One of the more challenging issues businesses must confront as wrongdoers have turned Internet tools into criminal devices has been the rising threat of payment instruction fraud, or, as it is sometimes called, social engineering fraud. Along with these crimes have come vexing questions of insurance coverage for the ensuing losses. Courts have struggled to determine whether or not payment instruction fraud losses are covered under Crime policies. A recent case in the Southern District of New York raises the question whether a payment instruction fraud loss is covered not under a Crime policy but rather under an insurance policy containing both E&O and Cyber coverages.
In a November 6, 2019 order (here), Southern District of New York Judge Jed Rakoff, applying Connecticut law, denied the insurer’s motion to dismiss the policyholder’s complaint seeking coverage for its payment instruction fraud losses. Judge Rakoff’s ruling in the case raises a number of interesting issues, as discussed below.
EDITOR’S NOTE: Subsequent to publication of this blog post, I was advised by knowledgeable sources that in this coverage action, the policyholder was seeking coverage under the applicable policy’s E&O coverage, rather than under the policy’s Cyber coverage. With respect to the question of which of the policy’s multiple insuring provisions was in dispute in this coverage action, readers may find it helpful to refer to the policyholder’s initial complaint in the coverage lawsuit, here.
Background Regarding the Underlying Losses
SS&C Technology Holdings is a software and software-enabled services provider. Among its clients was a company called Tillage Commodities Fund. In March 2016, third parties using stolen credentials sent e-mailed funds transfer requests to SS&C, falsely claiming to be acting on behalf of Tillage. SS&C processed these requests, over the next three weeks causing over $5.9 million to be transferred from Tillage’s accounts to bank accounts in Hong Kong. SS&C discovered the scheme, alerted Hong Kong authorities, and tried to help Tillage and the authorities recover the funds.
In September 2016, Tillage initiated a New York state court lawsuit against SS&C. Shortly before the case was scheduled to go to trial, Tillage and SS&C settled the case without any admission of wrongdoing or liability by either party.
Background Regarding the Insurance Dispute
At relevant times, SS&C maintained a “Specialty Risk Protector” insurance policy with multiple insuring provisions, including Cyber Insurance-related insuring provisions. (A copy of the policy can be found here.) Shortly after discovering that the Tillage funds had been transferred in error, SS&C notified its insurer of the losses and sought coverage. The insurer agreed to provide SS&C defense cost coverage but denied coverage for any indemnity amounts. After the Tillage lawsuit settled, the insurer denied coverage for the settlement amount.
SS&C filed a lawsuit in the Southern District of New York against the insurer. SS&C’s complaint contained three counts, one alleging breach of contract; a second count seeking a judicial declaration of coverage; and a third count seeking damages for alleged breaches of the covenant of good faith and fair dealing. In response to the complaint, the Insurer filed a motion to dismiss.
Policy Language at Issue
In support of its coverage position, the insurer relied on the policy’s Exclusion 3(a) which precludes coverage for losses:
alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omissions, or any intentional or knowing violation of the law; provided however, [the Insurer] will defend Suits that allege any of the foregoing conduct, and that are not otherwise excluded, until there is a final judgment or final adjudication against an Insured in a Suit, adverse finding of fact against an Insured in a binding arbitration proceeding or plea of guilty or no contest by an Insured as to such conduct, at which time the Insured shall reimburse [the Insurer] for Defense Costs.
The November 6, 2019 Ruling
In a relatively brief November 6, 2019 Memorandum Opinion, Judge Rakoff, applying Connecticut law, largely denied the insurer’s dismissal motion.
In seeking to have SS&C’s complaint dismissed, the insurer had argued that the coverage preclusionary provision in Exclusion 3(a) applies not only to any “dishonest, fraudulent, criminal or malicious act, error, or omission, or any intentional or knowing violation of the law” committed by SS&C, but also broadly to these kinds of acts committed by third-party fraudsters.
In rejecting this argument, Judge Rakoff read and interpreted the exclusion as a whole, taking into account the exclusion’s “provided however” clause. Judge Rakoff said that reading the “provided however” clause with the first clause “clearly indicates that Exclusion 3(a) applies only to dishonest, fraudulent, criminal or malicious acts committed by SS&C.” In that regard, he noted that the “provided however” clause refers specifically to “Suits that allege any of the foregoing against SS&C.” This reading, Judge Rakoff said, “also comports with what the parties most likely intended when they entered into the Policy.” At “the very least,” he said, “ambiguity exists,” and under Connecticut law he must construe the insurance contract in favor of coverage.
Judge Rakoff also denied the insurer’s motion to have the bad faith claim dismissed. However, he granted the insurer’s motion to dismiss SS&C’s declaratory judgment claim as duplicative of SS&C’s breach of contract complaint.
If nothing else, the magnitude of the losses from SS&C’s erroneous transfer shows the scale of the issues that can arise from payment instruction fraud. These kinds of losses represent a serious threat to all businesses, particularly given the pervasiveness of email as a business communication medium.
As companies have presented these kinds of losses to their insurers, both insurers and the courts have struggled as they have tried to match the question of coverage for these kinds of losses with policy language that was written long before current business practices came into place. Much of the early case law examining the question of insurance coverage for these kinds of losses has involved Crime policies (compare, for example, a recent Ninth Circuit decision finding a Crime policy did not provide coverage with a recent Second Circuit decision finding the Crime policy did provide coverage).
Judge Rakoff’s ruling denying the insurer’s motion to dismiss is interesting and may give heart to policyholders and their representatives seeking coverage for payment instruction fraud losses under other types of policies. However, Judge Rakoff’s ruling may be of very limited relevance to other circumstances, and not merely because it was decided under Connecticut law.
Judge Rakoff’s ruling is very much a reflection of the specific and arguably peculiar language in the Exclusion 3(a) on which the insurer sought to rely. It is not clear at all how this ruling would have gone had there not been the tension in the exclusion’s language between the “provided however” clause and the exclusion’s first clause. The first clause standing alone plausibly could be read to encompass third-party misconduct. In other words, on a different day in a different case involving slightly different policy language, the outcome of the coverage question might turn out differently. This is a very policy language-specific ruling.
As policyholders and insurers have struggled to figure out the insurance implications of payment instruction fraud losses, one perennial question has been whether these kinds of losses properly belong under Crime policies, Cyber policies or other types of policies. The first line of defense for insurers these days seems to be that their policies provide no coverage for these losses. Crime insurers argue further that the standard Computer Fraud Coverage section in their policies does not apply to these kinds of losses since they involve voluntary transfer of funds rather than an intrusion into computer systems. For their part, Cyber insurers argue that their policies were not designed or intended to cover fraudulently induced funds transfers. Given the likelihood for continued losses of this kind, and the likelihood that insurers will continue to try to resist coverage for these losses, these disputes are likely to continue.
In recent months, insurers seeking to build out their argument that their policies were not intended to cover these kinds of losses have begun offering optional coverage extensions providing social engineering coverage. (This coverage extension may be available from both Crime and Cyber insurers; which policy is the right one to have this extension is a larger topic beyond the scope of this post, but I will say that as a general matter I favor having the extension in the Crime policy rather than the Cyber policy.)
While this type of affirmative coverage grant might seem welcome, these coverage extensions often come with severely restricted sublimits, often as little as $250,000 or even less. When compared to the kind of losses SS&C’s client sustained here, these kinds of sublimits afford relatively limited protection.
In an insurance world where insurers are putting all of their effort into trying to avoid coverage for these kinds of losses, companies’ best risk management approach to these kinds of risks might center on education, internal controls, and process safeguards, to try to ensure that these kinds of losses do not occur in the first place.
There is one aspect to the payment instruction fraud involved here that is worth considering when it comes to the various social engineering fraud coverage extensions the insurers are offering. Some versions of the extension limit coverage to situations where the fraudster impersonates an officer or employee of the insured company. As the SS&C situation shows, losses can arise not just from the impersonation of a company officer or employee, but also from the impersonation of a customer, or even a vendor, regulator, lender, or outside professional (such as an attorney, accountant, or investment banker). Even though the sublimited coverage represents only a restricted amount of coverage, it is important to ensure that the coverage that is available is constructed so that it will respond in a broad variety of circumstances.
One final note about Judge Rakoff’s ruling here. Judge Rakoff denied the insurer’s motion to dismiss. But a dismissal motion denial is different than an affirmative determination of coverage. Importantly, his dismissal motion denial does not in any way involve the entry of a judgment in SS&C’s favor. To the contrary, this case is still pending. I can only assume that there are other grounds on which the insurer seeks to deny coverage for SS&C’s losses. This case is potentially a long way from a determination that SS&C’s policy covers the losses.
To be sure, in light of the dismissal motion ruling, the insurer’s potentially best argument against coverage is now shot and the insurer arguably now has stronger incentive to come to the negotiating table. But the bottom line is that at this point this case is not over and SS&C has not yet won its argument that its policy covers the losses it seeks to recover. The limited nature of the court’s ruling is something that should definitely be kept in mind when the significance of this decision is being discussed.