Dickinson, Mackaman, Tyler & Hagen, P.C.

Organizations need to be careful when purchasing “cyber-insurance,” because the coverage may not be as broad as they assume. Many “cyber-insurance” policies only cover costs related to sending notices to customers whose data may have been compromised during a cybersecurity incident. If an organization loses its own money or data, however, it may need to look to forgery, computer fraud, social engineering, ransom, or funds-transfer fraud coverage.

This blog has covered numerous cases of insurance companies denying claims resulting from cybersecurity incidents. The insureds in every one of these cases was surprised to learn that their insurance coverage was more limited than they thought.

Sanderina, LLC v. GreatAmerican Insurance Company is yet another case where the insured found out they did not have the right kind of coverage. Sanderina’s controller received an email that purportedly came from Sanderina’s majority owner. The email asked the controller to initiate several wire transfers. Sanderina’s email domain was “usfantasy.com,” but the email came from the domain “usfontasy.com.” In reality, the fraudsters impersonated the majority owner and requested the controller initiate six transfers for a total of approximately $260,000. The controller authorized the transfers and the money went out. Once Sanderina identified the fraud, it was too late to recover the funds from the bank.

Sanderina had insurance through GreatAmerican Insurance Company with the following coverage provisions:

[F]orgery-or-alteration provision covers losses “resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money....”

[C]omputer-fraud provision extends to losses “resulting directly from the use of any computer to impersonate you, or your authorized officer or employee, to gain direct access to your computer system, or to the computer system of your financial institution, and thereby fraudulently cause the transfer of money....”

[F]unds-transfer fraud provision covers losses “resulting directly from a fraudulent instruction directing a financial institution to transfer, pay or deliver funds from your transfer account.” . . . “[F]raudulent instruction” is defined as a “written instruction ... which purports to have been issued by you and which was sent or transmitted to a financial institution to establish the conditions under which transfers are to be initiated by such financial institution through an electronic funds transfer system and which was issued, forged or altered without your knowledge or consent.”

The court reviewed each of these coverage provisions and concluded that none of them applied to Sanderina’s loss. The forgery provision did not apply, because emails requesting the funds transfer are not similar to “checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money.”

The computer-fraud provision did not apply, because Sanderina’s forensic investigators and employees could not find any evidence that fraudsters had unauthorized access to Sanderina’s systems. The nature of the fraud suggests fraudsters did not have access, because it is easy to register an email domain that appears similar to another email domain.

Finally, the funds-transfer provision did not apply because the instruction that Sanderina issued to its bank to pay the wires was not fraudulent. While it is true that Sanderina’s employees only issued that instruction based on a fraudulent communication, the instruction from Sanderina to its bank was valid and authorized.

Sanderina, like many victims, was caught without the right insurance coverage. There are insurance products that likely would have covered Sanderina’s loss. Organizations should make insurance assessments a part of their cybersecurity preparedness. This requires working with a knowledgeable insurance broker. Organizations may also want to engage an attorney to review the scope of coverage. In Sanderina’s case, a policy review may have alerted Sanderina to a potential coverage gap for this kind of social engineering fraud. If it had identified the coverage gap, Sanderina could have obtained a social engineering policy for much less than the $260,000 it lost.

Sanderina also might not have needed to learn about its coverage gap if it had a better process in place for authorizing wire transfers. Organizations should keep in mind that cybersecurity does not just mean having the most current hardware or software defenses. It also means identifying critical points in crucial processes like transferring money. Sanderina might have avoided this if more than one person had to be involved in the process of authorizing a transaction this large.