Does Your Insurance Cover Phishing Attacks and Business Email Compromise? The Uncertainty Continues…


The coverage landscape for “Business E-mail Compromise” (BEC) scams remains somewhat tenuous, as organizations and carriers continue to battle in court over the extent of coverage. Although recent policyholder-friendly decisions in the Eighth Circuit (hacker who took over a bank’s computer system) and a federal district court in Georgia (scheme based on spoofing a CEO’s e-mail) found insurance coverage for fraudulently transferred funds, a recent unpublished Fifth Circuit opinion moves in the other direction. Unfortunately, this new ruling—and the uncertainty it creates—may embolden insurers in fighting coverage for these scams under crime insurance policies.

Background

In Apache Corp. v. GAIC, the Fifth Circuit Court of Appeals held that the diversion of $7 million to the bank account of scammers using spoofed e-mail to pose as a trusted vendor (another common type of BEC scam) was not covered under the policy as computer fraud. These scammers tricked Apache employees into believing that one of Apache’s vendors wanted to update its bank account information in Apache’s records. The scammers used fraudulent phone calls and a bogus e-mail that attached a fraudulent change request letter on faked vendor letterhead. In response, Apache employees replaced the vendor’s actual bank account information in Apache company records with the scammers’ bank account information. For the next month, until the scam was detected, Apache directed approximately $7 million in vendor payments to the fraudsters’ bank account.

On appeal from the district court’s grant of summary judgment to Apache, Apache argued that its loss was covered under the plain meaning of the insurance policy’s computer fraud provision (“We will pay the loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer”) and that any ambiguity in the provision should be resolved in favor of Apache’s expectation of coverage. However, the court declined to find ambiguity in the provision.  Instead, it found that fraudulent e-mail correspondence was not sufficient “computer use” to trigger the coverage provision.  The court explained that it was not the scammers’ fraudulent e-mail that caused the funds transfer but rather the vendor’s legitimate invoices.  Vacating the lower decision, the court held that although Apache suffered a loss due to fraud, its loss was not caused by use of a computer and thus was not covered under the policy’s computer fraud provision.

Takeaway

Contrary to the Court’s ruling, most policyholders expect that computer fraud coverage will cover loss from crimes, such as fraud, perpetrated using computerized means, such as spoofed e-mail. However, these types of disagreements in the case law will make it even more difficult for policyholders to obtain that coverage without a lengthy fight. In light of that, policyholders may wish to evaluate whether alternatives, such as specialized endorsements, are a worthwhile complement to their existing insurance portfolios. Organizations should also consider additional controls to reduce their exposure to these scams.