Among the fastest growing risks to any business are social engineering attacks, a form of email fraud also known as business email compromises, in which a company's employees are tricked into misrouting funds by an email from a criminal imposter. Most frequently the imposter's email impersonates either a vendor or an executive of the company itself. Businesses in any sector can fall victim to these schemes. When businesses suffer this type of loss and then are denied insurance coverage, the denial frequently comes as a surprise, leaving the business owners feeling as if they have been victimized a second time.
Within a two-month period in summer 2018, two significant appellate decisions affirmed lower court rulings finding coverage for business email compromises. Medidata Solutions Inc. v. Federal Insurance Co., 729 Fed. Appx. 117 (2d Cir. 2018); American Tooling Center, Inc. v. Travelers Casualty & Surety Co., 895 F.3d 455 (6th Cir. 2018). These two decisions signaled a trend in favor of coverage.
Three more recent court decisions, however, illustrate how differences in policy language can produce varied outcomes. These three decisions underscore the importance to businesses of undertaking a proactive review of their insurance programs, with an eye toward this sort of loss, before the policy is purchased.
In Tidewater Holdings, Inc. v. Westchester Fire Insurance Company, 2019 WL 2326818 (W.D. Wash. May 31, 2019), the court held that a corporate indemnity policy covers losses that were incurred when a fake email convinced an employee to change the routing coordinates for payments to a vendor. The policy contained a broad exclusion titled "Fraudulent Transfer Request," which barred coverage under most coverage parts for "the intentional misleading of an employee, through misrepresentation of a material fact…." However, this exclusion was inapplicable to one coverage part, "Supplemental Funds Transfer Coverage," which expressly provided coverage for "Fraudulent Transfer Requests." The court therefore held that coverage applied under that one section of the policy.
In The Children's Place, Inc. v. Great American Insurance Company, 2019 WL 1857118 (D.N.J. April 25, 2019), the policy lacked the "Fraudulent Transfer Request" exclusion, and therefore the court denied the insurer's motion to dismiss with respect to a loss based on intercepted and fraudulent emails under the "Computer Fraud" section in a Crime Protection Policy. However, the New Jersey court granted the insurer's motion to dismiss with respect to a different section of the policy, its "Forgery or Alteration" coverage, finding that the emails were not sufficiently similar to "checks, drafts, or promissory notes" to fall within the wording of that section. Also, the court found no coverage under the "Fraudulently Induced Transfers" section of the policy, on the grounds that the insured did not take certain precautionary measures that might have prevented the loss, and such measures were conditions precedent to coverage under this section.
In Ad Advertising Design v. Sentinel Insurance Company, 2018 WL 4621744 (D. Mont. Sept. 26, 2018), the U.S. District Court for the District of Montana found coverage under the "Money and Securities" coverage provision, and also under the "Forgery" provision, when an imposter posing as the policyholder's president convinced its operations manager to wire multiple payments to an unauthorized bank account. The insurer unsuccessfully invoked a "False Pretense" exclusion, which the court declined to apply because that exclusion required "physical loss," and money in an account did not meet that definition. By that same reasoning, however, the court refused to find coverage under the "Computer Fraud" provision, because that coverage required a showing of "physical loss."