PropertyCasualtyFocus

  • All Topics
  • Contributors
  • About
  • Contact
  • Subscribe
You are here: Home / Notice/Prejudice / Federal Court Rules “Unauthorized Network Access Exclusion” Precludes Coverage for $1.3M Payment From Hacker’s Fraudulent Email

Federal Court Rules “Unauthorized Network Access Exclusion” Precludes Coverage for $1.3M Payment From Hacker’s Fraudulent Email

July 15, 2022 by Benjamin Stearns

image of hacker on computerThe U.S. District Court for the Eastern District of Pennsylvania ruled that an insurance policy issued by Federal Insurance Co. excluded coverage for the transmission of $1.3 million by the insured in response to an email request from a hacker purporting to be one of the insured’s business partners.

The insured, Construction Financial Administration Services (CFAS), was a third-party construction funds administration company that disbursed funds for contractors whose clients required performance and payment bonds from sureties. CFAS contracted to administer project payments for another company, SWF Constructors. Their contract provided for CFAS to receive an itemized budget of project costs, including the name, subcontract price, and contact information for each subcontractor or supplier on the project. CFAS was also to be provided copies of payment applications, a disbursement voucher summary for each payment, an identification of what line item funded the payment, and a waiver and release form signed and notarized for each subcontractor to be paid from the disbursement account. The contract also contained two “indemnification” clauses: one indemnifying CFAS against any and all liabilities or losses “arising out of or relating to CFAS’s activities pursuant to this agreement” and a second providing that “CFAS shall not be liable for … any claims or remedies … arising out of any breach of this Agreement by CFAS, CFAS’s disbursement or handling of the Disbursement Account.”

CFAS received an email request from a hacker purporting to be an employee of SWF. The email requested that CFAS make a payment of $600,000 from SWF’s disbursement account to a company in Hong Kong named HK Canopy Technology Ltd. HK was not listed in the budget, nor had CFAS received a copy of an agreement between HK and SWF, a disbursement voucher for the payment, any identification of the line item associated with the payment, or a waiver or release signed by HK. Nevertheless, CFAS authorized the $600,000 payment on the same day the request was received. The next day, CFAS received another request for payment to HK, this time for $700,000. Again, the request did not include any of the documentation required by CFAS’ agreement with SWF and, again, CFAS processed the payment on the same day it received the request.

After authorizing the second payment, CFAS sent an email to SWF requesting additional documentation. SWF denied requesting or approving the transfers. Thereafter, CFAS contacted the bank and law enforcement, eventually recovering approximately $127,000. Before contacting Federal, CFAS borrowed $1 million and placed it into the disbursement account to avoid SWF’s default on payments owed to actual subcontractors.

CFAS then made a claim under the policy issued by Federal for the $1.3 million. Federal denied the claim, reasoning that because SWF alleged CFAS “improperly transferred funds … based on a fraudulent email stream,” the matter was therefore based upon, arose from, or was in consequence of “the unauthorized access to or use of a computer program, software, computer, and/or computer system.” As such, Federal advised that coverage was excluded by the policy’s unauthorized network access exclusion endorsement. CFAS filed suit asserting that Federal had breached its contract by wrongfully denying coverage.

CFAS claimed Federal’s denial was improper because the claim against it was not “based upon, arising from or in consequence of” any unauthorized access or use of a computer system, as necessary to implicate the policy exclusions. CFAS argued that its failure to obtain the proper paperwork was a proximate cause of the fraudulent transfer, in addition to the hacker’s unauthorized access to the computer system and emails to CFAS. CFAS argued that coverage is not excluded where “there is more than one cause of an injury and only one of the causes is excluded.” The court disagreed that the failure to obtain the proper paperwork was sufficient to bring the claim within the policy’s coverage, holding that it was not an independently occurring cause of the injury. “The existence of the loss did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails.”

In addition, the court noted the broad language of the exclusion, which applied to injuries “based upon, arising from or in consequence of any unauthorized” access to any computer program or network. The court held that the plain and ordinary meaning of the phrase “in consequence of” expanded the excluded perils to include “a result that follows as an effect of something that came before.” The court had “no doubt” that the transfers were completed as a result of the fraudulent emails. Thus, “even under the narrowest construction,” the court found the exclusion still applied to the insured’s claim.

Separate from the unauthorized access exclusion, the court also found no coverage for CFAS’ claim due to its failure to comply with its obligations to provide timely notice and to refrain from entering any settlement or making any admission without Federal’s consent. Federal argued that its ability to assert defenses to SWF’s claim pursuant to the indemnification clauses in CFAS’ contract with SWF was prejudiced by CFAS’ unilateral decision to pay SWF’s subcontractors. Rather than presenting Federal with notice of a potential claim, “CFAS presented a settled claim, giving [Federal] no chance to investigate or evaluate any available options given the situation, as agreed upon in the Policy.” The court held that Federal should not be held liable for the obligation assumed by its insured for this additional reason.

Print Friendly, PDF & Email

« Previous Article

Southwest Marine and General Insurance Co. v. United Specialty Insurance Co.: A Lesson in Common Limitations of Additional Insured Provisions

Next Article »

Sixth Circuit Holds Attorneys’ Fee Award Does Not Constitute Damages Under Professional Liability Policy

About Benjamin Stearns

Benjamin Stearns is an associate at Carlton Fields in Tallahassee, Florida. Connect with Benjamin on LinkedIn.

Related Articles

  1. Arizona Supreme Court Finds That Reasonableness of Insurer’s Refusal to Consent to Settlement Under D&O Policy Is in the Eye of the Insurer
  2. One Way Out: California District Court Finds Insurer Had Right to Pay Limits Despite Possible Defense
  3. Consent to Settle: Third Circuit Reminds Insureds to Obtain Prior Written Consent Required by a Claims-Made Policy or Face Claim Denial, and Rejects Bad Faith Claim in Absence of a Finding of Coverage Under New Jersey Law
Carlton Fields Logo
A blog focused on legal developments in the property-casualty industry by the attorneys of Carlton Fields.

Get Weekly Updates!

Send Me Updates!

Focused Topics

  • Additional Insured
  • Bad Faith
  • Business Interruption
  • Class Action
  • Construction/Builder’s Risk
  • Coronavirus / COVID-19
  • Cybersecurity
  • Declaratory Judgment
  • Duty to Defend
  • Environmental
  • Flood
  • Homeowners
  • Occurrence
  • Pollution/Pollutant
  • Property
  • Regulatory
  • VIEW ALL TOPICS »

Recent Articles

  • Connecticut Federal Court Construes Ambiguous Policy Exclusion in Favor of Coverage, but Rejects Bad Faith Claim
  • Third Circuit Holds Harassment Exclusion Bars Coverage for Sexual Assault Suit Under Pennsylvania Law
  • Tenth Circuit Interprets Excess Policy’s Definition of “Medical Incident” as Applying to the Injuries of One Single Person

Carlton Fields

  • carltonfields.com
  • Practices
  • Industries
  • ExpectFocus Magazine

Related Industries/Practices

  • Insurance
  • Financial Lines Insurance
  • Property & Casualty Insurance
  • Financial Services & Insurance Litigation

About PropertyCasualtyFocus

  • All Topics
  • Contributors
  • About
  • Contact
© 2014–2025 Carlton Fields, P.A. · Carlton Fields practices law in California as Carlton Fields, LLP · All Rights Reserved · Privacy Policy · Disclaimer

Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please contact us. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites. This site may be considered attorney advertising in some jurisdictions. Web Design by Espo Digital Marketing