Along with all of the other risks arising from companies’ increasing dependence on electronic communications and data storage technology has come not only the risk of a data breach caused by a hacker, but also the risk of a company’s transfer of funds by one of its employees who has been duped into believing the transfer was legitimate and authorized. These kinds of losses, which have been called “payment instruction fraud” or “social engineering fraud,” raise a host of potential issues under traditional insurance policies, owing to the voluntary nature of the funds transfer made by a person authorized to access the company’s computer system. A recent decision by the Ninth Circuit illustrates the kinds of coverage problems that can arise from these circumstances. The Ninth Circuit’s unpublished April 17, 2018 opinion in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Company of America can be found here. The Wiley Rein law firm’s April 19, 2018 post about the Ninth Circuit decision can be found here.
Aqua Star is a seafood importer. One of its employees was duped by a fraudster posing as one of the company’s seafood vendors into sending $713,890 to an overseas bank account controlled by the fraudster. The fraudster had directed the employee to change the vendor’s bank account information. The employee made the changes as instructed. The company sought coverage for the loss of funds under the computer crime coverage in its commercial crime policy. The crime insurer denied coverage for the loss arguing among other things that coverage was precluded by a policy exclusion (Exclusion G) precluding coverage for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”
The company filed a breach of contract action against the insurer. The insurer filed a motion for summary judgment. The district court granted the insurer’s motion based on its finding that there was no unauthorized use of the company’s computer system. The company appealed.
The Ninth Circuit’s Opinion
In a brief three-page unpublished opinion dated April 17, 2018, a three-judge panel of the Ninth Circuit affirmed the district court’s grant of summary judgment. The appellate court said that Exclusion G “unambiguously” precludes coverage for losses resulting from authorized use of the company’s computer system.
The company’s losses, the appellate court said, “resulted from employees authorized to enter its computer system changing wiring information and sending four payments to a fraudster’s account.” The employees “had authority to enter” the computer system when they input the changed wiring information. Their conduct, the appellate court said, “fits squarely within the exclusion.”
The reason this issue continues to come up, and the reason courts struggle with these issues, is that social engineering fraud, or payment instruction fraud, is a very serious problem. The amount of money this company lost before it detected the problem underscores the magnitude of the problem; indeed, many companies subject to this kind of criminal activity have experienced even larger losses.
As detailed in an April 27, 2018 Law 360 article by J. Robert MacAneyney and John Pitblado of the Carlton Fields law firm (here), the problem that these kinds of situations present from an insurance coverage standpoint is that in one of these payment fraud situations “the fraudster is not so much using a computer, as they are using a human dupe, who then conducts the authorized, nonfraudulent uses of a computer … unwittingly furthering the fraud.”
The problem for parties to the insurance contract, as well as for courts evaluating the possibility of coverage under the contract, is that the standard Computer Fraud language was written at a time before computerized business transactions became a uniform and ubiquitous form of business transaction processing. With the spread of computer technology to all parts of a business’s activities, and in particular with email and other forms of communication becoming pervasive, the opportunities for misconduct have multiplied, in ways that the traditional crime policy language does not fully anticipate. Policyholders have struggled to try to get coverage for their losses, and courts have struggled with the coverage issues.
As the Law 360 article’s authors suggest with respect to judicial decision-making on these issues, “the results are decidedly mixed.” As their article details, there have been judicial decisions that, unlike the court in the Aqua Star case, have found that losses from a social engineering or payment instruction fraud are in fact covered under the Computer Fraud coverage in the commercial crime policy. There are a number of appeals pending in several different circuits on this very issue, which is very much in a state of flux. (A closely watched case in the Second Circuit, the Medidata case, in which the district court found that a social engineering fraud loss was covered under a crime policy’s Computer Fraud coverage section, remains pending.)
The Ninth Circuit had little trouble concluding that there was no coverage for Aqua Star’s losses under its commercial crime policy. In light of the specific circumstances involved and the specific exclusionary language at issue, the outcome in the case arguably is unsurprising. The question this decision raises for all companies is what they can do to try to ensure that they have insurance protection for these kinds of losses.
A number of insurers are now offering a social engineering fraud loss extension to their standard commercial crime policies. The availability of these extensions sometimes requires the payment of additional premium and/or additional underwriting. The movement of the insurance industry toward providing affirmative coverage for these kinds of losses unquestionably is a good thing, given the mixed record for this kind of coverage in the courts. However, in most instances, this coverage extension is subject to one very significant limitation; that is, the coverage extension is subject to a very strict sub-limit, usually no more than $250,000. As AquaStar’s circumstances show, the losses from this kind of fraud can quickly far exceed this restricted amount of coverage.
Moreover, there are other potential limitations involved with these coverage extensions. Some versions of the extension limit coverage to situations where the fraudster impersonates an officer or employee of the insured company. As the Aqua Star situation shows, losses can arise not just from the impersonation of a company officer or employee, but also from the impersonation of a vendor, or even of a customer, regulator, lender, or outside professional (such as an attorney, accountant, or investment banker). Even though the sublimited coverage represents only a restricted amount of coverage, it is important to ensure that the coverage that is available is constructed to provide protection in a broad variety of circumstances.
Along those lines, in light of the changing nature of these frauds, it is not enough for the coverage extension to provide protection only in the event of a fraud resulting in the transfer of funds. Losses can arise at a company due to fraudulent instructions to transfer product or inventory as well. For that reason, efforts should be made to ensure that the coverage extension is not limited just to losses from the transfer of funds, but also extends to losses arising from the transfer of product or inventory.
Given the strict limitation of coverage generally available in the insurance marketplace for these kinds of losses, it unquestionably is in the interests of all companies to focus their loss avoidance strategy on loss prevention. Well-designed company systems can be implemented to try to reduce these kinds of incidents and avoid the losses in the first place. Education and training obviously are an indispensable part of any loss prevention approach. In addition, the adoption of control processes to try to prevent the unauthorized transfer of funds can also help to avoid these kinds of losses. A mandatory requirement of second-channel confirmation of change requests is one such approach; another is a dual authorization requirement for any payments above a certain threshold.
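To make the two controls just described concrete, here is an added illustration (not part of the original post, and not any company’s actual accounts-payable system) of how a payment workflow can enforce them. It models a vendor bank-detail change that is only applied after confirmation over a channel different from the one the request arrived on, using the vendor contact already on file rather than one supplied in the request, and a payment release that requires two distinct approvers above a threshold. The vendor name, phone numbers, account identifiers, approver names and the $10,000 threshold are all constructed values; the $713,890 figure is the loss amount reported in the post.

```python
"""Constructed model of two payment-instruction-fraud controls:
second-channel confirmation of bank-detail changes and dual
authorization of large payments. Example code, not from the post."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

DUAL_AUTH_THRESHOLD = Decimal("10000")   # assumed threshold; set per company policy


@dataclass
class Vendor:
    name: str
    bank_account: str
    phone_on_file: str            # captured at onboarding, never taken from a change request


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_via: str                    # channel the request arrived on, e.g. "email"
    confirmed_via: Optional[str] = None   # channel used to confirm, e.g. "phone"
    confirmed_to: Optional[str] = None    # contact actually used for the confirmation


class ControlViolation(Exception):
    """Raised when a request fails a control check; nothing is changed."""


class PaymentControls:
    def __init__(self, vendors: List[Vendor]):
        self.vendors = {v.name: v for v in vendors}
        self.audit: List[Tuple] = []      # append-only record for later review

    def apply_bank_change(self, req: BankChangeRequest) -> str:
        vendor = self.vendors[req.vendor]
        # Second-channel rule: confirmation must travel over a different channel than
        # the request, so a spoofed or hijacked mailbox cannot confirm its own request.
        if not req.confirmed_via or req.confirmed_via == req.requested_via:
            raise ControlViolation("bank change not confirmed over an independent channel")
        # The callback must go to the contact already on file; a number quoted inside
        # the request would simply reach whoever wrote the request.
        if req.confirmed_to != vendor.phone_on_file:
            raise ControlViolation("confirmation did not use the contact on file")
        old = vendor.bank_account
        vendor.bank_account = req.new_account
        self.audit.append(("bank_change", req.vendor, old, req.new_account))
        return vendor.bank_account

    def release_payment(self, vendor_name: str, amount: Decimal, approvers: List[str]) -> str:
        vendor = self.vendors[vendor_name]
        distinct = set(approvers)
        # Dual-authorization rule: above the threshold, two different people must approve.
        if amount > DUAL_AUTH_THRESHOLD and len(distinct) < 2:
            raise ControlViolation("dual authorization required above threshold")
        self.audit.append(("payment", vendor_name, amount, vendor.bank_account,
                           tuple(sorted(distinct))))
        return vendor.bank_account


def run_scenario() -> List[Tuple[str, str]]:
    """Replay a constructed vendor-impersonation attempt against the controls."""
    controls = PaymentControls([Vendor("Ocean Harvest Ltd", "ACCT-ON-FILE", "+1-555-0100")])
    results: List[Tuple[str, str]] = []

    def attempt(label: str, fn) -> None:
        try:
            results.append((label, "accepted:" + str(fn())))
        except ControlViolation as exc:
            results.append((label, "rejected:" + str(exc)))

    # 1. Emailed request, "confirmed" only by replying on the same email thread.
    attempt("reply-to-email", lambda: controls.apply_bank_change(
        BankChangeRequest("Ocean Harvest Ltd", "ACCT-FRAUD", "email", "email", None)))
    # 2. Phone confirmation, but to the number printed in the fraudulent email.
    attempt("callback-to-number-in-email", lambda: controls.apply_bank_change(
        BankChangeRequest("Ocean Harvest Ltd", "ACCT-FRAUD", "email", "phone", "+1-555-0199")))
    # 3. Phone confirmation to the number on file (a genuine vendor change).
    attempt("callback-to-number-on-file", lambda: controls.apply_bank_change(
        BankChangeRequest("Ocean Harvest Ltd", "ACCT-GENUINE", "email", "phone", "+1-555-0100")))
    # 4. A large payment with one approver, then with two.
    attempt("single-approver-large", lambda: controls.release_payment(
        "Ocean Harvest Ltd", Decimal("713890"), ["ap_clerk"]))
    attempt("dual-approver-large", lambda: controls.release_payment(
        "Ocean Harvest Ltd", Decimal("713890"), ["ap_clerk", "controller"]))
    return results


if __name__ == "__main__":
    for label, outcome in run_scenario():
        print(f"{label:30s} {outcome}")
```

The design point is that both checks are data the request cannot influence: the confirmation channel is compared against the channel the request came in on, and the callback number is taken from the vendor master record rather than from the request. The audit list gives a reviewer the trail needed to detect a change that slipped through a manual override.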
In the absence of an adequate risk transfer solution to the possibility of social engineering fraud, well-advised companies will want to try to implement a full range of risk avoidance strategies, starting with the inculcation among all employees of the danger that these kinds of frauds present. While the possibility of losses from social engineering fraud represents a growing threat, there are proactive steps companies can take to try to protect themselves from these kinds of losses.
Quarterly Claims Update Webinar/Cryptocurrency Focus: On May 1, 2018, at 11:00 am EDT, I will be participating as a panelist in the Advisen Quarterly Claims Update webinar. This quarter’s session will have as its particular focus the emerging issues surrounding cryptocurrencies and Initial Coin Offerings (ICOs). The session will be moderated by Advisen’s Jim Blinn. The panel will also include Garrett Koehn of CRC Insurance Group and Paul Tomasi of E-Risk Services. Information about this free one-hour webinar, including registration instructions, can be found here. The quarterly claims update webinars are always interesting, and this one is likely to be particularly so.