering losses?” is, not surprisingly, “It depends.”
As background, a social-engineering incident requires the perpetrator to disguise himself as an insider in a position to authorize payment, or as a third party to whom the company purportedly owes a payment.
If the perpetrator is successful, the company sends money to an illicit account established for receipt of the mistakenly transferred funds.
As the scenarios depicted above suggest, the deception may take different forms. The perpetrator may secure a domain name closely resembling the company’s actual domain and then set up an email address to appear as though an actual company official requested the transfer. Alternatively, the perpetrator might hack into the official’s actual email account to send the message. Of course, there are few limits to a criminal’s creativity to devise other methods of deception to lure organizations into sending them money.
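The two deceptions just described (a look-alike domain, and a message that borrows an official’s name while the address belongs elsewhere) are the kind of thing a finance team can screen for before acting on a payment instruction. The following is an added example, not part of the original article, of a small header check of that sort. The company domain `example-corp.com`, the executive name, and the sample messages are all constructed placeholders; `check_message` returns the findings for one message so they can be logged or used to hold a payment for a call-back.

```python
"""Added example (not from the original article): flag incoming payment
instructions whose sender looks like an insider or a known party but is not.
All domains, names and messages below are constructed placeholders."""

from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumed company domain (placeholder)
EXECUTIVES = {"jane doe"}             # constructed name of an official who can authorize payments


def normalize(domain: str) -> str:
    """Undo character substitutions commonly used to build a look-alike domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: str = COMPANY_DOMAIN) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain == trusted:
        return "trusted"
    label = trusted.split(".")[0]          # e.g. 'example-corp'
    if (normalize(domain) == trusted
            or levenshtein(normalize(domain), trusted) <= 2
            or label in domain):           # e.g. 'example-corp.com.evil.net'
        return "lookalike"
    return "external"


def check_message(headers: dict) -> list:
    """Return a list of finding codes for one message's From / Reply-To headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(from_domain)
    if verdict == "lookalike":
        findings.append("lookalike-sender-domain")
    # Display name claims to be an official, but the address is not on our domain.
    if verdict != "trusted" and any(e in name.lower() for e in EXECUTIVES):
        findings.append("executive-name-on-external-domain")
    # A Reply-To on a different domain routes the conversation away from the real sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample headers: a look-alike domain, a diverted Reply-To, a genuine message.
SAMPLE_MESSAGES = [
    {"From": '"Jane Doe, CFO" <jane.doe@examp1e-corp.com>',
     "Subject": "Urgent wire to new vendor"},
    {"From": '"Jane Doe" <jane.doe@example-corp.com>',
     "Reply-To": "<accounts@payments-relay.net>",
     "Subject": "Updated remittance details"},
    {"From": '"Jane Doe" <jane.doe@example-corp.com>',
     "Subject": "Q3 close"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["Subject"], "->", check_message(msg) or "no findings")
```

A check like this does not decide whether a payment is genuine; it only marks instructions that warrant verification through a channel other than the email itself, such as a call to a number already on file.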
In addressing the issue of whether a company’s Crime policy covers losses stemming from social-engineering incidents, a threshold question is whether the existing language in the company’s policy would cover such a loss.
The Medidata case
At least one insurer has recently asserted that the specific language in its policy does not.
In Medidata Solutions, Inc. v. Federal Insurance Co., Case No. 1:15-cv-00907, in the U.S. District Court for the Southern District of New York, Medidata is seeking coverage for $4.8 million that an employee was tricked into wiring to China at the behest of an imposter who posed in a fraudulent e-mail as a Medidata executive.
The imposter allegedly changed the code in emails to alter the sender’s address, included the executive’s picture and e-signature, and copied a fake attorney with whom the employee later corresponded to make the fraudulent transfer.
The insurer has argued that the Crime policy at issue only covers losses resulting from fraudulent entry of data, or hacking, into a computer system, not a “voluntary” or “intentional” transfer made by a company employee (albeit under false pretenses).
The insured has countered that the imposter changed the “data” in Medidata’s computer system by modifying the code in the email to pose as the executive, thus bringing the claim within the crime policy’s insuring agreement. No decision has been made in the case yet.
Policyholders facing a loss like the one in Medidata likely would be surprised to learn that their insurers could attempt to deny coverage.
Where the policyholder has been the victim of a bona fide crime committed by an imposter posing as a company executive over e-mail, it will almost invariably expect its crime policy to cover the loss.
It is highly unlikely to view its employee’s transfer of the funds as “voluntary” or “intentional,” as the insurer in Medidata has argued. Rather, a policyholder will view the transfer of money under false pretenses, resulting from fraudulent conduct in its computer system, as the raison d’être of its crime policy.
But insurers may be able to point to uncertainties in the policy language or the particular facts at issue.
What if the imposter did not change any code in the e-mail, but rather made the e-mail appear similar enough to a company executive’s email and sent it from a separate server? Would the sending of the email into the policyholder’s computer system constitute a “fraudulent entry”? What if the imposter did not do a particularly convincing job and the policyholder’s employee failed to take reasonable steps to investigate any apparent inconsistencies?
As discussion surrounding the extent of existing coverage persists, most crime insurers now offer to cover the exposure by endorsement.
In doing so, insurers are providing comfort to policyholders that a social-engineering incident is less likely to be subject to dispute. Nevertheless, insurers typically provide this coverage with a sub-limit of liability, that is, a cap on their obligations at substantially less than the policy’s full limit of liability. Insurers contend this is necessary because of the potentially catastrophic nature of social-engineering losses in proportion to the relatively small amount of premium charged for traditional crime policies.
In most cases, insurers provide the coverage after the policyholder submits an insurance application supplement. Whether the underwriter agrees to issue the coverage may depend on a number of underwriting factors, such as the extent or lack of internal controls over the transfer of funds or changes in payment instructions. Additionally, an underwriter may decline to grant the coverage if there has been a previous social engineering incident.
If the insurer does agree to issue the coverage, it may charge additional premium. Mid-term additions of the coverage might also be available on a case-by-case basis. If the insurer does not issue the coverage, it may try to use its offer of specific coverage for “social engineering” losses as evidence that its main policy form does not cover it. However, the coverage provided by the main policy form — in the absence of any endorsement specifically adding coverage — must be interpreted on its own terms. The existence of an endorsement addressing this type of loss does not, on its own, eliminate coverage that the main policy form provides.
As with any other lines of commercial insurance, a crime policy’s language is not uniform among markets. We strongly urge policyholders to vet proposed wording through the company’s coverage counsel and insurance broker. Their experience with past social engineering claims and policy language negotiation may well make a difference between a claim being covered and a claim not being covered.
Tyler Gerking is a partner in Farella Braun + Martel’s San Francisco office, where his litigation practice focuses on recovering insurance policy proceeds for policyholders. He can be reached at firstname.lastname@example.org.
John Orr is a Managing Principal of Integro Insurance Brokers in the firm’s San Francisco office. An executive liability coverage lawyer by background, John co-leads Integro’s national Claims Practice. He can be reached at email@example.com.