Insurance Coverage for Social Engineering Crimes—How to Avoid Being Victimized Twice
The Situation: Businesses are increasingly at risk of social engineering crimes, and often their commercial insurance policies do not provide the full protection that they expected.
The Result: Three recent decisions illustrate how differences in policy language can produce varied outcomes with respect to social engineering losses.
Looking Ahead: Businesses should review their policies carefully at the time of purchase to ensure the broadest possible protection against email fraud.
Among the fastest growing risks to any business are social engineering attacks, a form of email fraud also known as business email compromises, in which a company's employees are tricked into misrouting funds by an email from a criminal imposter. Most frequently the imposter's email impersonates either a vendor or an executive of the company itself. Businesses in any sector can fall victim to these schemes. When businesses suffer this type of loss and then are denied insurance coverage, the denial frequently comes as a surprise, leaving the business owners feeling as if they have been victimized a second time.
Within a two-month period in summer 2018, two significant appellate decisions affirmed lower court rulings finding coverage for business email compromises. Medidata Solutions Inc. v. Federal Insurance Co., 729 Fed. Appx. 117 (2d Cir. 2018); American Tooling Center, Inc. v. Travelers Casualty & Surety Co., 895 F.3d 455 (6th Cir. 2018). These two decisions signaled a trend in favor of coverage.
Three more recent court decisions, however, illustrate how differences in policy language can produce varied outcomes. These three decisions underscore the importance to businesses of undertaking a proactive review of their insurance programs, with an eye toward this sort of loss, before the policy is purchased.
In Tidewater Holdings, Inc. v. Westchester Fire Insurance Company, 2019 WL 2326818 (W.D. Wash. May 31, 2019), the court held that a corporate indemnity policy covers losses that were incurred when a fake email convinced an employee to change the routing coordinates for payments to a vendor. The policy contained a broad exclusion titled "Fraudulent Transfer Request," which barred coverage under most coverage parts for "the intentional misleading of an employee, through misrepresentation of a material fact…." However, this exclusion was inapplicable to one coverage part, "Supplemental Funds Transfer Coverage," which expressly provided coverage for "Fraudulent Transfer Requests." The court therefore held that coverage applied under that one section of the policy.
In The Children's Place, Inc. v. Great American Insurance Company, 2019 WL 1857118 (D.N.J. April 25, 2019), the policy lacked the "Fraudulent Transfer Request" exclusion, and therefore the court denied an insurer's motion to dismiss with respect to a loss based on intercepted and fraudulent emails under the "Computer Fraud" section in a Crime Protection Policy. However, the New Jersey court granted the insurer's motion to dismiss with respect to a different section of the policy, its "Forgery or Alteration" coverage, finding that the emails were not sufficiently similar to "checks, drafts, or promissory notes" to fall within the wording of that section. Also, the court found no coverage under the "Fraudulently Induced Transfers" section of the policy, on the grounds that the insured did not take certain precautionary measures that might have prevented the loss, and such measures were conditions precedent to coverage under this section.
In Ad Advertising Design v. Sentinel Insurance Company, 2018 WL 4621744 (D. Mont. Sept. 26, 2018), the U.S. District Court for the District of Montana found coverage under the "Money and Securities" coverage provision, and also under the "Forgery" provision, when an imposter posing as the policyholder's president convinced its operations manager to wire multiple payments to an unauthorized bank account. The insurer unsuccessfully invoked a "False Pretense" exclusion, which the court declined to apply because that exclusion required "physical loss," and money in an account did not meet that definition. By that same reasoning, however, the court refused to find coverage under the "Computer Fraud" provision, because that coverage required a showing of "physical loss."
Two Key Takeaways
- While the range of policies that potentially apply to social engineering crimes is broad, their policy wording and structure can differ substantially from one policy to the next. It is therefore vital for companies to review their insurance program closely at the time of placement to ensure that coverage will be provided for social engineering losses.
- Although the law requires ambiguous wording to be construed in favor of coverage, insurers frequently will attempt to exploit uncertainty and ambiguity to deny claims improperly. Coverage denials should be considered carefully and often must be challenged.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.