Cyber criminals posing as company executives have made off with millions from company coffers by tricking employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.
As we recently discussed in a client alert, in a “Business E-mail Compromise” or “BEC” scam, criminals identify and target employees at a company who are responsible for transmitting the company’s money. An impostor then poses as a high-level executive and contacts a mid-level employee via e-mail, directing that employee to transfer company funds to an external bank account, usually overseas. By the time the employee—or the company—realizes that this “boss” is not his or her actual boss, the funds are long gone. According to the FBI, BEC scams have claimed nearly 2,000 victims and almost $215 million since 2013. While it would seem that the losses stemming from such a scam should fall squarely within a company’s cybercrime policy, insurance companies may disagree.
A policyholder and its insurer are currently wrestling over this issue in Medidata Solutions, Inc. v. Federal Insurance Co. In 2014, an impostor posed as a Medidata executive and e-mailed three employees who oversaw wire transfers. The impostor’s e-mail included the actual executive’s picture and signature, and the “From” line was altered to appear as if it had been sent from the executive’s company e-mail address. The employees were instructed to contact another individual, who posed as an attorney. Through a series of e-mails and phone calls, the impostor and fake attorney convinced the employees to transfer nearly $4.8 million to a bank account in China. The company caught on—and the impostor disappeared—when the impostor requested an additional $4.8 million. The money that had already been transferred, though, was never recovered.
Medidata sought coverage under its crime policy (which has a “Computer Fraud Coverage” clause) for its losses, its insurer declined, and Medidata brought suit. The insurer argues that the policy “differentiates between voluntary transfers effected by the insured and involuntary transfers effected by a hacker.” It points to a recent New York Court of Appeals decision in which the Court found that insurance that covered “fraudulent entry” into a computer system did not cover losses from the entry of fraudulent information into a computer system by an authorized user (there, health care providers authorized to enter claims into a health insurer’s system entered millions of dollars in fraudulent claims for services they had not provided). Medidata argues, in response, that the impostor’s e-mail, which contained forged or fraudulent information (the altered “From” line, the executive’s likeness, the request for payment, etc.) and was transmitted into the company’s system, constitutes a fraudulent entry of data directed against the company, within the scope of the policy.
Both sides have moved for summary judgment, so policyholders and insurers may have some guidance as to the extent of coverage available for BEC-related losses in the near future.
At their base, these BEC scams involve (i) fraud; (ii) committed via a company’s computer system; (iii) resulting in a direct loss of money. It is therefore surprising that insurers are seeking to evade coverage. It should not matter that the system vulnerability the criminal utilized was, at least in part, human. And it does not seem reasonable to contend, as some insurers have, that the duped employee—believing he or she was acting at the direct orders of a superior—made a “voluntary” payment that caused the loss. Trying to read such distinctions into policy language could defeat the reasonable expectations of companies that thought they bought cybercrime coverage.
Of course, coverage language in cybercrime policies varies, so it would be prudent to review your specific policies to identify any potential issues that may arise—and, of course, to ensure that your company’s personnel are aware of this type of scam so they can avoid it in the first place!