Vendor impersonation is one of the typical varieties of “Business E-mail Compromise” (BEC) scams. In spoofing the e-mail of a trusted vendor, the fraudster persuades a company to redirect its vendor payments to a fraudulent bank account. While courts have found that commercial crime policies cover loss from BEC scams, a recent Fifth Circuit decision found no coverage for the victim of a vendor-impersonation BEC scam under the computer fraud provision of the company’s crime protection policy. Rejecting the company’s arguments that the coverage provision was ambiguous, the court held that the fraudulent e-mail was not the cause of the fraudulent transfer. Orrick attorneys Russell Cohen, Aravind Swaminathan, and Harry Moren comment on this troubling decision at our sister blog, Trust Anchor.
In one of the first court decisions to consider the scope of cyber insurance and whether it covers credit card brand fraud recovery assessments, the policyholder, PF Chang’s, came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, MasterCard levied a $1.9 million fraud recovery charge against the restaurant chain. PF Chang’s tendered those charges to its cyber insurer but Federal refused to provide coverage. Coverage litigation followed and last week a federal judge in Arizona handed down a decision in favor of Federal. For a discussion of the case and its implication for cyber insurance policyholders—or those considering it—you can read the full article by Russell Cohen and Darren Teshima at Orrick’s Trust Anchor blog.
The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
The case involved a small Minnesota bank that was the victim of a computer fraud attack. It began with a bank employee, who initiated a legitimate wire transfer through a bank computer using a security USB token issued to her by the Federal Reserve, the password provided by the security token, and her personal passphrase. The employee inappropriately verified the wire transfer using another employee’s security token, password, and passphrase. She then improperly left both security tokens in the computer and the computer running when she left the bank for the day.
Unbeknownst to anyone at the bank, a hacker had previously infected the computer with a Trojan horse virus. The next morning, the hacker accessed the bank computer through the malware delivered via the virus. The hacker used the security tokens that had been left in the computer, along with the passwords and passphrases of the two bank employees, to complete two fraudulent wire transfers to bank accounts in Poland totaling $940,000. The bank employee discovered the fraudulent transfers within an hour. The bank was able to recover the funds from one of the wire transfers, but could not recover the funds from the other wire transfer.
The bank sought coverage for the loss of these bank funds under its financial institution bond, which provides coverage similar to a crime insurance policy. The policy had a Computer Systems Fraud insuring agreement, which covered loss resulting directly from a fraudulent entry or change of electronic data or computer program on the bank’s computer systems. The issuer of the policy apparently conceded that the Computer Systems Fraud insuring agreement would cover the loss but argued that several exclusions operated to preclude coverage: exclusions for loss caused by an employee, for loss resulting from theft of confidential information, and for loss resulting from mechanical failure or gradual deterioration of a computer system.
Your company’s controller receives an email instruction from your CEO to wire funds to complete a time-sensitive and confidential deal. It seems like a clear directive to execute, but it’s not. It’s an increasingly common scam known as the “Business E-mail Compromise” (BEC).
In a BEC scam, as we previously described, fraudsters send spoofed e-mail to trick employees into making unauthorized transfers of funds, generally through wire transfers. The employee, usually a controller or other individual responsible for wiring money, receives an e-mail which appears to be from a high-level company executive, company lawyer or advisor, or even a trusted long-standing supplier or vendor. The e-mail pressures the employee to transfer company funds to a bank account, often offshore, urgently and secretly. The scammers may attempt to add credibility by sending the targeted employee spoofed e-mails from multiple trusted accounts or by plying the employee with fraudulent telephone calls, websites, and documents on formal letterhead. As discussed by our White Collar defense colleagues, victims of the BEC scam have reported to the FBI and international law enforcement agencies over $1.2 billion in exposed losses, much of which occurred in 2015 alone. While being victimized by a BEC scam can be costly, some of these losses may be covered by insurance.
Led primarily by the U.S. DOJ and SEC, global anti-corruption efforts have escalated markedly over the past decade. The increased number of investigations and high-dollar penalties associated with the FCPA have caught the attention of both insurers and insureds, even leading some companies to purchase standalone liability policies that cover FCPA-like violations. But while a number of significant international treaties promoting the fight against corruption were enacted beginning in the mid-1990s, member states beyond the U.S. have been somewhat slow to join the enforcement brigade. UK prosecutors have shown some desire to bring cases under the UK Bribery Act, but thus far their efforts have not nearly approached those of prosecutors in the U.S. But in the past few years, a completely new player has emerged: the World Bank.
The World Bank (and other multi-lateral development banks) has its own anti-corruption enforcement authority and framework through which it investigates, prosecutes, tries, and sanctions private-sector companies for misconduct (i.e., fraud, corruption, collusion, coercion, and/or obstruction) in relation to Bank-financed projects. Whenever a company signs a Bank-financed contract, such as a government contract to perform work on a development project financed by World Bank funds, it submits to this jurisdiction.
The World Bank is now showing that it’s not shy about exercising this authority. In fiscal year 2015 alone, the Integrity Vice Presidency (“INT”), the World Bank’s investigatory arm, opened 323 preliminary inquiries pertaining to 86 countries; selected 99 of those inquiries for full investigation; and found sufficient evidence to conclude in 60 of those investigations that it was more likely than not that sanctionable misconduct had occurred. (Unlike in criminal proceedings in U.S. courts, the World Bank can impose sanctions merely upon a finding that it is “more likely than not” that sanctionable misconduct occurred.)
The World Bank’s aggressive enforcement efforts will have serious implications for many companies engaged in development work and other work in the developing world. First, sanctions can include restitution and, more critically, temporary or permanent “debarment”. Debarment not only makes a company ineligible to participate in future Bank-funded projects, it can extend to affiliates, successors and assigns, can result in either formal or informal “cross-debarment” by other development banks, and results in publication of the company’s name on a list of debarred entities. Moreover, as when facing a DOJ investigation into possible FCPA infractions, the cost of investigation and response to a World Bank inquiry itself can be very expensive. Given the relative novelty of World Bank anti-corruption enforcement, targets of investigation may not always consider whether their insurance covers these large expenses. But they should.
Cyber criminals posing as company executives have successfully made off with millions from company coffers by tricking company employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.
As we recently discussed in a client alert, in a “Business E-mail Compromise” or “BEC” scam, criminals identify and target employees at a company who are responsible for transmitting the company’s money. An impostor then poses as a high-level executive and contacts a mid-level employee via e-mail, directing that employee to transfer company funds to an external bank account (that is usually overseas). By the time the employee—or the company—realizes that this “boss” is not his or her actual boss, the funds are long gone. According to the FBI, BEC scams have claimed nearly 2,000 victims and almost $215 million since 2013. While it would seem that the losses stemming from such a scam should fall squarely within a company’s cybercrime policy, insurance companies may disagree.