Does Your Cybersecurity Insurance Policy Cover Spoofing Losses? It Depends
June 12, 2019 | Robert Tugander
Cybercrime is a growing concern. In April, the FBI released its annual IC3 (Internet Crime Complaint Center) Report, which showed that the FBI received over 350,000 cybercrime complaints in 2018, with total losses of over $2.7 billion.
One common type of cybercrime is spoofing, the cyber version of false impersonation: someone pretends to be someone else for financial gain. For example, a company's CFO receives an email purporting to be from the company's CEO, instructing the CFO to transfer money to an account. But the email is really from a fraudster, who has forged the sender so the message appears to come from the CEO (this pattern is commonly called business email compromise). When the CFO transfers the money, the fraudster, as the expression goes, "makes out like a bandit."
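As an added illustration that is not part of the original post or of any of the cases it discusses, the block below shows the kind of header check a mail gateway or analyst would run against the CEO-to-CFO message described above. The company domain example.com, the executive directory, the payment keywords and both sample messages are constructed for the example; none of them come from the article or the court records.

```python
"""Flag likely sender-spoofed payment emails from their raw RFC 5322 text.

Added example (not from the original article or the cases it discusses): the
kind of header check a mail gateway or SOC analyst applies to a message like
the one in the CEO-to-CFO scenario. The domain, names, addresses and both
sample messages below are constructed for illustration.
"""
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the victim company's own domain
# assumption: directory of people whose name might be borrowed to approve payments
EXECUTIVES = {"jane doe": "ceo@example.com"}
PAYMENT_WORDS = ("wire", "transfer", "bank account", "payment details", "routing")

# Constructed sample: the fraudster's message from the scenario in the text.
SPOOFED_EMAIL = """\
From: "Jane Doe" <ceo@examp1e.com>
Reply-To: jane.doe.office@freemail.example
To: cfo@example.com
Subject: Urgent vendor payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset="utf-8"

I'm in meetings all day. Please wire $48,000 to the new bank account below
and confirm by email only. Details attached.
"""

# Constructed sample: a genuine message from the same executive.
LEGIT_EMAIL = """\
From: "Jane Doe" <ceo@example.com>
To: cfo@example.com
Subject: Board prep
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Can we move the board prep to 3pm?
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofing_indicators(raw: str) -> list[str]:
    """Return independent signals that a message impersonates an insider.

    Any payment instruction that trips one of these should be confirmed out of
    band (call the requester on a number you already have) before money moves.
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)

    # 1. Display name is an executive's, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but address {from_addr}")

    # 2. Sending domain is a near-miss of our own (typosquat).
    if from_domain != TRUSTED_DOMAIN and 0 < edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        findings.append(f"look-alike domain {from_domain}")

    # 3. Replies are silently redirected to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")

    # 4. A claim to be our own domain must be backed by a passing DMARC result,
    #    and any explicit SPF/DKIM/DMARC failure is reported as-is.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == TRUSTED_DOMAIN and "dmarc=pass" not in auth:
        findings.append("From claims our domain but DMARC did not pass")
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("sender authentication failed: " + auth.strip())

    # 5. Not spoofing by itself, but it is the payload of the scheme.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("message requests a payment or account change")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, spoofing_indicators(sample))
```

Each indicator is deliberately independent: a message that trips only the payment-keyword check is ordinary business, while the combination of a borrowed display name, a look-alike domain and a redirected Reply-To is the signature of the scheme in the scenario. Note that nothing here requires the attacker to have "hacked" anything; the checks work purely on what the message claims about itself, which is exactly the factual pattern the cases below turn on.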
Sometimes, the victims of spoofing attacks look to their insurers to repay their losses. But not all cyber policies are the same. Because different insurers use different policy language to cover cyber liabilities, similar fraud schemes can result in very different outcomes in terms of coverage. Three cases — all of which dealt with practically identical spoofing schemes — illustrate this.
One federal court in Washington recently rejected a policyholder’s attempt to obtain computer fraud coverage instead of supplemental funds transfer coverage for a spoofing attack. (See Tidewater Holdings, Inc. v. Westchester Fire Insurance Co., 2019 U.S. Dist. LEXIS 91584 (W.D. Wash. 2019)). Tidewater received an email instructing it to alter the payment details for one of its contractors. Tidewater changed the payment information. But the email was from a fraudster. Tidewater lost over $280,000 as a result of the spoofing scheme. When Tidewater tendered the claim to its insurer, the insurer offered to cover the claim under the supplemental funds transfer coverage, which had a $150,000 policy limit and a $25,000 deductible. Tidewater sued, seeking the higher policy limit of the computer fraud coverage.
The computer fraud coverage covered “loss . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property” to another person. The supplemental funds coverage covered “loss resulting directly from the [policyholder] having transferred, paid or delivered any Money or Securities as the direct result of a Fraudulent Transfer Request . . .” A Fraudulent Transfer Request, in turn, was defined as “the intentional misleading of an Employee, through a misrepresentation of material fact which is relied upon by the Employee . . .”
The court held that there was no coverage under Tidewater’s computer fraud coverage because a policy exclusion stated that “the Insurer shall not be liable for any loss resulting from any Fraudulent Transfer Request,” except under the supplemental funds transfer coverage. As this spoofing scheme involved a Fraudulent Transfer Request as defined by the policy, coverage was only available under the supplemental funds transfer coverage, not computer fraud coverage.
But where no similar exclusion existed, policyholders were able to persuade two circuits of the United States Court of Appeals, in separate cases, that spoofing losses were recoverable under computer fraud coverage. In both cases, the issue was whether the loss was caused directly by the use of a computer. In American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, 895 F.3d 455 (6th Cir. 2018), the policyholder received emails, purportedly from one of its manufacturers in China, changing the manufacturer's bank account information. The emails were actually from a fraudster. The policyholder remitted payment to the new bank account and only realized that it was the victim of fraud when the manufacturer inquired as to when it would receive payment. American Tooling sought coverage under the computer fraud provision of the policy, but the insurer disclaimed coverage.
The policy covered “the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” Computer Fraud, in turn, was “[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property . . .”
Unlike in Tidewater Holdings, the court held that the policy in American Tooling provided coverage under its computer fraud provisions. The court held that the fraudsters used a computer (specifically, they sent emails to the policyholder) to induce the policyholder to send funds to a fraudulent bank account. The insurer argued that its policy required a computer to fraudulently cause the payment; "[i]t [was] not sufficient to simply use a computer and have a transfer that is fraudulent." Id. The court rejected the insurer's "attempt to limit the definition of 'Computer Fraud' to hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured's computer . . . . If [the insurer] had wished to limit the definition of computer fraud to such behavior[,] it could have done so." Id. at 462.
Similarly, in Medidata Solutions, Inc. v. Federal Insurance Co., 729 F. App'x 117 (2d Cir. 2018), the insured was the victim of a spoofing scheme and sought coverage under the computer fraud provision of its insurance policy. That "provision covered losses stemming from any 'entry of Data into' or 'change to Data elements or program logic of' a computer system." 729 F. App'x at 118. Although there was no hacking,
the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system, which the parties do not dispute constitutes a ‘computer system’ within the meaning of the policy. The spoofing code enabled the fraudsters to send messages that inaccurately appeared, in all respects, to come from a high-ranking member of Medidata’s organization. Thus[,] the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system. The attack also made a change to a data element, as the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.
Id. The spoofing attack was covered.
So what's the lesson here? Different insurers are insuring cyber liabilities with very different language. The policies in American Tooling and Medidata, for example, did not contain the Fraudulent Transfer Request exclusion found in Tidewater, and that single exclusion determined which coverage, and therefore which policy limit, applied to an otherwise identical scheme. It is important for both insurers and policyholders to closely examine the specific policy language when disputes over coverage for cyber losses arise.
- Robert Tugander