The number of decisions considering claims for insurance coverage resulting from Business Email Compromise (“BEC”) scams has been increasing, providing policyholders with some hope, and some clarity, in this muddy area. (Here and here).
Policyholders got a recent win when a federal court in New York found in Medidata Solutions, Inc. that a data-services provider’s commercial crime policy covered an almost $5 million loss suffered as a result of a BEC scam. The Court in Medidata found coverage under the insured’s computer fraud and funds transfer rider, reasoning that “fraudulent access to a computer system” extends to email spoofing. Parting company with the Fifth Circuit in Apache, the Court in Medidata recognized that such spoofing can be a legal cause of the insured’s loss. And even though an authorized employee willingly initiated the transfer, the funds were not transferred with Medidata’s “knowledge or consent.”
Despite recent wins, there remains enough uncertainty in the coverage landscape (here and here) that we suspect insurers will continue their full-on fight against coverage for these losses. To help policyholders prepare for battle, here are five things you can do NOW to maximize insurance coverage for losses from a BEC scam.
1. Review proposed policy language carefully.
The placement of coverage terms and modifiers matters. Review policy language carefully, as terms such as Computer Violation, modifiers such as fraudulent, and qualifiers such as entry of Data or change to Data can make all the difference. For example, the court in Medidata Solutions, Inc. emphasized that the policy’s placement of the word “fraudulent” before the word “entry” contemplated the “deceitful and dishonest access” to a computer system entailed by a spoofing attack.
2. Narrow (or eliminate) any “direct loss” or “directly caused by” qualifiers.
Depending on a policy’s precise language, so-called “intervening events”—that is, actions that take place between the first step in a fraudster’s scam and the actual loss suffered by an insured—could seriously impact a right to recovery. For example, a federal court in Michigan recently denied coverage for loss resulting from a BEC scam in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. because it found that acts taking place between the receipt of a fraudulent email and the policyholder’s loss—including the insured’s failure to verify the purported vendor’s notification of change of bank account and its subsequent authorization of the fraudulent transfer—broke the “direct loss” chain.
While some formulation of “direct loss” is a typical requirement for crime policy coverage, not all policy language is created equal. Policyholders should review the various expressions of “direct loss” to find language that diminishes the importance of “direct” and therefore increases the likelihood that a chain of events going back to the “computer fraud” will be covered.
3. Consider negotiating for a choice-of-law provision favoring broad causation principles.
Insurance coverage for a BEC scam may turn on which state-law doctrine of causation applies. A pivotal question is often whether an employee’s unknowing participation in a fraud—as opposed to a schemer’s fraudulent instructions—was the legal cause of an insured’s loss. Some states, such as Minnesota, take an insured-friendly approach to make that determination, relying on the so-called “concurrent causation” doctrine: when multiple legal causes exist, the court will look to the “overriding cause” of loss to determine coverage. That analysis played out favorably for the insured in State Bank of Bellingham v. BancInsure, Inc. Other states, such as Texas, take a narrower approach to the causation question. Choice of law matters. When you have a choice, choose favorable state law.
4. Consider purchasing a broader BEC and computer fraud endorsement.
Insurers offer special endorsements that provide broader and express coverage for a wider variety of computer fraud. While we continue to believe that insureds expect and should be covered for BEC scams under the computer fraud and funds transfer coverages of existing crime policies, the availability of more specific insuring agreements may avoid a coverage dispute. Policyholders may wish to consider these specialized coverage endorsements.
5. Adopt internal procedures that help ensure early detection and reporting of computer fraud.
While early detection and reporting is not a sure path to coverage, companies that have strong fraud-detection practices and effective, timely reporting may be better positioned in a court’s eyes. Of course, good practices and procedures will help avoid losses in the first place, but if they happen to you (and BEC scammers are increasingly finding victims), it may help to show you were diligent and responsible.