The endorsement states:

"Social Engineering Incident means the intentional misleading of an Insured to transfer Money to a person, place or account beyond the Named Insured's control resulting directly from the Named Insured's employee's good faith reliance upon an instruction transmitted via email, purporting to be from:

[i]. a natural person or entity who exchanges, or is under contract to exchange, goods or services with the Named Insured for a fee ... or
ii. an employee of the Named Insured;
but which contained a fraudulent and material misrepresentation and was sent by an imposter."

Spinnaker denied the claim, stating the event did not meet the strict contractual definition of a Social Engineering Incident. Gore subsequently sued the insurers for breach of contract, bad faith, gross negligence, and fraud.

The Court's Ruling

The case was brought before a United States District Court. Spinnaker Insurance Company argued that to qualify as a covered Social Engineering Incident, the policy required that an imposter instruct the insured to transfer funds while purporting to be a person who already exchanges goods or services with the insured.

Gore argued that because the imposter signed a fee agreement, they were a client, and that the incident should be covered. They also argued that the policy language was ambiguous and as a result should be interpreted in the policyholder's favor.

The court disagreed, finding the policy language unambiguous. The court found that for coverage to apply, the imposter must be impersonating a pre-existing client or vendor. In this case, the real David Casteel had never been a client of Gore and had no idea this transaction was occurring. Because the real Casteel was not a party who exchanged services with the firm for a fee, the imposter posing as him did not trigger the specific terms of the coverage.

Gore claim's that the imposter was a client because they signed and returned the fee agreement also failed because, as the court stated, "the Social Engineering Incident provision cannot be reasonably interpreted to cover the fraudulent transaction alleged in the complaint because the instruction to transfer money cannot have been sent by an imposter purporting to be a client if the individual giving the instruction is the client."

The court found that Gore failed to prove that there was a breach of contract. The bad faith allegation quickly failed because bad faith requires an underlying breach of contract. On the gross negligence allegation, the court stated that even if the insurer had thoroughly investigated the claim, the end result would have still been the same because Gore would still not be covered by the Social Engineering endorsement. The fraud allegation also failed because Gore failed to make specific allegations that the insurer made intentional, material misrepresentations.

Editor's Note

This case shows the importance of knowing exactly what is covered by your policy and endorsements. On face value, the overpayment scam carried out by the imposter sounds like the exact thing a Social Engineering Coverage endorsement might cover, but under Gore's policy, it was specified that there is only coverage if the imposter pretends to be an already existing client of the firm.

Read More:

Fool Me Once: Insurance Coverage for Social Engineering Scams Under Judicial Review