Insurers’ reluctance to provide coverage for the “Business E-mail Compromise” (BEC) scam is a topic we’ve frequently discussed. On Monday, the Ninth Circuit heard oral argument in a BEC coverage action, Taylor & Lieberman v. Federal Insurance Company, a California case we’ve previously described.
The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore. The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia. The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.
“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee, who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password provided by the security token, and her personal passphrase. The employee inappropriately verified the wire transfer using another employee’s security token, password, and passphrase. She then improperly left both security tokens in the computer and the computer running when she left the bank for the day.
Unbeknownst to anyone at the bank, a hacker had previously infected the computer with a Trojan horse virus. The next morning, the hacker accessed the bank computer through the malware delivered via the virus. The hacker used the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, to complete two fraudulent wire transfers to bank accounts in Poland totaling $940,000. The bank employee discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other wire transfer.
The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.
Your company’s controller receives an email instruction from your CEO to wire funds to complete a time-sensitive and confidential deal. It seems like a clear directive to execute, but it’s not. It’s an increasingly common scam known as the “Business E-mail Compromise” (BEC).
In a BEC scam, as we previously described, fraudsters send spoofed e-mail to trick employees into making unauthorized transfers of funds, generally through wire transfers. The employee, usually a controller or other individual responsible for wiring money, receives an e-mail which appears to be from a high-level company executive, company lawyer or advisor, or even a trusted long-standing supplier or vendor. The e-mail pressures the employee to transfer company funds to a bank account, often offshore, urgently and secretly. The scammers may attempt to add credibility by sending the targeted employee spoofed e-mails from multiple trusted accounts or by plying the employee with fraudulent telephone calls, websites, and documents on formal letterhead. As discussed by our White Collar defense colleagues, victims of the BEC scam have reported to the FBI and international law enforcement agencies over $1.2 billion in exposed losses, much of which occurred in 2015 alone. While being victimized by a BEC scam can be costly, some of these losses may be covered by insurance.
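The indicators described above (an executive’s name on a message that does not come from the executive’s real address, pressure to act urgently and secretly, and a request to move money) are exactly what a mail-filtering rule can score before a message reaches a controller’s inbox. The following is an added illustration, not code from the original post or from any firm or case it discusses; the trusted domain, the executive roster, and the two sample messages are constructed for the example, and the keyword lists are assumptions a real deployment would tune.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organization's own domain and the
# executives whose names a BEC lure typically borrows (hypothetical values).
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVE_ADDRESSES = {"jane doe": "jane.doe@example-corp.com"}

# Assumed keyword lists; a production filter would tune these to its own mail.
URGENCY_TERMS = ("today", "urgent", "asap", "immediately", "right away")
SECRECY_TERMS = ("confidential", "do not discuss", "keep this between us")
PAYMENT_TERMS = ("wire", "transfer funds", "send payment", "pay the invoice")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> dict:
    """Score one RFC 5322 message for the BEC traits described in the post.

    Returns the list of indicator names that fired and a coarse risk level:
    'high'   - an impersonation or reply-to sign plus a request to move money
    'medium' - either an impersonation/reply-to sign, or money plus urgency
    'low'    - nothing of note
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to_addr = parseaddr(msg.get("Reply-To", ""))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = []

    # 1. Display name belongs to an executive, but the address is not theirs
    #    (covers look-alike domains as well as free-mail accounts).
    expected = EXECUTIVE_ADDRESSES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("executive_name_from_unexpected_address")

    # 2. Replies are steered to a different domain than the visible sender.
    if reply_to_addr and _domain(reply_to_addr) != _domain(from_addr):
        flags.append("reply_to_domain_mismatch")

    # 3. Sender is outside the organization altogether.
    if _domain(from_addr) != TRUSTED_DOMAIN:
        flags.append("external_sender")

    # 4-6. Pressure language and a request to move money.
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency")
    if any(term in text for term in SECRECY_TERMS):
        flags.append("secrecy")
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("payment_request")

    impersonation = ("executive_name_from_unexpected_address" in flags
                     or "reply_to_domain_mismatch" in flags)
    money = "payment_request" in flags
    if impersonation and money:
        risk = "high"
    elif impersonation or (money and "urgency" in flags):
        risk = "medium"
    else:
        risk = "low"
    return {"flags": flags, "risk": risk}


# Constructed sample messages (not real mail): a lure of the kind the post
# describes, and an ordinary internal message for comparison.
SAMPLE_LURE = (
    "From: Jane Doe <jane.doe@example-corp-mail.com>\n"
    "Reply-To: Jane Doe <jdoe@freemail.example>\n"
    "To: controller@example-corp.com\n"
    "Subject: Wire today - confidential acquisition\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "I need you to wire funds today for a confidential acquisition.\n"
    "Keep this between us until it closes.\n"
)

SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: controller@example-corp.com\n"
    "Subject: Board meeting agenda\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please add the Q3 audit summary to next week's agenda.\n"
)

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

A 'high' result is a reason to hold the message for review and, as the cases above show, to require the controller to confirm any payment instruction over a channel the e-mail did not supply, such as a known telephone number for the executive rather than a number or contact the message itself provides.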
What’s a risk manager to do? The “cyber” insurance marketplace can seem like an impenetrable thicket filled with a baffling array of disparate, disconnected coverages, a lack of any uniformity in policy wording, vast disparities in cost, and little available guidance. Comparing the quality and cost-effectiveness of competing products is a daunting task. It’s enough to give a risk manager a headache: How do I choose among the products the broker has presented to me? Am I buying the right types of coverage, in the right amounts, and at the right price? How can I demonstrate to my management that I am making the right choice?
The challenge is often compounded because the company approaches the purchasing decision from the wrong direction. When a company decides it needs cyber coverage, it generally starts by asking its broker: What’s available in the marketplace? What’s the broadest coverage I can get at the best price? The broker then collects basic information about the company’s business and finds some insurers willing to quote. The broker comes back to the company with several proposals—each consisting of a policy form, a schedule of coverage limits the insurer is willing to offer, and the corresponding premiums at which the insurer is willing to sell. Although the policy forms are not standard vis-à-vis one another, each one is standard for that insurer. Consequently, each insurer’s receptiveness to changes to the form may range from minimal to non-existent. The package may include a few endorsements designed to address issues specific to the individual company, but the policy as a whole can hardly be said to be tailor-made.
All too frequently, the company doesn’t start by asking itself the most important questions: Why do we need cyber coverage? What is our risk in relation to cyber events? Without knowing the answers to these questions, selecting from among the often widely differing options becomes an even more bewildering process. The result can be a cyber package including a hodgepodge of coverages, many of which are not responsive to the company’s risk profile—providing unnecessary coverages for which the company nevertheless must pay premiums, and leaving important gaps in coverage.
By contrast, the more rigorous the company is in analyzing its own risk factors before approaching the marketplace, the better job the broker can do in identifying the right insurers with the right policy forms, the better job the insurers can do in assessing the risk and pricing the coverage, and the better job the risk manager can do in evaluating the products being offered.
Cyber criminals posing as company executives have successfully made off with millions from company coffers by tricking company employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.
As we recently discussed in a client alert, in a “Business E-mail Compromise” or “BEC” scam, criminals identify and target employees at a company who are responsible for transmitting the company’s money. An impostor then poses as a high-level executive and contacts a mid-level employee via e-mail, directing that employee to transfer company funds to an external bank account (that is usually overseas). By the time the employee—or the company—realizes that this “boss” is not his or her actual boss, the funds are long gone. According to the FBI, BEC scams have claimed nearly 2,000 victims and almost $215 million since 2013. While it would seem that the losses stemming from such a scam should fall squarely within a company’s cybercrime policy, insurance companies may disagree.