No Coverage for Loss in Consequence of Social Engineering Fraud

Wiley Rein LLP

Applying North Carolina law, a federal district court has held that an E&O insurance policy does not provide coverage for loss arising from social engineering fraud despite the fact that the insured’s negligence also contributed to the loss. Constr. Fin. Admin. Servs. LLC d/b/a CFAS v. Fed. Ins. Co., 2022 WL 2073824 (E.D. Pa. June 9, 2022).

An insurer issued an E&O Policy to a third-party construction funds company whose business required it to disburse its client funds directly to construction contractors and subcontractors. The policy contained two exclusions barring coverage for claims based upon, arising from or in consequence of “unauthorized access to, or use or alteration of . . . computer systems” and “unauthorized or exceeded authorized access to, use of or alteration of, any . . . computer system.” The policy also provided that the insured would not “settle or offer to settle any Claim . . . or otherwise assume any contractual obligation or admit any liability” without the insurer’s prior written consent.

During the policy period, an executive at the insured was duped into wiring $1.3 million of a client’s funds to a fraudster who had gained access to a subcontractor’s email system. The executive did so without following the protocols relating to confirming the authenticity of the request as outlined in the insured’s contract with its client. After discovering the fraud loss, and before providing notice to its insurer, the insured reimbursed its client for the missing funds. It later sought coverage for the loss, but its insurer declined coverage, and coverage litigation ensued.

On cross-motions for summary judgment, the court granted summary judgment to the insurer, holding that claim was “arising from” or “in consequence of” the fraudster’s unauthorized access or use of the subcontractor’s computer systems. The court rejected the insured’s argument that the exclusions did not apply because the insured’s own negligence in failing to authenticate the payment request was the proximate cause of the loss, explaining that the exclusion applied “so long as the excluded conduct played a role in the claimed loss.” Here, as the unauthorized access to the subcontractor’s email account played such a role, the exclusion applied.

The court also held that coverage was unavailable because the insured breached the policy’s consent clause by replacing the missing funds in its client’s account before providing notice to the insurer. The court found that the insurer was prejudiced by the unilateral settlement because it was deprived of the ability to assert defenses under the contract between the insured and its client.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.