In today’s digital world, there are many scams that fraudsters employ to steal money and information from your company. Those computer-based scams include hacking, phishing, ransomware, and spoofing, to name only a few. The first step in protecting against these cyber crimes is to have the appropriate information technology and employee checks and balances in place to prevent such scams. Another way to protect against these scams is to work with your counsel and insurance agent to purchase the appropriate insurance, with the appropriate amount of coverage, to attempt to guard against them.
What is a Computer Crime and Computer Fraud Insurance Policy?
There are many insurance products in the marketplace that purport to cover computer crime and computer fraud. This type of insurance may take the form of a stand-alone policy, or simply be part of a larger policy protecting your business.
Computer crime and computer fraud insurance policies will typically have coverage provisions entitled “social engineering fraud,” and/or “computer fraud,” and/or “funds transfer fraud,” and/or “forgery.” These insurance provisions cover different types of fraud and cyber crime scenarios and should be well defined in the policy. Nevertheless, when cyber theft occurs, and there is an insurance coverage dispute, these provisions will likely be the subject of litigation.
It is critical to read and understand what is and is not covered by your company’s computer crime and computer fraud insurance policy. The goal, of course, is to have coverage for most, if not all, cyber crime that your company encounters. Let’s look at some examples of how courts have interpreted provisions under these types of insurance policies.
Fraudster Posing as a Client
In one case, a law firm was the victim of a scheme where, via e-mail, a fraudster posed as a new client. Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., No. CV095024601, 2010 WL 4226958, at *1. The fraudster sent a fake physical check to that law firm, asked the firm to deposit that check into the firm’s trust account, and then to wire funds to the fraudster’s account. The law firm wired the funds before the fake check was rejected by its bank. When the law firm sought insurance coverage, the insurance company denied the claim, arguing the loss was not caused by computer fraud.
The insurance policy provided that: “We will pay you for your direct loss of, or your direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” Under the policy, “computer fraud” was defined as “the use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Banking Premises: to a person (other than a Messenger) outside the Premises or Banking Premises; or to a place outside the Premises or Banking Premises.”
The insurance company argued the law firm’s loss was not directly caused by a computer and/or its use, but, instead, was caused by the firm’s employee calling the bank and directing the bank to initiate the wire transfer to the fraudster. The law firm, on the other hand, argued that, in the insurance context, direct causation was synonymous with proximate cause. The law firm argued the fraudster’s email correspondence induced the firm to wire the funds, and was, therefore, the proximate cause of the loss. The court agreed with the law firm and denied the insurer’s motion for summary judgment.
While the Owens decision was ultimately vacated, by stipulation of the parties, it is instructive. Specifically, it provides insight into how courts may interpret computer fraud insurance policies and the actions necessary to cause the loss and implicate insurance coverage.
Fraudster Posing as Company President
In Medidata Sols., Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471, an accounts payable employee received an email, purportedly sent from the insured’s president. The email message contained the president’s name, email address, and picture in the “From” field of the email. That email informed the employee that the insured was close to finalizing an acquisition, and that an attorney would contact her.
The employee then received a phone call from a man who held himself out as that attorney, and who instructed the employee to process a wire transfer. The employee explained she needed an email from the insured’s president requesting the wire transfer, and approval from the insured’s vice president and director of revenue. The employee, the vice president, and the director of revenue then received a group email, purportedly sent from the company’s president, asking them to approve and process a payment of $4.7 million.
The employee initiated the payment, and the vice president and director of revenue each logged into the company’s banking website and approved the transfer. The employee and vice president subsequently discovered that the emails, purportedly from the company president, were fake, and the result of fraudsters hacking their email system and impersonating the president. The insured made a claim for computer fraud coverage, and the insurer denied the claim.
The insurance policy provided coverage for the “direct loss of Money, Securities or Property sustained by an [the insured] resulting from Computer Fraud committed by a Third Party.” The policy defined “Computer Fraud” as: “[T]he unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation.”
In finding that the business’ financial loss was covered under its insurance, the court stated, “The chain of events began with an accounts payable employee receiving a spoofed email from a person posing as [the insured’s] president.” The business initiated the transfer of funds due to the fraudster sending spoofed emails posing as the president, and the employee would not have initiated the wire transfer, but for the fraudster’s manipulation of those emails.
Fraudster Posing as a Vendor
In Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455, 458 (6th Cir. 2018), the insured subcontracted some of its manufacturing work to a Chinese company. The insured received a series of e-mails, purportedly from that Chinese vendor, stating the vendor had changed bank accounts and requesting that the insured make payment to that account in the future.
After sending $800,000.00 in payments, the insured discovered that the e-mails from its purported vendor were fraudulent, and that it had sent those payments to a fraudster’s account rather than to its vendor’s. The insured then made a claim for computer fraud coverage under the applicable insurance policy, and the insurer denied coverage. After the insurance company obtained summary judgment, the insured appealed, and the summary judgment was reversed.
The applicable insurance policy provided that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.”
Computer Fraud was defined in the insurance policy as:
The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises: to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or to a place outside the Premises or Financial Institution Premises.
The appellate court found there was coverage under the insurance policy for the computer fraud, and held that the fraudster sent the insured emails using a computer, and these emails fraudulently caused and induced the insured to transfer money to the fraudster.
The world of cyber crime and cyber fraud is constantly evolving, with fraudsters devising new and more intricate schemes to steal money from your company. The cases cited above turned on the language of the applicable insurance policies, as well as the type of scheme the fraudster employed. To best protect your company, ensure you have internal checks and balances in place with your employees to guard against computer crime and computer fraud. In addition, work with your counsel and your insurance agent to ensure you have the proper insurance coverage in place to best protect against computer crime and computer fraud.