In the current world, cyber security is critical for every organization. Cyber insurance is an important part of every organization’s cybersecurity program. In the following guest post, a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, examines how business can best match their cyber insurance to their cyber security needs. I would like to thank David for his willingness to allow me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s guest post.
**********************************
Time and again, insureds seek payment for cybercrime claims only to be denied by their insurers and the courts that review the subsequent lawsuits that are inevitably filed by insureds. As courts strictly interpret cybercrime policies, insureds need to ensure that their cybercrime policies provide adequate coverage for the known risks and perils of their businesses. Such coverage can only be achieved through a diligent review of business models and processes to match them with a proper insurance program. Recently, federal appellate and district courts denied insureds’ claims for cybercrime coverage where the insureds’ insurance program did not match their business models and processes.
In Taylor & Lieberman v. Federal Insurance Company, the Ninth Circuit held that losses resulting from wire transfers that emanated from fraudulent emails were not an unauthorized entry into a computer system or an introduction of instructions that propagated themselves through the computer system.[1] Thus, the court held that coverage under the computer fraud coverage was unavailable. Further, the court held that the funds transfer fraud coverage was not implicated because the insured directed separate emails to the financial institution to wire the funds that ultimately caused the loss.
The insured, Taylor & Lieberman, was an accounting firm that made certain payments on behalf of its clients. With respect to the client at issue, the client executed a power of attorney in favor of the principal of the insured. The insured’s employee received three emails purportedly from the client requesting that the insured issue certain wire transfers. The first two emails were from the client’s email account and the third email was from a separate email account. Upon receiving the third email, the insured’s employee called the client and discovered that the client’s email account was compromised and sought to recover the funds that were previously wire transferred. While certain funds were recovered, the insured incurred a loss of approximately $99,433.92. The insured submitted a claim under its Forefront Portfolio Policy that provided certain coverages including computer fraud and funds transfer fraud coverage.
The insurer denied coverage for the claim and the insured brought suit. On the parties’ cross motions for summary judgment, the district court granted the insurer’s motion for summary judgment and the insured appealed.
In analyzing the competing arguments regarding the coverage, the Ninth Circuit noted that the emails, which contained the instructions to the insured to wire the client’s funds, “were not the type of instructions that the policy was designed to cover.”[2] The email stood in contrast to the malicious computer code that the policy was intended to cover. Ultimately, the court concluded that claim did not come within the computer fraud coverage.
With respect to the funds transfer fraud coverage, the court reviewed the insuring clause which provided:
Fund transfer fraud encompasses:
Fraudulent written . . . instructions issued to a financial institution directing such institution to transfer . . . Money from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.
The court noted that the insured knew about its directions to its financial institution. Specifically, the insured received the instructions in the emails and then sent an email to its financial institution to wire transfer the funds that were lost. Thus, while the instructions the insured relied upon were fraudulent, the insured not only had knowledge of its own directions, but also consented to them because it directed such instructions to its financial institution. Therefore, the court held that the claim was not within the insuring agreement.[3]
In InComm Holdings and Interactive Communications International, Inc. v. Great American Insurance Company, the United States District Court for the North District of Georgia held that losses related to fraudulently redeemed chits for loading value onto debit cards were not covered because (i) the fraudulently redeemed chits resulted from the use of a telephone and not a computer; and (ii) the losses did not result directly from the fraudulently redeemed chits, but from the payments after use of the debit cards.[4]
In InComm, the insured operated a debit card processing system for various issuing banks whereby debit card holders would purchase chits to from a retailer to add funds to the debit cards. After purchasing the chits, the retailer sent the payment to InComm. Additionally, the customer would call InComm’s system and enter certain codes from the chit and debit card. Upon redemption of the chit, InComm would wire transfer funds to a bank account at issuing bank. Such bank account was held by the issuing bank as a fiduciary for InComm for the benefit of the cardholder. When the cardholder used the debit card to purchase merchandise, the issuing bank would deduct the funds from the account and the merchant would be paid. If the cardholder made a purchase prior to InComm transferring the funds, the issuing bank would pay for the cardholder purchase and be reimbursed by InComm’s wire transfer.
From November 2013 to May 2014, a flaw in the system allowed for multiple credits using the same chit if the codes were entered from simultaneous telephone calls to InComm’s system. The losses totaled $11,477,287 resulting from 25,553 unauthorized redemptions of 1,933 separate chits, or an average of 13 redemptions per chit. On May 6, 2014, InComm began investigating the duplicate redemptions, discovered the system flaw in an hour and repaired the flaw in its system within a subsequent hour to prevent further unauthorized redemptions.
On May 23, 2014, InComm filed a claim with Great American Insurance Company under Computer Fraud Insurance Provision which provided:
[The insurer] will pay for loss of . . . money . . . resulting directly from the use of any computer to fraudulently cause a transfer for that property from inside the premises or banking premises:
i. to a person(other than a messeger) outside those premises; or
ii. to a place outside those premises.[5]
On May 12, 2015, Great American denied InComm’s claim. InComm filed a lawsuit against Great American on July 28, 2015. Upon competing motions for summary judgment filed by the parties, the court reviewed the insuring agreement as applicable to the loss at issue. In particular, the court looked at the process for redeeming chits and concluded that the claim was not covered because the chit redemption process involved a telephone. In reaching its holding, the court noted that “[a] ‘telephone’ is not a ‘computer.’”[6] Further, the court noted that “[t]here is no evidence that cardholders even realized their telephone calls resulted in interaction with a computer.”[7]
The court went on to analyze the relationship between the unauthorized redeemed chits to the losses claimed. In particular, the court noted that InComm’s transfer of funds to the issuing bank did not result in the loss of funds because certain issuers still retained certain of the wired funds. The court stated that the loss of funds only occurred when the cardholder used the card to pay for a transaction and the issuing bank paid the seller for the transaction. Therefore, the loss occurred subsequent to InComm’s transfer of funds.
The court went on to note that even if the loss were to occur upon InComm’s transfer of funds to the issuing bank, the loss would still not be a direct result of the unauthorized redemption of chits. Specifically, InComm wired the funds pursuant to its contract with the issuing bank without reconciling or verifying that the chits were legitimate. In other words, InComm’s loss resulted from InComm deciding to wire the funds without properly investigating the duplicate chit redemptions.
In Taylor & Lieberman, the insured purchased insurance coverage from losses resulting from computer viruses, but not for the so-called “socially engineering” emails. Taylor & Lieberman did not appear to match its payment processes which involved human intervention and the issuance of instructions to its bank to the insurance it purchased.
Similarly, in InComm, the insured purchased insurance coverage for losses resulting from computer fraud, but not instructions received by telephone. InComm had a mismatch between its computer fraud coverage and its business model of receiving telephone enabled instructions for chit redemptions. Additionally, InComm’s insurance program did not provide coverage for its indirect role in the payment of funds for the cardholder’s transactions.
As courts appear to be strictly interpreting insurance policies, insureds need to be diligent in reviewing their business models and processes for areas of potential vulnerabilities and losses. Such reviews should form the basis of an insured’s request for insurance. It is likely that such an insured’s request will result in an insurance program that provides adequate coverage against the perils that really exist for an insured.
David Bergenfeld, Esq., is a Senior Associate in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group. He thanks to Neil R. Morrison, Esq., a Partner in D’Amato & Lynch, LLP’s Fidelity Bond Practice Group, for editorial support.
[1] No. 15-56102, 2017 WL 929211 (9th Cir. Mar. 9, 2017).
[2] Id. at *2.
[3] The Ninth Circuit also held that the emails received from the perpetrator “did not trigger coverage because [the insured was] not a financial institution.” Id.
[4] No. 1:15-cv-2671-WSD (N.D. Ga. Mar. 16, 2017).
[5] Id. at *3.
[6] Id. at *8.
[7] Id. at *9.