There recently has been a “dramatic rise” in the incidence of business e-mail compromise (BEC) scams, according to an April 4, 2016 alert from the Federal Bureau of Investigation (here). In these schemes, which are also often referred to as “social engineering fraud” or “payment instruction fraud,” scammers using official-seeming email communications induce company employees to transfer company funds to the imposters’ account. According to the FBI, during the period October 2013 through February 2016, law enforcement agencies received reports of this type of fraud involving 17,642 victims. Complaints involving these kinds of fraudulent schemes have arisen in every U.S. state and in 79 different countries, and the reported losses amount to over $2.3 billion. As discussed below, these types of schemes are not only a growing concern, but they are increasingly the source of insurance coverage disputes as well.
The Payment Instruction Fraud Scheme: In the typical BEC or social engineering fraud scenario, schemers use legitimate-seeming emails or other forms of electronic communication to assume the identity of a company’s CEO, financial executive, company attorney, or trusted vendor or customer. The schemers will often use language specific to the company they are targeting and request a wire transfer in an amount chosen to lend legitimacy to the request. The amounts involved can be significant, in some cases running into the millions of dollars.
Insurance Carriers are Resisting Coverage for These Kinds of Losses: Many of the companies that have experienced this type of loss seek to recoup the amount of the fraudulently induced transfer under their insurance, typically under their commercial crime policies.
However, as explained in a November 4, 2015 post on the Gordon & Rees law firm’s Privacy Teaches and Breaches blog (here), courts interpreting these kinds of policies draw a distinction between losses where a thief hacks the insured’s computer systems and losses where the insured voluntarily transfers funds. While the courts generally allow coverage for losses arising from hacking, the courts have found that “losses from voluntary transfer of funds, including social engineering losses, are generally not covered because they do not arise ‘directly’ from the use of a computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.” In addition, many commercial crime policies contain a “voluntary parting” exclusion on which the carriers will seek to rely in order to argue that coverage for these types of losses is precluded.
An April 6, 2016 memo by the Jenner & Block law firm (here) discussed the challenges companies have faced trying to seek coverage for these types of losses under the Computer Crime, Funds Transfer Fraud and Forgery coverage sections of commercial crime policies. As the cases discussed in the memo show, “insurers have denied coverage” for these kinds of claims, “claiming generally that the computer crime and fraud insurance policies issued are limited to traditional hacking.”
A Recent Example of a Social Engineering Fraud Coverage Dispute: A recent case in the Southern District of New York involving Medidata Solutions illustrates the problem. In its complaint, Medidata alleged that it was “the victim of an international wire transfer fraud” in which mid-level employees of the company were deceived by emails from the perpetrators of the fraud “forged to appear as if they were coming from a Medidata executive,” resulting in the transfer of approximately $4.8 million to an overseas account. Medidata reported the loss to its executive liability insurer, whose policy contained coverage parts insuring against “Computer Fraud,” “Funds Transfer Fraud,” and “Forgery.” The insurer denied coverage for the loss, asserting that its policy extends only to hackers who cause an involuntary money transfer; here, the insurer contended, because the Medidata employee knew and consented to the funds payment, coverage was precluded under the funds transfer provision. Medidata filed an insurance coverage lawsuit against the insurer, alleging that the insurer had breached its insurance contract.
The two parties filed cross-motions for summary judgment. In its motion, Medidata argued that the fraudsters’ modifications to the email constituted the “fraudulent entry of data,” and argued further that the policy’s coverage would be meaningless if it did not apply to the type of fraudulently induced funds transfer involved.
In a brief March 9, 2016 order (here), Southern District of New York Judge Andrew L. Carter, Jr. denied both parties’ motions, citing the “insufficient record.” Judge Carter directed the parties to conduct discovery limited to establishing the method by which the fraudulent emails were sent to Medidata and what changes, if any, were made to the company’s systems when the emails were received.
There Have Been Many Recent Cases Involving Carriers Resisting Coverage for Social Engineering Fraud or Payment Instruction Fraud Losses: As discussed in the Jenner & Block law firm memo linked above and in a February 9, 2016 memo from the Orrick, Herrington & Sutcliffe law firm’s Policyholder Insider blog (here), there are a number of other cases pending in which companies that have suffered these types of losses are in litigated disputes with their insurers on the question of whether or not there is insurance coverage for these losses. While the aggrieved companies have substantial grounds on which to argue that these kinds of losses are covered, it is clear that the insurers contend that the losses are not covered. As the law firm memos highlight, there have been case decisions already in which some courts have upheld the insurers’ coverage denials.
Some Carriers are Now Offering Social Engineering Fraud Coverage on a Limited Basis: From the policyholders’ perspective, the question of whether the traditional commercial crime policies cover this type of loss is at best uncertain. For that reason, it is important to note that several carriers are now offering coverage by endorsement to the commercial crime policy for these kinds of losses. The endorsements are designed to provide coverage when an employee is intentionally misled by electronic or written instructions from a person purporting to be a company executive or employee, vendor, client, or customer, to transfer money or property. These endorsements are often called “social engineering fraud” endorsements or “payment instruction fraud” endorsements. Some carriers will require companies seeking this type of coverage to complete a supplemental application or provide other underwriting information.
This type of coverage extension may also be available from some carriers as an endorsement to a privacy or network security coverage insurance policy; whether the coverage is better placed in the commercial crime or the cyber insurance policy – or both – is a question insurance buyers should address to their trusted insurance advisor.
Given the position that the traditional commercial crime insurance carriers have taken with respect to these types of losses, it arguably is a good thing that the insurers are now offering this type of coverage. To be sure, one reason the carriers are offering this extension this way now is to try to bolster their argument that without this type of extension, the unendorsed traditional policy does not and was not intended to provide coverage for this type of loss.
The Limitations for This Type of Coverage May Leave Policyholders with Substantial Uninsured Exposure: Most of the carriers that are willing to offer this coverage extension to their policies will do so only on a sub-limited basis. That is, rather than the full limits of liability of the insurance policy, only a lesser amount is available to insure against these types of losses. Often these sub-limits are as low as $250,000 or less. Even carriers that are willing to offer greater amounts will subject the increased amount to a significant co-insurance requirement, in some cases as much as 50% (meaning that the policyholder must absorb up to 50% of the losses). Some of these coverage extensions are also subject to deductibles as well.
The problem with the low limits offered and the other various restrictions is that, as the Medidata lawsuit illustrates, losses from these types of scams can run into the millions of dollars. Even a company whose policy has been extended to include a social engineering fraud endorsement could therefore still incur very substantial losses in excess of the insurance available.
In addition to the low limits of liability available for these kinds of exposures, another problem with the social engineering fraud coverage extensions is that the endorsement wording may not be broad enough to encompass all of the ways the scammers could try to induce the company to transfer the funds, or may restrict the coverage by narrowly defining the kind of person the scammer must be portraying.
As discussed in an April 4, 2016 article on Law 360 describing this type of extension to the commercial crime policy (here, subscription required), some of the extensions available in the marketplace say that in order for there to be coverage, the fraudster must have been posing as an executive or employee of the company. As the many cases discussed in the law firm memos linked above show, however, scammers adopt a wide variety of guises; in addition to posing as company executives or employees, scammers have managed to secure transfers by posing as, for example, vendors, clients, customers and suppliers.
The insurance industry is still wrestling to come up with a comprehensive solution to this problem, as the carriers struggle to adapt to significant losses of a type they contend they never intended to cover. The extent of the social engineering fraud problem, as well documented by the recent FBI alert, suggests that this type of fraud is a serious problem and one that the insurance industry is still struggling to address. Eventually, the industry will adjust and begin to offer products that will provide comprehensive risk transfer.
Because of the problems and limitations surrounding the social engineering fraud coverage extensions now available in the marketplace, it will be very important for insurance buyers to work closely with a knowledgeable and experienced insurance advisor, in order to ensure that the insurance solution put in place is the best available in the marketplace for the company and the one best calculated to provide the most protection from among the available options.
In the Absence of Complete Risk Transfer Solutions, Companies Should Develop Other Risk Management Solutions to Protect Themselves from These Kinds of Losses: Until a more comprehensive insurance solution is available, well-advised companies will look to other risk management tools in order to protect themselves from these kinds of losses. In particular, internal training designed to alert employees to the possibility of these kinds of scams is an important first step. Employees should be particularly wary of funds transfer requests in unusual amounts, requests made with an unusual level of urgency or secrecy, and requests that require the transfer of funds to an unfamiliar account or address. Another important risk management tool is the development of multi-level authentication and verification processes, in particular a rule that any new beneficiary or change of payment instructions is confirmed through a channel independent of the email that requested it (for example, a call to a phone number already on file, never one supplied in the request), with a second approver required above a set dollar threshold.
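The verification process described in the preceding paragraph can be expressed as an automated pre-check that a payment desk runs before acting on an emailed wire request. The following is an added illustration, not code from the original post or from any insurer or company named above; the company domain, beneficiary directory, dollar threshold, urgency phrases and sample requests are all constructed for the example. It flags the classic BEC indicators (a look-alike sender domain, a Reply-To pointing somewhere other than the From domain, urgency or secrecy language, an unknown beneficiary or a changed account number) and decides whether the request may proceed, needs a second approver, or must be held until confirmed by a call to the contact already on file.

```python
"""Hypothetical payment-instruction gate for emailed wire requests.

Added example: all names, domains, accounts, phone numbers and the
threshold below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the company's own mail domain (hypothetical).
COMPANY_DOMAIN = "acme-corp.example"

# Assumption: beneficiaries approved at onboarding, keyed by name, with the
# account and the callback phone number recorded at that time. A callback
# must always use this number, never one supplied in the email.
APPROVED_BENEFICIARIES = {
    "Northwind Supplies": ("DE89370400440532013000", "+1-555-0100"),
}

# Assumption: amounts at or above this always need a second approver.
DUAL_CONTROL_THRESHOLD = 50_000

# Pressure/secrecy phrasing typical of payment-instruction fraud.
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|today|confidential|do not (call|discuss))\b",
    re.IGNORECASE,
)


@dataclass
class PaymentRequest:
    from_display: str          # display name shown in the mail client
    from_addr: str             # actual From address
    reply_to: Optional[str]    # Reply-To header, if any
    body: str
    beneficiary: str
    account: str
    amount: float


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss domain spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted: str = COMPANY_DOMAIN) -> bool:
    """True if `domain` is not `trusted` but is confusably close to it:
    common glyph swaps (rn->m, 1->l, 0->o) or at most two character edits."""
    domain = domain.lower()
    if domain == trusted:
        return False
    normalized = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return normalized == trusted or _edit_distance(domain, trusted) <= 2


def assess(req: PaymentRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Decisions:
    HOLD           - confirm by phone using the number on file before paying
    DUAL_APPROVAL  - known beneficiary, but amount needs a second approver
    OK             - no indicators found
    """
    reasons: List[str] = []
    sender_domain = _domain(req.from_addr)

    if sender_domain != COMPANY_DOMAIN and lookalike(sender_domain):
        reasons.append(f"sender domain {sender_domain} looks like {COMPANY_DOMAIN}")
    if req.reply_to and _domain(req.reply_to) != sender_domain:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY.search(req.body):
        reasons.append("urgency/secrecy language in request")

    on_file = APPROVED_BENEFICIARIES.get(req.beneficiary)
    if on_file is None:
        reasons.append("beneficiary not in approved list")
    elif on_file[0] != req.account:
        reasons.append("account differs from account on file (payment-instruction change)")

    if reasons:
        return "HOLD", reasons
    if req.amount >= DUAL_CONTROL_THRESHOLD:
        return "DUAL_APPROVAL", [f"amount >= {DUAL_CONTROL_THRESHOLD} requires second approver"]
    return "OK", reasons


# Constructed sample requests (not real messages).
SPOOFED = PaymentRequest(
    "Jane Doe, CEO", "jane.doe@acrne-corp.example", None,
    "Need this wire processed today, confidential acquisition. Do not discuss.",
    "Eastbridge Holdings", "GB33BUKB20201555555555", 120_000.0)
LEGIT = PaymentRequest(
    "Jane Doe, CEO", "jane.doe@acme-corp.example", None,
    "Please pay the attached Northwind invoice for March.",
    "Northwind Supplies", "DE89370400440532013000", 12_000.0)
CHANGED_ACCOUNT = PaymentRequest(
    "AP - Northwind", "billing@northwind.example", None,
    "Our banking details have changed; please use the new account below.",
    "Northwind Supplies", "DE02120300000000202051", 9_500.0)

if __name__ == "__main__":
    for name, req in [("spoofed", SPOOFED), ("legit", LEGIT), ("changed", CHANGED_ACCOUNT)]:
        print(name, assess(req))
```

The point of the HOLD outcome is procedural rather than technical: the callback number comes from the beneficiary record created at onboarding, so a fraudster who controls the email thread cannot also supply the channel used to confirm it. Display-name matching is deliberately not relied upon, since a display name of "Jane Doe, CEO" is trivially set by the sender.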
******************** More Below ***************
Dial-a-Swede: On Saturday, the New York Times ran an article entitled “Tourism Line Lets Callers Connect to ‘Random Swede, Somewhere in Sweden’” (here), which describes a new program that the Swedish tourism agency has established. The way it works is that international callers to a Swedish phone number (011 46-771-793-336) are connected to randomly selected Swedish volunteers to chat about any topic that comes to mind.
On Sunday afternoon (Sunday evening in Sweden), I dialed the number. After a pause, a recorded female voice with a lovely Swedish accent came on that said “Calling Sweden. You will soon be connected to a random Swede, somewhere in Sweden.” After another pause, and several rings at the other end of the line, a very nice Swedish woman named Emma came on the line.
Emma lives in Göteborg. Emma is a librarian at a children’s school. Her English is excellent – when she was younger, she worked as an au pair in Boston. I was the fifth person she had spoken to as part of the program. Her prior callers included one from London, one from Amsterdam, and two from the United States. She decided to participate in the dial-a-Swede program because she likes to talk and she thought it would be fun. She said that it has been interesting so far, though her first caller had only wanted to find out about prostitution and drugs in Sweden. I talked with her instead about places in Sweden I might want to see if I were to visit the country with my wife, including a nature preserve in the North and an island (Gotland) off the country’s east coast. She also described several of the Swedish national parks (there are 29 national parks in the country, it turns out). She likes hiking, and she told me about looking for cloudberries in the spring, in the marshlands in the Northern part of the country. We also talked a little bit about U.S. politics. She said that watching the election campaigns in the U.S. from Sweden, it is very hard to understand what is going on. I told her it looked the same way even when viewed from inside the United States.
So anyway I had a very pleasant conversation with Emma, whom I thanked for her willingness to take my call. The whole thing is a funny idea, but I thought it was great, and I enjoyed the chance to talk to Emma. I recommend making the call; talking to a “random Swede” turns out to be a fascinating thing to do.
A Movie Recommendation: I want to recommend a movie to everyone. It is called “Eye in the Sky.” The movie is about the use of drone aircraft in an antiterrorism campaign in Kenya. Helen Mirren plays a British army colonel who heads an antiterrorism group tracking Al-Shabaab terrorists in Nairobi. The late Alan Rickman (in his final movie role) plays a British Army general who must manage a group of government ministers supervising the drone activity and authorizing military actions. Aaron Paul and Phoebe Fox play two American drone pilots based in Nevada, who control the Predator drone hovering over the terrorists’ Nairobi hideout. With video footage beamed simultaneously around the world from the “eye in the sky,” the action unfolds on screen. It quickly becomes clear that the terrorists everyone is watching on their video screens are planning imminent suicide bomb attacks. With a quick missile strike, the terrorists’ attack might be prevented. But it also becomes quickly apparent that if the Predator drone’s missile strikes the target, there could also be terrible, tragic consequences. The movie captures the agonizing decisions that must be made when human lives hang in the balance, regardless of what action is taken.
The movie is tense, fast-paced and serious, and directly confronts the moral dilemmas involved in drone warfare, which is conducted across tremendous distances and from a detached perspective that, as this movie vividly captures, has the unexpected effect of magnifying the significance of every action.
There hasn’t been a lot of publicity about this movie; in fact, I had never even heard of it before my wife and I looked at the movie listings on Saturday (admittedly, I don’t follow the movies very closely). It would be unfortunate if this were to be one of those movies that just disappears. This is a very important, serious movie. It will also keep you absolutely on the edge of your seat. I wouldn’t recommend this movie as, say, a first-date movie, but just the same it is one of the best movies I have seen in a very long time. Helen Mirren is one of my favorite actresses, and her performance in this movie is particularly compelling.