Imagine the excitement of being hand-picked by the CEO to execute an important and confidential financial transaction that is expected to take your company to the next level! Then imagine the emptiness of learning that there was no acquisition, the email you received with confidential instructions wasn't really from the CEO, and the money you wired is gone forever. You've been duped — the email was sent by an imposter with a spoofed email made to look real. And if you're the CEO, imagine finding out you have no insurance coverage for this loss! Unless you bought a specific endorsement, you probably don't.

In November 2017, the FBI noted a 2,370% increase in such incidents in the last two years and more than $5 billion in related losses over the last four years worldwide. The increasing prevalence of "social engineering" or "business email compromise" schemes has made waves in the insurance industry and has forced courts to answer this question: Is a financial loss connected to an email "spoof" covered by standard Computer Fraud or Funds Transfer Fraud insuring clauses found in commercial crime policies or financial institution bonds?

Recently, two federal courts of appeal have (correctly) answered this question in the negative. [Taylor & Lieberman v. Fed. Ins. Co., 681 Fed. Appx. 627 (9th Cir. 2017) and Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016)]. The same question is now before the Second and Sixth Circuits in two similar cases decided differently by their respective district courts. Will the trend continue? Or will one of the courts deviate, creating a split among the circuits and a jurisdiction about which we must be wary?

How the trial courts decided

On July 21, 2017, the U.S. District Court for the Southern District of New York issued a decision in Medidata Solutions, Inc. v. Federal Insurance Co., holding that a wire transfer of nearly $4.8 million in connection with a social engineering scheme was covered under the Funds Transfer Fraud and Computer Fraud insuring agreements of a commercial crime policy. Federal has appealed this decision to the Second Circuit.

On Aug. 1, 2017, the U.S. District Court for the Eastern District of Michigan issued a ruling in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, finding no coverage under the Computer Fraud insuring agreement of a commercial crime policy for a wire transfer of approximately $800,000 in connection with a similar fraudulent impersonation scheme. American Tooling has appealed this decision to the Sixth Circuit.

What's a direct loss?

In recent years, the fidelity/crime insurance market has increasingly responded to this new risk by offering endorsements, revised wordings, and stand-alone social engineering insurance products. Prior to these offerings, the exposure to email-initiated fraudulent impersonation losses did not fall within the scope of coverage under standard form wordings, as they are not losses "resulting directly from" any covered peril, among other reasons. However, the decision in Medidata threatens to redefine what constitutes a direct loss (as did Apache before the Fifth Circuit's reversal), which could have far-reaching implications beyond the social engineering losses discussed here. (Telephone Instruction Fraud coverage has existed for years, but requires strict testing as a condition precedent to coverage. Email spoofing schemes were not previously contemplated for coverage under standard form wordings.)

The issue of "direct loss" is not a new one by any measure, and although a majority of jurisdictions follow the "direct means direct" approach, many others interpret the phrase "loss resulting directly from" more liberally in favor of coverage. So what happens when an employee receives an email, opens and reads it, then acts on it by taking various steps to knowingly and voluntarily effectuate a multi-million dollar wire transfer? Yes, money is lost — but such loss seemingly could not be more indirect in relation to the keystrokes entered by the fraudster who sent the email, with fingers crossed that there is a trusting person on the receiving end choosing not to follow internal policies and procedures.

If the loss is an indirect or consequential result of the subject conduct, no coverage should attach. An interpretation otherwise is inconsistent with the unambiguous language of the policies and with the drafters' intent.

It's important to remember that standard form crime and financial institution bond wordings are the joint work product of the Surety & Fidelity Association of America (SFAA) and policyholder groups including the American Bankers Association. In friend-of-the-court briefs recently filed in both Medidata and American Tooling, the SFAA emphasizes that the risk in social engineering schemes does not align with the intent of computer fraud coverage, and that insurers and insureds have a mutual interest in seeing that the risk of loss transferred by commercial crime policies is predictable and consistent with the premiums charged.

Impact on availability of coverage

Aside from issues of policy construction and interpretation, an ultimate finding of coverage in either of these cases could gravely impact the availability of insurance coverage for those situations intended to be covered under a Computer Fraud insuring agreement (that is, a hacking situation whereby the fraudulent input of data or computer programs into an insured's computer system directly causes the debit of money from the insured's account) or a Funds Transfer insuring agreement (that is, when a fraudulent instruction is issued to a financial institution, purportedly by the insured, but in reality unbeknownst to and without the consent of the insured).

As many courts have noted, if coverage is triggered simply because a computer was used in the commission of a fraud, essentially all commercial fraud would be covered because computers are used in nearly every transaction in modern commerce. The scope of the Computer Fraud insuring agreement would become virtually limitless. That's a result neither side of the debate should want. Insurers would be forced to alter their wordings in the marketplace, significantly reduce available limits of liability, or perhaps not offer certain coverage at all, while policyholders would be faced with far fewer choices, astronomical premium costs, and uninsured risk.

Follow Medidata and American Tooling with close scrutiny. A favorable outcome for the carriers in these cases means a favorable outcome for all issuers and buyers of insurance in the future.

Stefan R. Dandelles (sdandelles@kdvlaw.com) is a co-managing partner of Kaufman Dolowich & Voluck, LLP's Chicago office. Jean Y. Liu (jliu@kdvlaw.com) is an associate in Kaufman Dolowich & Voluck, LLP's Chicago office.

 
