Losses from social engineering schemes continue to grow exponentially. According to FBI data published in early 2017, losses from these schemes totaled over $3 billion between 2013, when the FBI started tracking data, and the end of 2016. One recent estimate suggests projected growth to over $9 billion in 2018 alone. The problem is not going away; it’s getting much, much worse.
Under these schemes, perpetrators trick company employees into believing that they have received instructions from a high-ranking officer such as a CFO or CEO, to change wiring information to vendors or other trusted recipients, who then appear to corroborate the instructions when contacted. A common method of perpetrating the fraud involves the company’s email system, which is why some variants of social engineering fraud are referred to as business email compromise (or BEC). These schemes are becoming more complex and are often perpetrated using phones, letters, or even in-person meetings. As the FBI explains, these schemes are becoming increasingly sophisticated:
At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.
Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners – except the money ends up in accounts controlled by the criminals.
These schemes often involve, but don’t exclusively rely on, the use of email specifically or computer systems generally. This facet of the scheme is at the heart of the coverage issues with which courts have struggled over the last couple of years, because the fraudster is not so much using a computer as using a human dupe, who then makes authorized, non-fraudulent use of a computer (or phone, etc.), unwittingly furthering the fraud.
Because wire transfers are the predominant focus of these schemes, financial institutions are uniquely vulnerable. Many financial institutions have looked to their insurers to cover losses from social engineering schemes under the “computer fraud” coverage of crime/fidelity/financial institution bonds. This has become one of the most hotly litigated “cyber” coverage issues, and the results are decidedly mixed.
One thing the coverage litigation has made clear is that computer fraud coverage was created long before the social engineering schemes that have recently garnered so much attention. Given the patchwork of coverage law that continues to evolve on the issue, policyholders, brokers, and insurers should carefully consider coverage for this particular risk. For policyholders, it is important to be up front, asking specifically about coverage for social engineering losses. Brokers should carefully follow the ever-changing landscape of coverage litigation on this issue to ensure they give policyholders the most up-to-date advice. The recent Ninth Circuit decision serves as a conspicuous reminder that precise policy language is necessary for the insurer and the insured to determine the scope of the coverage intended with respect to these risks, and if an insurer does not intend to cover social engineering loss under the computer fraud coverage of crime/fidelity policies, it should consider explicitly excluding the risk.
What is Computer Fraud Coverage Under a Fidelity Bond?
Typically, the computer fraud coverage in a fidelity policy covers loss “resulting directly” from the fraudulent use of or “change” to a computer system to cause a transfer of funds to an outside entity, or to cause some other defined fraud loss.
Courts have generally interpreted the “fraud” language to require that the use of or “change” to a computer be unauthorized in some fashion, generally meaning perpetrated by an unauthorized user. To wit, New York’s high court found no coverage under a computer systems fraud rider for a Medicare fraud scheme perpetrated by a health care provider using an electronic payment system submitted through his company’s computer network. The court noted that the computer fraud coverage was not meant to cover any fraud committed by an authorized user of a computer, but rather was meant to cover “losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be ‘hacking’ of the computer system.” Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 25 N.Y.3d 675, 681, 37 N.E.3d 78, 81 (2015) (emphasis added).
Consistent with this analysis, the Eighth Circuit Court of Appeals held that a direct hack of the insured bank’s computer network by an unauthorized (and unknown) user that resulted in the wiring of funds to a foreign account set up by the hacker was covered under the computer fraud coverage of its financial institution bond. See State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456 (8th Cir. 2016).
Direct Hack Versus ‘Social Engineering’
While the foregoing appellate cases provide some guidance, neither involved social engineering schemes. One of the first cases to deal with the issue was Apache Corp. v. Great Am. Ins. Co., No. 4:14-CV-237 (S.D. Tex. Aug. 7, 2015). The court addressed a typical social engineering scheme, by which the insured suffered $2.4 million in losses before it was detected. The court held that this was covered, because the fraudster’s scheme was perpetrated, in part, through the insured’s computer network, insofar as it involved email.
The decision was later cited favorably in Principle Solutions Group, LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130-RWS (N.D. Ga. Aug. 30, 2016), where an insured suffered a $1.7 million loss from a similar scheme, and the court likewise held it was covered under a computer systems fraud rider.
On the other hand, the Ninth Circuit Court of Appeals vacated a similar decision from a California federal court, finding no coverage for losses from a social engineering scheme under a computer fraud rider. See Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. Appx. 332 (9th Cir. July 29, 2016). That court reasoned:
The Policy defines Computer Fraud as “[t]he use of any computer to fraudulently cause a transfer….” Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a “General Fraud” Policy. While [the insurer] could have drafted this language more narrowly, we believe protection against all fraud is not what was intended by this provision, and not what [the policyholder] could reasonably have expected this provision to cover.
Citing the Ninth Circuit decision, the Fifth Circuit followed suit and reversed the Texas ruling in Apache, finding no coverage. Like the Ninth Circuit, the Fifth Circuit pointed out the ubiquity of electronic communication. “[W]hen the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between ‘computer’ and ‘telephone’ was already blurred. In short, few – if any – fraudulent schemes would not involve some form of computer-facilitated communication.” Apache Corp. v. Great Am. Ins. Co., 662 Fed. Appx. 252 (5th Cir. Oct. 18, 2016).
Unsurprisingly, the Fifth Circuit’s decision was cited by the insurer in a motion for reconsideration in the Georgia Principle Solutions case, and was cited by the insurer in a similar case pending at the time in New York federal court. In the meantime, the Ninth Circuit reaffirmed its position in another order finding no coverage for a social engineering loss. See Taylor & Lieberman v. Federal Ins. Co., 681 Fed. Appx. 627 (9th Cir. 2017).
Nevertheless, what appeared to be a developing trend has been thrown into considerable doubt by some recent district court rulings, and appeals on this coverage issue are pending in the Second, Sixth, and Eleventh Circuits.
In American Tooling Center, Inc. v. Travelers Cas. & Surety Co. of Am., No. 16-12108 (E.D. Mich. Aug. 1, 2017), a Michigan federal court followed what appeared to be the developing trend after the Fifth and Ninth Circuits’ guidance discussed above. In American Tooling, the court similarly held there was no coverage under the computer fraud provision of a fidelity policy for a scheme in which the insured’s VP received instructions to change the wiring of payment for legitimate invoices to a new bank account. The policyholder has appealed, and that decision is now pending in the Sixth Circuit Court of Appeals.
On the other hand, a district court in New York made waves in finding coverage for a similar scheme. See Medidata Solutions, Inc. v. Federal Ins. Co., No. 15-CV-00907 (S.D.N.Y. July 21, 2017). In this long, winding saga, and after the court called for supplemental summary judgment briefing with expert analyses on the inner workings of email technology, the court found coverage for a social engineering scheme under a computer fraud rider. The insurer appealed, and the appeal remains pending in the Second Circuit.
In Principle Solutions, discussed above, after reconsideration based on the insurer’s submission of supplemental authority from the Fifth and Ninth Circuit cases, the court nevertheless maintained its ruling in favor of coverage for a social engineering scheme under the insured’s commercial crime policy, specifically distinguishing Apache and Pestmaster.
One of the defendant insurer’s arguments in Principle Solutions was that the company had separate coverage available for “Cyber Deception” which it contended was designed for the type of scheme at issue, and which the insured had declined to purchase. The court gave that argument short shrift, finding that language from an insurance policy not at issue was not relevant and, therefore, inadmissible at the summary judgment stage. The insurer appealed, and the case is pending in the Eleventh Circuit.
As we anxiously await those rulings, the Ninth Circuit has again spoken on this issue, and is again ahead of the curve. In Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co., No. 16-35614 (9th Cir. April 17, 2018), the court reviewed a Washington federal district court decision. In that case, the plaintiff, Aqua Star, a Seattle-based seafood company, sued its crime insurer, alleging that the insurer must cover losses the company suffered when it was manipulated into wiring funds to a fraudster who posed as a vendor in emails. Aqua Star argued, as other policyholders have, that its crime policy does not limit coverage to direct hacking incidents; rather, it asserted that the computer fraud provision in its crime policy extends coverage to scenarios where the policyholder is fraudulently induced into sending money to a criminal.
The scheme at issue is familiar, and similar to the schemes in each of the social engineering cases discussed above. Using emails that were manipulated or “spoofed” by a fraudster posing as one of the company’s seafood vendors, Zhanjiang LongWei Aquatic Products Industry Co. Ltd., Aqua Star was tricked into wiring more than $700,000 to overseas bank accounts controlled by the fraudsters. Aqua Star submitted a claim for the misdirected wires under the computer fraud coverage in its crime policy. The insurer denied coverage, not only on the basis that the computer fraud coverage is limited to “direct” hacking, but also on the basis of an exclusion to the policy, stating that coverage “will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System . . . .”
U.S. District Judge Robert S. Lasnik of the Western District of Washington ruled in favor of the insurer in July 2016, finding that coverage was precluded by the exclusion. The district court found there was no unauthorized use of Aqua Star’s computer system and coverage was deemed not to apply. In its short affirmance, the Ninth Circuit agreed, citing the exclusion as the basis of its holding, “even assuming without deciding that the policy generally covers ‘Computer Fraud’ of the kind that duped Aqua Star.”
So what are the lessons in all of this? What are insurers, policyholders, and/or brokers to do? First, social engineering fraud will only continue to increase in complexity and frequency. Every company in the market for insurance coverage should inquire specifically about coverage for social engineering schemes. A sublimit can provide some clarity for insurers and insureds.
For insurers, establishing a sublimit may reduce the risk to the extent that any questions arise in connection with a loss involving a social engineering scheme. For insureds, a sublimit should put them on notice that they have limited coverage for such risks, and if they desire coverage for social engineering schemes they will need a cyber policy to complement their fidelity coverage. Second, brokers should continue to keep abreast of the ever-changing coverage landscape in this arena to ensure they are giving policyholders accurate, up-to-date advice and meeting their insureds’ needs. Third, it may not be enough for insurers to simply point to the availability of standalone cyber coverage specifically designed for social engineering losses, as the insurer in Principle Solutions learned. Rather, a more prudent approach may be to exclude social engineering fraud explicitly from the computer fraud coverage grant altogether, while the courts continue to struggle with the issue.
Republished with permission from Law360.