News & Insights  |  Newsletters

‘Business E-Mail Compromise’ Scheme Losses Not Covered by Traditional Insurance

April 2017
Privacy in Focus

Introduction

According to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3), there has been a total of more than $3 billion in losses resulting from “business e-mail compromise” (BEC) schemes. See Business E-Mail Compromise: Cyber- Enabled Financial Fraud on the Rise Globally. Oftentimes in these crimes, a third-party criminal actor provides fraudulent wire instructions to a company’s accounting department and then, upon completion of the transaction, the criminal withdraws the funds. These losses can be very significant, and there are reported cases where sophisticated corporate parties have fallen victim to such schemes and lost millions of dollars at a time.

The existence of a loss gives rise to a related question – is there insurance coverage for these losses under traditional commercial crime insurance policies? To date, the answer appears to be a resounding “no.” In a recent case, the U.S. Court of Appeals for the Ninth Circuit, applying California law, added to the weight of authority finding no such coverage. Taylor & Lieberman v. Federal Ins. Co., 2017 WL 929211 (9th Cir. Mar. 9, 2017).

Taylor & Lieberman

The insured in Taylor & Lieberman, an accounting firm, received several emails from a client’s email address with instructions for transferring client funds. Believing the instructions to be genuine, the accounting firm initiated the transfers. The firm subsequently learned that a third party had gained access to the client’s email address and sent the payment instructions as part of a fraudulent BEC scheme. It then sought coverage for the loss under its commercial crime policy, but the insurer denied coverage and coverage litigation ensued. The district court granted summary judgment in favor of the insurer after concluding, as a threshold matter, that the accounting firm could not show a “direct loss” because there were intervening causes between the initial fraudulent emails and the resulting loss.

On appeal, without addressing the “direct loss” issue, the court affirmed the decision on alternative grounds.

First, the court determined that the loss did not result “from Forgery or alteration of a Financial Instrument by a Third Party.” The accounting firm had contended that the words “financial instrument” only limited coverage for an alteration, and that a covered forgery need not be of a financial instrument. The court disagreed, holding that “under a natural reading of the policy, forgery coverage only extends to forgery of a financial instrument.”

Second, the court rejected the accounting firm’s argument that the computer fraud coverage applied because the emails constituted an unauthorized “entry into” its computer system or “introduction of instructions” that “propagate[d] themselves” through the insured’s computer system. The court reasoned that unwanted emails, without more, could not be considered an “unauthorized entry” into the recipient’s computer system. In addition, “under a common sense reading of the policy,” the court found that the fraudulent emails were “not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code.” The court found the computer fraud coverage to be inapplicable on those grounds.

Third, the court ruled that the accounting firm was not entitled to coverage for the “fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.” The court reasoned that, because the accounting firm requested the wire transfers, the transfers were made with both its “knowledge” and “consent.” The court also ruled that the coverage did not apply for the independent reason that the accounting firm was not a “financial institution.”

Conclusion

Taylor & Lieberman illustrates that traditional commercial crime policies may not afford coverage for losses caused through fraudulent instructions. However, there are specialized coverages available to protect against this exposure. In addition to evaluating operating policies and procedures in an attempt to avoid losses in the first instance, companies should evaluate their insurance coverage and consider purchasing specialized coverage to protect against losses caused by BEC schemes and related events.