In the fast-developing world of cyber threats and corresponding cyber coverage, at least two insurance carriers are pushing back against covering losses arising out the transfer of funds to cyber fraudsters after employees were tricked into thinking they were participating in legitimate business transactions. Coverage for this kind of commercial fraud is currently offered both under the more traditional commercial crime policies and under the new and developing suite of cyber policies. Yet, as the occurrence of these cyber-cons increases, two current cases out of Texas and Georgia indicate that at least some carriers are moving to deny coverage under commercial crime policies on technical grounds. These cases are significant for two reasons: they highlight the overlooked threat of significant losses from transfers induced by cyber fraud, and they also raise the sometimes murky question of just what constitutes a “cyber” loss.

In Principle Solutions Group LLC v. Ironshore Indemnity Inc., No. 1:15-cv-04130 (N.D. Ga.), an employee of Principle received an email from her boss asking her to work with outside counsel “Mark Leach” to wire funds to close a purported acquisition. Both the email and the supposed lawyer were fake. Unfortunately, the company did not realize this until after the employee had calls with the fake lawyer and wired $1.7 million according to his instructions. When Principle submitted the loss for coverage under its $5 million commercial crime policy, however, Ironshore denied the claim.

Among other things, Ironshore argues that the event was not covered because the fake email from the employee’s boss did not contain the specific instructions to transfer the funds. Rather, it was the subsequent phone calls with a fake lawyer that actually led to the fraudulent transfer. Ironshore argues the distinction is important—Principle’s commercial crime policy only provides coverage for losses from electronic or written instructions to transfer funds from someone purporting to be an employee. Since it was the fake outside counsel that actually directed the transfer, Ironshore takes the position that the loss is not covered. Principle argues that Ironshore’s distinctions are meaningless and that the fraud was accomplished by a false representation that an executive had authorized the transfer of funds. The parties are currently exchanging summary judgment briefs around these issues.

Ironically, Apache Corp. v. Great American Insurance Co., No. 15-20499 (5th Cir.), involves the exact opposite sequence of facts, yet still has resulted in the carrier denying coverage. The fraud at issue in that case started with a phone call, not an email, from someone purporting to be one of Apache’s well-established vendors asking Apache to change the bank account information that Apache used for payment purposes. When the Apache employee informed the fraudster that he would need the request on official letterhead, the fraudster complied, sending a fake email with a scanned letter on the vendor’s official letterhead.  As a result, Apache suffered a loss of over $2.4 million. When Apache submitted the claim for coverage, however, Great American denied the claim.

The applicable coverage provision under Apache’s commercial crime policy turns on whether the transfer constituted “computer fraud.” Great American claims, among other things, that the fake email was not critical to the fraud and thus did not really count as “computer” fraud, and that the email was not actually from the correct domain name of the vendor and thus did not constitute hacking. Finally, the insurer takes the position that the email, at best, only caused Apache to change the bank account, not actually wire the money to the fraudster, such that the loss did not “directly result” from “computer fraud.” The district court sided with Apache, holding that Apache would not have been defrauded except for the fraudulent email and that this computer fraud directly led to the transfer of funds. Great American has appealed that decision to the Fifth Circuit.

Although how the Principle and Apache cases will ultimately be decided is not known yet, both cases illustrate why it is important to work with brokers and coverage counsel to clearly understand the types of risks your company faces. Furthermore, although both Principle and Apache deal with commercial crime policies, similar issues can arise under stand-alone cyber policies where provisions may require that a loss has a tight causal relationship with unauthorized access of covered computer systems. In an age where all transactions are in some manner electronic, companies should beware of coverage provisions that turn on a nebulous distinction between whether a loss is really a “cyber” loss.

Reporter, Andrew M. W. Mutter, Atlanta, +1 404 572 4705, amutter@kslaw.com.