Social Engineering Fraud Cases: Disparate Issues in Crime and Cyber insurance

Insurance policies are constructed in reaction to the emerging financial exposures of businesses as underwriters isolate an acceptable portion of risk and structure parameters of coverage.

Despite such proactive efforts, conflicts still arise as to the proper insurance vehicle for financial loss recovery.

Case in point: Fraudulent Email Schemes Resulting in the Transfer of Money or Other Property.  I am sure that many readers recall that “Brick and Mortar Crimes” of deception historically referred to in insurance terms, as theft by scheme, trick or device.  

 A recent appellate case, Taylor & Lieberman v Federal Insurance Company, from the Ninth Circuit, (found here), exposes the  potential shortcomings of relying upon a Commercial Crime Policy, Financial Institution Bond, and/ or a Cyber Insurance Policy without an expressly provided and appropriately constituted grant of Social Engineering coverage. 

In this particular case, the insured was instructed by an outside party purporting to be a client to wire certain of such client’s funds to a third party. This happened several times before the fraud was discovered, however the insured’s client ultimately suffered a sizeable loss of funds.

 In its decision, the Ninth Circuit Court of Appeals succinctly determined that for the reasons specified in its ruling, basic required elements of loss were lacking, so:

1.  There is no forgery coverage;

2.  There is no computer fraud coverage; and

3.  There is no funds transfer fraud coverage

Cyber insurance is now readily available in the market. It has evolved beyond the initial scope of network security and privacy liability to now routinely extend to other associated electronic risks, up to and including facets of ‘cyber crime’. Unlike the traditional commercial crime policy, it is intended for and should be more adequately designed to respond to e-business and internet liability exposures.

Extensions also now exist under cyber policies for ‘computer fraud’ (also known as ‘social engineering’ fraud) and ‘funds transfer fraud’.

Computer fraud (‘social engineering’ fraud) includes various other monikers such as: ‘fake president fraud’, ‘impersonation fraud’, ‘business email compromise’, etc. The typical theme of these types of losses involves an illegitimate instruction from a party impersonating a C-suite executive, a vendor, a customer or some other authorized employee to cause an insured to conduct a financial transaction (or series of such) resulting in a financial loss.

Funds Transfer fraud generally involves a fraudulent instruction by a third party to a financial institution directing such institution to pay, transfer or deliver money and securities from an account maintained by the insured, without the insured’s knowledge or consent

Policies are by no means uniform in the scope of coverage, however some basic elements as described above should be present. It is essential to review such wordings carefully.

A contrasting decision came down only last week from the U.S. District Court for the Southern District of NY regarding a somewhat similar fact pattern and related coverage issues in Medidata Solutions Inc. v. Federal Ins. Co. (found here). In this case, however, the judge ruled in favor of the insured plaintiff seeking coverage under the provisions of a commercial crime policy.

It is essential that firms take action to augment their Crime and Cyber policies as appropriate.  But keep in mind that off-the-shelf Social Engineering Endorsements are not designed to cover all exposures.  For example, an Endorsement that limits coverage for claims involving the transfer of money from an Insured’s own account would not have helped the Insured in the Taylor & Lieberman case since the monies that the Insured transferred were from a client’s account.  Also, if there is an exposure to property other than money, the Endorsement must expressly specify that “money and other property” are covered.

CONCLUSION

Decisions may be drastically different in this emerging area based on the facts and the policy forms. The applicable coverage provisions between a commercial crime policy and a ‘cyber’ policy may not be mutually exclusive. Some overlap may also exist.

Careful coordination of both policies is the recommended strategy.

Trinity International is the broker who has the requisite skill and experience to help guide you and your client through various available coverage options.