Although companies may be operating under the perfectly reasonable expectation that their insurance policies cover them against cyberfraud schemes, they might be surprised to know (or maybe not) that their insurers are taking the exact opposite position when confronted with such claims. In courtrooms across the country, insurers are consistently denying coverage for claims made for one of the most common types of cyberfraud – business e-mail compromise scams. Although there are various versions of this scam, it generally involves the criminal spoofing an e-mail account to pose as a company officer, attorney, or vendor to trick an employee into initiating a fraudulent wire transfer. These attacks have become exponentially more sophisticated, as the cybercriminals often use social engineering and other tactics designed to identify and replicate legitimate wire transfer requests – the only difference being that the money is wired to the criminal’s offshore bank account.
Two such cases, American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America (6th Cir. 2017) and Medidata Solutions, Inc. v. Federal Insurance Company (2d Cir. 2017), are currently on appeal in federal court. In these cases, employees were tricked into initiating wire transfers after having received fraudulent e-mails from cybercriminals posing as a vendor (American Tooling) and an executive (Medidata Solutions). Although the cases involve somewhat different policy language and led to different results, insurance companies are united in their efforts to establish that “computer fraud” coverage does not apply in these situations. In both appeals, the Surety and Fidelity Association of America (SFAA), which claims to have 414 members that “write the vast majority of fidelity insurance policies issued in the United States,” filed amicus briefs taking the position that the insureds’ claims should be denied.
Essentially, the SFAA argues that when an employee of an insured is tricked by a cybercriminal into making a fraudulent wire transfer through the use of e-mail, no “computer fraud” occurred because the wire transfer was validly made by one or more company employees. On this view, the fact that the employees were duped by criminals using social engineering and spoofed e-mails does not bring the losses within “computer fraud” coverage (i.e., no fraudulent e-mail or third-party criminal caused the wire transfer; the employee did).
The merits of these appeals aside, there is little doubt that many companies believe that they are insured against such losses due to “computer fraud” coverage in their policies, and this is not an unreasonable expectation. However, insurance companies do not agree, and the cybercrime coverage that companies believe they have purchased may very well end up being illusory if they fall victim to such an attack.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high quality legal representation in intellectual property, cybersecurity, and technology matters and disputes.