Two recent cases highlight the importance of understanding the nuances of insurance coverages pertaining to cybercrime and liability.
The U.S. District Court in Ann Arbor, MI ruled that a 2015 incident involving spoofed emails was not covered by American Tooling Center, Inc.’s (ATC) insurance policy with Travelers, which provided coverage for computer fraud. The incident involved an outside party forging an email which appeared to come from a vendor of ATC. The emails instructed ATC to direct payments for outstanding invoices to a new bank account. ATC did not verify the new account information and subsequently transferred approximately $800,000 to a fraudulent account.
ATC filed a claim for the loss with Travelers but was denied. On August 1st, 2017, Judge John Corbett O’Meara found that ATC’s policy with Travelers required a “direct loss…directly caused by the use of any computer.” Judge O’Meara found that ATC’s loss wasn’t directly caused by the use of a computer due to ATC’s failure to verify the authenticity of the new bank account information provided in the spoofed email.
In a somewhat similar case, albeit with a different outcome, a U.S. District Court in New York ruled that Medidata’s claim, also involving email spoofing, was covered under an insurance policy that had been acquired through Chubb Ltd. A forged email, which appeared to be from the president of Medidata, was sent to an employee of the company, directing said employee to wire money to a fraudulent account. The employee wired approximately $4.8 million to the account.
Chubb Ltd. initially denied Medidata’s claim, stating that the emails did not involve a manipulation of Medidata’s computers and were instead due to the manipulations of the individual employees involved. However, the U.S. District Court in New York later ruled that the circumstances of the claim fell under the computer fraud language of Medidata’s policy.
These two cases exhibit the importance of fully understanding the specific policy language of your coverages related to cybercrime and liability, as well as the need for sophisticated internal controls governing wire transfers. The fact that an outside entity may use a computer to facilitate a fraud through social engineering techniques, such as email spoofing and phishing, does not guarantee that you will be covered under a computer crime or cyber liability policy. Regardless of your cyber hygiene protocols and barriers against network penetration, your greatest weakness as it pertains to cyber liability will always be the fallibility of your employees, and it is paramount to understand whether that risk is being adequately managed to avoid unplanned retention.