“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
Principle Solutions notified its commercial crime policy insurer of the fraud and sought reimbursement for its loss under the policy’s funds transfer fraud coverage, which covered:
Loss resulting directly from a “fraudulent instruction” directing a “financial institution” to debit your “transfer account” and transfer, pay or deliver “money or “securities” from that account.
The insurer denied coverage, arguing that the loss did not result “directly” from a fraudulent instruction because there were intervening events between the spoofed email and the unauthorized transfer of funds. First, the “attorney” provided additional information to the controller. Second, Principle Solutions’ employees took the necessary steps to execute the wire transfer.
The court determined that the policy language was ambiguous about whether intervening events affected coverage, and thus resolved the ambiguity in favor of the policyholder. The court noted that it was reasonable for the policyholder to interpret the policy to provide coverage even if intervening events existed between the fraud and the wire transfer. The insurer’s interpretation, the court held, would render the funds transfer fraud coverage “almost pointless” and result in “illusory coverage” because Principle Solutions could only act through its officers and employees.
The court’s ruling affirms the reasonable expectations of Principle Solutions and other policyholders, as we have explained, that the funds transfer fraud coverage encompasses BEC scams that ensnare their employees. Insurers, on the other hand, have been marketing other products that ostensibly cover such fraud, as we previously discussed. In this case, the insurer attempted to introduce into evidence a “cyber deception coverage” endorsement to illustrate the type of product Principle Solutions should have purchased if it had desired coverage for BEC scams. The court excluded the endorsement, explaining that it was not relevant to the policy Principle Solutions actually had purchased.