Just days after a Southern District of New York judge ruled in the Medidata Solutions decision that the Computer Fraud section of a commercial crime policy covered losses from social engineering fraud (as I discussed in a post last week), a judge in the Eastern District of Michigan has held that a crime policy’s computer fraud section did not apply to social engineering fraud. Eastern District of Michigan Judge John Corbett O’Meara concluded, based on the specific policy language at issue, that the computer fraud coverage only applied when the fraud directly caused the loss, and that because there had been intervening steps between the computer fraud and the transfer of funds, the coverage did not apply. As discussed below, these recent decisions underscore the problems facing policyholders as they seek insurance coverage for social engineering fraud losses. Judge O’Meara’s August 1, 2017 opinion can be found here.
American Tooling Center is a tool and die manufacturer that outsourced some of its manufacturing to a firm in China, Yi Feng. Yi Feng processed the manufacturing orders and then invoiced ATC for the amounts due. In March 2015, an ATC official emailed Yi Feng requesting copies of all outstanding invoices. The ATC official received a reply that appeared to be from Yi Feng, but instead was from an imposter. The domain name on the imposter email showed that it was not from Yi Feng, but the domain name was virtually indistinguishable from the correct domain name. The imposter directed ATC to send payment for several legitimate outstanding invoices to a new bank account. ATC wire transferred $800,000 to the bank account. ATC quickly discovered the error, but the funds had already been transferred and could not be retrieved.
ATC submitted its loss as a claim to its commercial crime insurer. The insurer denied coverage, contending that the company had not incurred a covered loss under the policy. ATC filed a lawsuit against the insurer, and the parties filed cross-motions for summary judgment.
The policy’s computer crime coverage section states that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The term “Computer Fraud” is defined as “The use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from inside the Premises or Financial Institution Premises: 1. to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or 2. to a place outside the Premises or Financial Institution Premises.”
The August 1, 2017 Opinion
In his August 1, 2017 opinion, Judge O’Meara granted the insurer’s motion for summary judgment and denied ATC’s motion for summary judgment.
In contending that there was no coverage under the policy for ATC’s loss, the insurer argued that ATC did not suffer a “direct loss” that was “directly caused” by the “use of any computer.” Judge O’Meara agreed, saying that “the fraudulent emails did not ‘directly’ or immediately cause the transfer of funds from ATC’s bank account.” Rather, he said, “intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfers, and initiated the transfers without verifying bank account information) preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”
Judge O’Meara cited with approval the Fifth Circuit’s 2016 opinion in Apache Corp. v. Great American Insurance Company, in which the appellate court agreed with the insurer in that case that the “mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’” He also quoted the Fifth Circuit’s opinion as stating “To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.”
Judge O’Meara also distinguished the recent decision of the Southern District of New York in the Medidata Solutions case, noting that the policy at issue in that case, unlike ATC’s policy, did not include the language requiring the “direct loss” to be “directly caused by Computer Fraud.”
As Judge O’Meara’s opinion shows, the precise policy wording involved in a crime policy will have a significant impact on whether or not there is coverage for social engineering fraud, which is the point made in an August 1, 2017 Law 360 article written by Matthew Schlesinger and Scott Levitt of the Covington law firm entitled “Key Strategies for Insuring Social Engineering Risks” (here, subscription required). Their article discusses various ways in which crime policy wordings can affect the availability of coverage for social engineering fraud.
As the authors note in their memo, many carriers now offer a policy extension expressly insuring social engineering or payment instruction fraud. However, as the authors also note, these extensions have their limitations and shortcomings. Among other things, the coverage extension is almost always subject to sublimits that are far below the amounts usually involved in social engineering fraud. Some of these extensions also exclude coverage if the policyholder’s employee failed to require that the requestor authenticate the transaction using a different method of communication than the one used for the request. Other versions may require, in order for the coverage to be triggered, that the instruction come from someone of a particular status, such as an existing employee. As the ATC case itself shows, the fraudulent payment instruction can come from an imposter posing as someone other than an employee.
In addition to several other crime policy wording issues, the memo’s authors also note the specific wording issue that was determinative here – that is, insurers will seek to deny coverage for social engineering fraud under the computer fraud section of their policies in reliance on policy provisions specifying that a loss must arise “directly” from computer fraud. The memo’s authors suggest that insurance buyers request that their insurer delete the “direct” limitation, “and, if not, consider whether another insurer provides broader coverage for a comparable premium.”
If nothing else, the two recent decisions, while coming out differently on the coverage issues, underscore the fact that social engineering fraud or payment instruction fraud is a real and recurring problem. The problem for the companies involved is that the losses often involve substantial sums of money. Obviously, there are risk avoidance processes companies can adopt to try to avoid these kinds of losses. But there is also a need for insurance to protect against these kinds of losses when employees are negligent or processes otherwise fail to prevent losses. The likelihood is that these kinds of losses will continue to happen and the industry will continue to struggle with the ways that crime insurance policies should respond to these kinds of losses. I expect that we will see a lot more of these kinds of decisions involving questions of insurance coverage for social engineering losses.