The Intelligent Quarterly from the publishers of The Insurance Insider

Summer 2018

Search archive


Cyber or crime?

Vince Vitkowsky

Businesses face an endless stream of attempted deceptive fund transfers, many of which are successful.

Although insureds instinctively think of these as "cyber losses," they have not been covered by most cyber insurance policies. Rather, they most often involve interpretation of commercial crime policies and financial institution bonds.

There are at least seven potential scenarios to consider:

  1. The transfer is effected entirely by a hacker independently penetrating a computer system, and making the transfer;
  2. The hack and transfer are enabled by employee negligence;
  3. The fraudster convinces an employee to reveal credentials, enters the network by using them, and then transfers funds;
  4. The fraudster gets an employee to open an attachment or click on a link, thereby allowing the network to be penetrated, and allowing the transfer of funds;
  5. The fraudster, through emails or telephone calls or both, poses as a company's executives, vendors or customers and convinces an employee to transfer funds;
  6. An employee enters data believed to be accurate, but which in fact is fraudulent; and
  7. A rogue employee makes an improper transfer or enters fraudulent data.

Numbers three, four and five are variants of "social engineering", a term used to describe the manipulation of people into performing acts or divulging confidential information.

The application of computer fraud and funds transfer fraud coverages to deceptive fund transfers involving computers has arisen in several recent cases, and courts have reached various results.

The main issues have been whether the policy applies to the activities of authorised users or only to the activities of outside hackers, and whether there is causation when the deception involves multiple elements, such as emails, telephone calls and employee acts or negligence.
The leading recent US cases are discussed below.

Authorised user analysis
Universal American Corp vs Nat'l Union Fire Ins Co of Pittsburgh, PA, 25 NY 3d 675 (2015): The New York Court of Appeals (New York's highest court) held that there was no coverage under a financial institutions bond for losses arising when healthcare providers who were allowed to submit claims directly into the computer system of a health insurer (the insured) submitted over $18mn in fraudulent claims.

The bond excluded "losses resulting directly or indirectly from fraudulent instruments which are used as source documentation in the preparation of Electronic Data, or manually keyed into a data terminal".

The court found that the bond provided coverage for losses incurred through unauthorised access to the computer system, i.e. the deceitful and dishonest acts of outside hackers, but not to fraudulent information entered by authorised users.

Pestmaster Services Inc vs Travelers Cas and Surety Co of America, 2016 WL 4056068 (9th Cir 29 July, 2016): Applying California law, the court affirmed a district court holding that there was no coverage for lost funds transferred by the insured to a payroll company that failed to remit the portion representing payroll taxes to the Inland Revenue Service.

It found that neither the computer fraud nor the funds transfer fraud insuring agreements apply where the transfer is made by an employee who was an authorised user of the system.

Also, it found: "Because computers are used in almost every business transaction, reading [the Computer Fraud] provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a 'General Fraud' Policy."

Causation analysis
Apache Corp vs Great American Ins Co, 2016 WL 6090901 (5th Cir 18 Oct 2016): Applying Texas law, the Fifth Circuit found no coverage for a social engineering-induced transfer of funds under a crime protection policy. The computer fraud provision insured against "loss... resulting directly from the use of any computer to fraudulently cause a transfer of [money] from inside the premises".

The fraudster made a telephone call to an oil production company claiming to be an actual vendor, and requested that future payments be sent to a new bank account. Upon being told the request had to be made in writing, the fraudster sent an email from an email address that was similar to the vendor's, attaching a letter purportedly on the vendor's letterhead providing both the old bank account transfer number and the new one.

An Apache employee called the telephone number on the letter, and spoke with a person using the name of the individual who usually dealt with invoices for the vendor. The Apache employee concluded the requested change was legitimate. A different Apache employee approved and implemented the change, and in response to invoices from the actual vendor, transferred millions of dollars to the fraudster's account.

In finding there was no coverage, the court concluded that although the email was part of a scheme, it was merely incidental to the occurrence of the authorised transfer of funds. If Apache had conducted a more thorough investigation, such as calling the correct telephone number known from past communications, it would not have changed the account information.

"Cyber deception and social engineering losses provide a fertile ground for dispute within the context of a rapidly evolving insurance market"

The State Bank of Bellingham vs BancInsure, Inc, 2016 WL 2943161 (8th Cir 20 May 2016): The court found there was coverage under a financial institution bond when a hacker broke into a network and performed fraudulent wire transfers, notwithstanding that the hack was enabled by employee negligence.

Employees left computers on overnight with tokens still inserted, giving access to the Federal Reserve's FedLine Advantage Plus system.

Applying Minnesota law and the concurrent causation doctrine, the court held that the "efficient and proximate cause" of the loss was the transfer by the hacker, not the negligence of the employees.

Principle Solutions Group, LLC vs Ironshore Indemnity, Inc, 2016 WL 4618761 (ND Ga 30 Aug 2016): This case found coverage when an employee of the insured transferred $1.7mn as a result of a scheme in which a fraudster posing as an executive sent an email to the employee instructing her to make the transfer, but the specifics as to where to wire the funds were provided in a subsequent telephone call.

The insurer argued that because of the intervening telephone call and the company employee's actions in setting up and approving the transfer, the loss was not covered.

The policy provided coverage for loss "resulting directly from a 'fraudulent instruction' directing a 'financial institution' to debit [the insured's] 'transfer account' and transfer pay, or deliver 'money' or 'securities' from that account".

The court found that this provision was ambiguous and should be construed in favour of the insured.

Industry reaction
Some crime insurers now offer crime policies that expressly provide coverage for certain deceptive funds transfers, including those effected through social engineering. They tend to be subject to sub-limits, which are frequently $250,000.

Also, an increasing number of cyber insurers now expressly provide coverage for some of these risks. According to The Betterley Report's June 2016 "Cyber/Privacy Insurance Market Survey", of 31 cyber insurers surveyed, 13 offer some coverage for various types of deceptive funds transfers.

Coverage is most often afforded with sub-limits of $250,000, although some insurers have sub-limits of $500,000 or $1mn, and possibly more, "subject to underwriting".

In conclusion, cyber deception and social engineering losses provide a fertile ground for dispute within the context of a rapidly evolving insurance market. They will continue to present coverage issues for resolution by the courts.

Vince Vitkowsky is a partner at Seiger Gfeller Laurie LLP, offering litigation, counselling, and product development to (re)insurance companies for classes including cyber, E&O, D&O and CGL.

This article was published as part of issue Spring 2017

Euromoney Trading Limited - 3rd Floor, 41 Eastcheap, London, EC3M 1DT, United Kingdom. The content of this website is copyright of Euromoney Trading Limited 2018. All rights reserved Euromoney Trading Limited actively monitors usage of our website and products and reserves the right to terminate accounts if abuse occurs.