Court Finds Travelers Crime Policy Covers Money Transfer Loss Due to Email Spoofing
For the second time in about a week, a federal appeals court has sided with a commercial policyholder where the insurer denied coverage under a computer fraud provision of a crime insurance policy for a money transfer involving fraudulent emails.
The Sixth Circuit appeals court found that Travelers was wrong to deny the claim of American Tooling Center, a Michigan tool-and-die company that wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its Chinese subcontractors.
While a lower court agreed with Travelers that the loss was not a “direct loss” caused by the “use of a computer” and thus the crime policy did not apply, that ruling has now been reversed on appeal (American Tooling Center, Inc. v. Travelers Casualty and Surety).
Last week, in a similar case, a federal appeals court in New York ruled that a commercial crime insurance policy covered wire transfer losses resulting from an email spoofing attack. The ruling (Medidata Solutions Inc. v. Federal Insurance Company) by the Second Circuit appeals court found against Chubb subsidiary Federal Insurance Co. Medidata employees were “spoofed” into wiring $5 million to an account that the fraudsters’ emails misrepresented were from an outside attorney and Medidata’s own president.
Both cases involved an increasingly common type of social engineering fraud, where fraudsters impersonating vendors, executives or attorneys convince employees to wire funds to external accounts. Both cases also address whether such losses can be considered direct losses caused by computer fraud as defined in the policies.
The ATC ruling may carry the most weight.
“This case is important because it is the first federal published opinion in the U.S. with a detailed analysis finding that a BEC (business email compromise) scam can cause an insured to suffer a direct loss of money directly caused by computer fraud through one or more email messages,” attorney Douglas Young, of the law firm Wilson Young Costello PLC, who represented ATC, told Insurance Journal.
The Medidata decision was a summary order and not a full published opinion, which lessens its value as a precedent to be honored in future rulings.
Young said insureds with previously denied claims involving a similar email scam may now want to ask whether their insurers should reconsider their claims.
“I think the most significant take-away from this case is that the Sixth Circuit Court of Appeals has clarified its earlier opinions where it stated ‘direct means direct’ or an immediate loss in determining whether there is a ‘direct loss’ under a fidelity bond. Now, in Michigan cases, it is known that direct loss can mean both ‘immediate’ loss or ‘proximate’ cause loss,” Young added.
However, the impact on insurers or insureds is not expected to be major. Experts note that many insurers have already modified their forms to exclude this risk or have created “social engineering” coverage for these losses, which Young said tend to offer reduced sublimits of liability.
Jonathan Schwartz, a partner with Goldberg Segalla in Chicago, said the emergence of these coverages is likely to mitigate against similar rulings on crime insurance policies.
“While the Sixth Circuit found persuasive the existence of commercial crime policies defining ‘computer fraud’ more narrowly than the Travelers policy did, other courts are apt to discover the existence of specific social engineering fraud coverage offerings in the marketplace,”Schwartz told Insurance Journal.“This should serve as persuasive evidence that traditional commercial crime policies are not intended to cover email spoofing claims like the one in American Tooling.”
Travelers declined to comment.
In American Tooling, employees in ATC’s finance department were deceived by fraudulent emails that were forged to appear as if they were coming from a legitimate ATC vendor, Shanghai YiFeng Automotive Die Manufacture Co., resulting in the wire transfers of more than $800,000 to an overseas account thought to be the account of YiFeng.
American Tooling’s policy from Travelers states the insurer “will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.”
Travelers argued that there is no coverage, claiming that ATC did not suffer a “direct loss;” that this was not a case of computer fraud; and the loss was not “directly caused by computer fraud.”
Travelers struck out with the appeals court on all three of its pitches—as well as on its additional claims that three exclusions in the policy barred payment.
ATC and Travelers disagreed about whether the wire transfers of money constituted a “direct loss” of ATC’s money. ATC argued that it suffered a direct loss the moment it paid $834,107 to the impersonator because it no longer had that money in its bank account. In contrast, Travelers argued that the loss only arose later, after the fraud was discovered, when ATC agreed to pay YiFeng at least half of the money still owed.
Michigan’s appellate courts have defined a “direct” loss as one resulting from an “immediate” or “proximate” cause, “as distinct from remote or incidental causes.” This appeals court agreed with ATC that it suffered a “direct loss” under either definition—direct as immediate only or direct as immediate or proximate. Writing for her fellow judges, Justice Karen Nelson Moore offeried an analogy to explain the court’s reasoning:
“A simplified analogy demonstrates the weakness of Travelers’ logic. Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex’s fingers. Travelers’ theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill. This interpretation defies common sense.”
The two parties also were at odds over whether the fraudulent scheme constituted “computer fraud” under the policy. According to the the policy, computer fraud means: “the use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or to a place outside the Premises or Financial Institution Premises.”
Travelers argued that this definition requires a computer to “fraudulently cause the transfer” and that it is “not sufficient to simply use a computer and have a transfer that is fraudulent.” Under Travelers’ narrower definition, computer fraud must involve hacking or criminal behavior. Because “computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy,” the insurer contended.
Travelers struck out with this argument as well. The impersonator sent ATC fraudulent emails using a computer and these emails fraudulently caused ATC to transfer the money to the impersonator, the court noted. “Travelers’ attempt to limit the definition of “Computer Fraud” to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer is not well-founded,” the ruling states. “If Travelers had wished to limit the definition of computer fraud to such criminal behavior it could have done so. Because Travelers did not do so, the third party’s fraudulent scheme in this case constitutes “Computer Fraud” per the Policy’s definition.”
Strike three for Travelers came on its argument that the “direct loss” was not “directly caused” by the computer fraud. The appeals court found that ATC has met its burden “because the computer fraud was an immediate cause of its loss” even though the chain of events that was precipitated by the fraudulent emails and led to the wire transfers involved multiple internal actions at ATC.
According to Erica Davis, senior vice president, JLT Re (North America) Inc., who works with carriers on cyber issues, both decisions “highlight the varying scope of coverage provided under crime policies for social engineering related incidents” and show that the “direct loss” and “directly caused by” crime policy language is open for interpretation.
But the real threat is how these scams are proliferating.
“Given the success of these types of attacks, we can expect bad actors to continue to prey on employees. As we’ve observed, the scams will also become increasingly sophisticated,” Davis added.
- Impact of Court Ruling Chubb Unit’s Crime Policy Covers ‘Spoofed’ Wire Transfer
- The Modern Fraudster: How Courts Are Responding to Social Engineering Fraud
- Beazley Expands Coverage for Social Engineering, Online Fraud Scams
- Coalition, a Cyber Insurer and Cybersecurity Firm, Makes Its Debut
- Chubb Launches Crime Coverage for Payment Fraud
- Cyber Insurance Claims from Fraudulent Instruction Scams Rise: Beazley