Breach Exclusions in E&O Policy Upheld in $1.3M Money Transfer Claim

July 4, 2022

A company that transferred $1.3 million from a client’s payment fund in response to emailed requests from a hacker has lost its bid for insurance to cover the loss.

Pennsylvania-based Construction Financial Administration Services (CFAS) argued that the money error should be covered under its errors and omissions policy even though the policy contained breach exclusions. CFAS maintained that the breach of the client’s systems was not the cause of the loss, but even if it were, its own negligence also was a cause so the loss should be covered.

The federal district court for western Pennsylvania found that Federal Insurance Co. was right to deny the $1.3 million claim under the breach exclusions. The language of both exclusions “clearly contemplates losses” precipitated by social engineering fraud schemes such as hacking, the court found.

The policy excluded any claims “based upon, arising from or in consequence” of any unauthorized access to or use of any computer program.

Even if the exclusion did not apply, Federal was right to deny the claim because the insured failed to notify the insurer as required before admitting its liability and taking action, the court further noted.

CFAS administered a fund for construction projects, receiving funds and making payments to suppliers and contractors on behalf of clients including SWF Construction, a firm working on a border fence in Calexico, California, in 2017. To trigger a payment, the client would provide the one person at CFAS authorized to make disbursements with a voucher for each payment request and identify what line item to charge.

The two wire transfers at issue — one for $600,000 and another for $700,000 — were made by the CFAS employee in response to email requests from what he thought was the client. However, the employee transferred the funds without first obtaining vouchers or line item information from the client. As became known later, the requests were frauds made by someone who had gained unauthorized access to SWF’s systems.

CFAS argued that the loss was not “based upon, arising from or in consequence of” an unauthorized access or use of a computer system. Instead, CFAS argued that its failure to obtain proper paperwork was a proximate cause of the fraudulent transfer, in addition to the hacker’s access to SWF’s computer system. Since CFAS’s failure to obtain the necessary paperwork contributed to the company’s actions, CFAS concluded the exclusion does not apply.

According to CFAS, a loss may have more than one cause. Even if the breach exclusion applies, a policyholder is not excluded from coverage where there is more than one cause of an injury and only one of the causes is excluded, the firm contended.

The insurer argued that the facts clearly fall under the exceptions since the fraudulent user logged into the client’s email accounts and posed as one of its employees.

The court sided with Federal that “even under the narrowest construction” the policy’s language excludes CFAS’s claim.

The court rejected the notion that the wire transfers were the result of the paperwork failure. There was just one cause — the unauthorized emails — and the losses caused by social engineering events such as hacking are not covered by the policy, the court ruled.

“CFAS’s lack of receipt of proper documentation could not have caused the injury in question (here, the fraudulently-induced money transfers) without the emails precipitated by the hacker’s unauthorized access to SWF’s network. CFAS would not have sent the funds to the bank account included by the fraudster without first receiving the unauthorized emails. The existence of the loss did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails. Even more literally, CFAS would not have been able to transfer the funds to HK without the unauthorized emails because the emails contained the account information,” the opinion states.

The court added that the policy has broader language than necessary in this case. Instead of confining the breach exclusions to injuries “arising out of” unauthorized access, it further excludes injuries “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to” any computer program or network. The fact that this language casts a wider net cannot be ignored, the court added.

In addition to the breach exclusions, the policy included a notification requirement that CFAS could not settle any claim or admit any liability with respect to any claim without Federal’s prior written consent. Following the fraudulent disbursements, in response to a demand from SWF, CFAS borrowed $1 million and placed those funds into the SWF disbursement account in order to avoid default of payment to the client’s actual subcontractors and suppliers. It did not first notify Federal.

The insurer argued that CFAS violated the notification clause by responding to SWF’s demand letter with a unilateral payment of $1 million. This robbed Federal of the ability to investigate any comparative fault on behalf of SWF or evaluate the events land its options surrounding the fraudulent transfers.

The court concluded the insurer has likely shown CFAS’s failure to notify was a sufficient basis to deny coverage.