Cyberinsurance: Federal Court Interprets Banking Fraud Policy

It’s like déjà vu all over again. A company purchased cyberinsurance and paid premiums for years. They had a cybersecurity incident, filed a claim and—guess what? The insurance company refused to pay. On January 26, 2022, the federal circuit court in California considered the case of Los Angeles-based property management company Ernst and Haas, which purchased an insurance policy that covered certain internet-based crimes and fraudulent activity.

The insurance policy provided coverage for computer funds transfer fraud, which included the loss of funds resulting from the use of any computer to fraudulently cause a transfer of funds from the insured to any outside third party. The policy also covered loss of funds resulting directly from fraudulent instruction; in other words, directing a financial institution to transfer or pay money from the insured’s account to initiate a transfer or payment.

In March of 2019, an Ernst employee received an email that purported to be from her superior. An attached invoice directed her to make a wire transfer of $50,000 to a particular vendor or supplier, Zang Enterprises. Of course, the email was fake, but the employee followed the instructions in the fake email and initiated the wire transfer as directed. This was followed by two additional fake emails and invoices directing additional payments of $150,000 and $470,000. The last invoice finally raised the employee’s suspicions, and a real employee confirmed that the $50,000 and $150,000 invoices were fake. The property management company could not recover the fraudulently induced transfers and filed an insurance claim.

Cyberinsurance Déjà Vu

Regular readers know what happened next. The insurance company refused to pay the claim because there was no fraudulent instruction to the financial institution directing the institution to pay funds. Instead, it was a fraudulent internal communication from the fake employee directing the real employee to contact the bank with a real communication to direct a fraudulently induced transfer. If the distinction between hacking an email from the company to the bank to direct a fraudulent wire transfer and an email from the company to another company employee to direct a fraudulent wire transfer is lost on you, well, it’s clear you haven’t written an insurance policy.

At trial, the district court found that the insurance policy did not cover the loss of the $200,000, noting that the loss did not result directly from fraudulent emails instructing an Ernst employee to transfer funds to a deceptive third party. Because the court reasoned that both the computer fraud and funds transfer fraud provisions required the loss to result directly from the fraudulent emails, it found neither provision applied to Ernst. The lower court noted that the computer fraud provision in the insurance contract stated that the insurance company would cover loss “resulting directly from the use of any computer to fraudulently cause a transfer of that property from” the insured to a person or location outside of the insured. The district court limited its interpretation of a loss “result[ing] directly from use of a computer to fraudulently cause transfer” to only a loss resulting directly from unauthorized use of the insured’s computers or hacking.

Put simply, because the employee read the fraudulent email and then had to do something (the wire transfer), the “loss” resulted not from the fraudulent email, but from the employee’s action (doing what the fraudulent email asked). Thus, the loss did not result “directly” from the fraudulent activity. This kind of indirect fraud (if it really is “indirect”) is nothing new—and neither is an insurance company’s initial refusal to pay claims that result from it.

Linguistic Differences

The federal court of appeals reversed. Relying on a federal circuit court opinion out of Florida, the court in California found that the fraudulent wire transfer did result directly from the fraudulent email that induced the transfer. It was not required that the insured show that its computers were hacked and that the hacker then accessed the bank account or directed the funds transfer. It was sufficient that the insured suffered a “loss” as a result of the fraudulent use of computers to facilitate a fraudulent transfer of funds. In addition, the transfer of funds was facilitated by the fraudulent email, which constituted a covered “fraudulent instruction” that “directed a financial institution” to transfer funds. It was not necessary that the “fraudulent instruction” be directed to the financial institution. It was sufficient that the fraudulent instruction caused the financial institution to make the transfer. It’s the linguistic difference between the policy saying “a fraudulent direction to a financial institution” and a fraudulent direction that directed a financial institution to make the transfer.

At the end of the day, insurance policies are not designed to be read in a hypertechnical manner, and coverage should be implied if the common meaning of the words would indicate to a reasonable person that the risk or loss was covered. In the area of cyberinsurance coverage, there are always going to be areas of ambiguity—what is damage? Who ‘owns’ data in the cloud? What is ‘reasonable’ or ‘adequate’ security? Does a duped employee ‘participate’ in a fraud scheme sufficient to eliminate coverage that excludes crimes ‘committed’ by employees? As a result of these ambiguities, insureds who think they have coverage for cyber-related losses find that their insurance providers balk at paying claims—which is kinda the point of having insurance. Companies need to examine the scope and extent of their insurance policies, including cyberinsurance and non-cyberinsurance policies, as well as the nature of the risks they think they are insuring against. There are a host of traps for the unwary and the insurance discussion should include inside and outside counsel, risk management, HR and the cybersecurity team. The worst thing you can do is think you have coverage, pay for what you think is covered and find out that it’s not covered. The second worst is to only find out that it is covered after spending hundreds of thousands of dollars in legal fees.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.