In the following guest post, Geoffrey B. Fehling and Michael S. Levine review and analyze a September 2, 2021 Fifth Circuit decision in which the appellate court reversed a lower court ruling and held that a D&O insurance policy must cover a settlement related to a social engineering loss. Geoffrey is a counsel in Hunton Andrews Kurth’s Boston office and Michael is a partner in the firm’s Washington, D.C. office. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.
Continue Reading Guest Post: 5th Circ.: D&O Insurer Must Cover Firm for Social Engineering Losses Despite Professional Services Exclusion
social engineering fraud
“Voluntary Parting” Exclusion Precludes Coverage for Social Engineering Fraud Loss
Social engineering fraud, or as it is sometimes called, business instruction fraud, has unfortunately become all too common. In many instances, the defrauded companies’ losses are huge. In a recent insurance coverage dispute, the social engineering fraud loss involved was not as large as some of the others have been. Unfortunately, and notwithstanding the relatively small size of the loss, the court concluded that coverage for the company’s loss was precluded by the “voluntary parting” exclusion in its crime policy. As discussed below, there are still some lessons to be drawn from this case. Eastern District of Virginia Judge John A. Gibney, Jr.’s February 20, 2020 opinion in the case can be found here.
11th Circuit: Crime Policy Covers Payment Instruction Fraud Loss
Earlier this week, I published a post noting the challenges policyholders can face in establishing coverage under traditional crime and cyber liability insurance policies for losses arising from “payment instruction fraud” (sometimes called “social engineering fraud”). I also discussed the recent availability of sublimited coverage extensions for these kinds of losses. In response to my earlier post, several readers sent me messages noting that several courts have, in fact, found coverage under commercial crime policies for payment instruction fraud losses. As if to prove their point, the same day as I published my post, the 11th Circuit issued an opinion affirming a district court ruling that a firm’s payment instruction fraud losses are covered under the “fraudulent instruction” provisions of the applicable commercial crime policy. The 11th Circuit’s December 9, 2019 opinion can be found here.
Payment Instruction Fraud and Cyber Insurance Coverage
As I have noted in prior posts, a recurring challenge many organizations face these days is the threat of “payment instruction fraud,” also sometimes called “social engineering fraud” or “payment impersonation fraud.” In these schemes, scammers use official-seeming email communications to induce company employees to transfer company funds to the imposters’ account. Among the many issues arising when these kinds of scams occur is the question of insurance coverage for the loss. Some victims may expect that their cyber liability insurance will cover their loss.
However, as Lauri Floresca of Woodruff-Sawyer points out in her December 5, 2019 post on her firm’s blog entitled “Payment Impersonation Fraud: Why is This Common Cyber Problem Not a Valid Cyber Claim” (here), these claims rarely involve the kind of cyber security breach required to trigger cyber insurance coverage. Accordingly, there are other steps well-advised companies may want to take to try to protect themselves from these kinds of losses.
Insurer’s Bid to Dismiss Complaint Seeking Coverage for Payment Instruction Loss Denied
One of the more challenging issues businesses must confront as wrongdoers have turned Internet tools into criminal devices has been the rising threat of payment instruction fraud, or, as it is sometimes called, social engineering fraud. Along with these crimes have come vexing questions of insurance coverage for the ensuing losses. Courts have struggled to determine whether or not payment instruction fraud losses are covered under Crime policies. A recent case in the Southern District of New York raises the question whether a payment instruction fraud loss is covered not under a Crime policy but rather under an insurance policy containing both E&O and Cyber coverages.
SEC Warns of Need for Internal Controls to Prevent Cyberscams
The threat of cyberscams in the form of what has been called “social engineering fraud” or “payment instruction fraud” has become pervasive. In these swindles, imposters posing as senior corporate executives or company vendors direct company personnel to transfer funds to accounts that the imposters control. Losses from these frauds can be substantial, and, as I have noted in prior posts on this site, the insurance coverage questions these losses present can be challenging. Earlier this week, the SEC released an investigative report taking a look at what the agency called “business email compromises” at nine different public companies. The report underscores the need for companies to take cyber threats into account when implementing internal accounting controls. The report has some interesting insurance underwriting implications as well. The SEC’s October 16, 2018 press release about the report can be found here.
While You Were Out
September is here. Labor Day has come and gone. Time to put away the swim trunks, parasols, flip flops, bungee cords, ukuleles, sun screen, boomerangs, bongos, snorkels, vorpal blades, and unicycles, and get back to work. Yes, it is time to answer all those emails and return all of those phone messages. And most importantly of all, it is time to catch up on what has been happening in the world of directors’ and officers’ liability and insurance. Here is what happened while you were out.
Insurer Seeks Rehearing of Ruling That Payment Instruction Fraud is Covered
The insurer on the receiving end of the recent Sixth Circuit ruling that a payment instruction fraud loss is covered under the Computer Fraud section of a Commercial Crime policy has filed a petition for rehearing or rehearing en banc. In its July 27, 2018 petition (here), the insurer contends that the Sixth Circuit’s analysis in its decision was at odds with its own prior precedent, and as a result the appellate court applied the wrong causation analysis in determining whether or not the fraudulent email “directly” caused the loss of the policyholder, American Tooling Center (ATC).
6th Circ.: Crime Policy’s Computer Fraud Section Covers Email Scheme Losses
In the second policyholder-favorable federal appellate court decision on the issue in a matter of days, the Sixth Circuit has held that the Computer Fraud provisions of a commercial crime policy cover a company’s losses from an email payment instruction fraud scheme. Just last week, the Second Circuit ruled in the Medidata case that Computer Fraud coverage applied to losses incurred in a similar email scam. However, the Sixth Circuit’s decision may be even more helpful for policyholders as, unlike the Second Circuit’s decision, the policyholder-favorable ruling is not as dependent on very specific factual determinations about the way the fraudster manipulated the harmed company’s email program. The Sixth Circuit’s July 13, 2018 decision in the American Tooling Center (ATC) case can be found here.
Second Circuit: Computer Fraud Coverage Section Covers Fraudulent Email Funds Transfer
In a much anticipated decision, on July 6, 2018 the Second Circuit, applying New York law, affirmed a district court ruling that the computer fraud provisions of a commercial crime coverage section covered the losses Medidata incurred when the company’s employees transferred funds in response to a spoofed email. The appellate court’s opinion could prove valuable for other policyholders seeking to establish that their crime policies provide coverage for losses incurred as a result of social engineering fraud (also known as payment instruction fraud). The Second Circuit’s July 6, 2018 opinion can be found here.