United States: Turning To Crime Insurance Policies For Phishing Losses

Spear-phishing attacks present significant cyber exposures for businesses in all industries. It is a familiar scenario: A fraudster crafts a communication apparently from a trustworthy source—an executive, a legal advisor, a vendor—and tricks the employee into wiring money to the fraudster's bank account. Once the money hits that account, it disappears with the fraudster. Businesses have lost billions of dollars collectively as a result of these scams.

Certainly, an ounce of prevention is worth a pound of cure. Training employees to recognize suspicious emails and investing in the latest security measures remain the best defense. As spear-phishing attacks become more tailored and technologically more sophisticated, however, employees increasingly will take the bait and fall victim.

When a loss occurs, employers should promptly consider their insurance coverage, including their crime insurance policies. Crime insurance companies have argued in response to many such claims that their policies only cover brute force, direct "hacks." This past summer, however, two federal appellate courts—the Second Circuit in Medidata Solutions, Inc. v. Federal Insurance Company, and the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty & Surety Co.—contradicted that argument. While not identically worded, the policies in both cases covered losses "directly" resulting from computer fraud, with neither insurance product restricting coverage to brute-force hacking attacks.

In Medidata, an employee received an email, purportedly from a Medidata senior executive, that included the executive's picture. The cyber fraudster "spoofed" the email code to alter the "From" field so that the message appeared to come from the executive, and requested the transfer of almost $5 million. After emailing and speaking with an "attorney," the employee obtained management approval and wired the money. Federal Insurance Company declined to pay the loss under a policy that included coverage for "direct loss of money" from computer fraud. The policy defined "computer fraud" to include "entry of data into" or changing of data in Medidata's system.

Although Medidata conceded that no hack occurred, the Second Circuit found that "the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata's email system." According to the court, the attack introduced the spoofing code into the system, which changed a data element and altered the appearance of the email to fraudulently indicate the sender.

The Second Circuit also found that the employees' intervening actions to transfer the funds pursuant to the fraudulent emails did not make the loss indirect. The court noted that, under New York law, "direct loss" equates to "proximate cause," and here, "it is clear to us that the spoofing attack was the proximate cause of Medidata's losses." The court found that since the employees believed that they were acting at the executive's behest, their actions did not sever the causal relationship between the spoofing attack and the loss.

A week later, the Sixth Circuit, in American Tooling, found that an industrial policyholder (ATC) was entitled to crime insurance for a phishing scam. There, a thief impersonating an ATC vendor intercepted emails requesting the vendor's invoices for payment. Through numerous emails made to look authentic by using an email address very similar to the vendor's, the fraudster instructed ATC's treasurer to wire over $800,000 in payments to various accounts over several months. Travelers refused to pay under its computer crime/fraud policy, arguing that the policy only covered "direct loss" of money "directly caused" by computer fraud.

The Sixth Circuit reversed the district court's acceptance of the insurance company's direct loss defense. It held that under either a proximate cause analysis or a "direct means immediate" approach, ATC's loss was a "direct" one. Applying an analogy to debunk Travelers' arguments, the court explained that if "Alex" owes "Blair" five dollars, and before Alex pays the five dollars, "Casey" snatches the bill from Alex's fingers, "Travelers would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five-dollar bill." Thus, the Sixth Circuit concluded, "ATC received the fraudulent email at step one. ATC employees then conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two. This was the 'point of no return' making the theft from the computer fraud a 'direct loss' to ATC." The court also made clear that "computer fraud" coverage was not limited to "hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured's computer."

With the amount of trickery going into computer-based thefts these days, crime insurance companies too often use the many steps involved in a fraudulent scheme to argue that losses are indirect and otherwise uncovered. The recent decisions of the Second Circuit and Sixth Circuit on the "direct loss" argument and the scope of computer fraud coverage recognize the sophistication and reality of phishing scams, and that the policy language does not distinguish between frauds based on how they induce a transfer. Employers should be familiar with their crime coverage and any policy relating to computer, business email compromise or social engineering fraud, and promptly notify all potentially implicated lines of insurance coverage when a cyber incident occurs.

Note: The authors were amicus counsel for United Policyholders in the Medidata Solutions, Inc. v. Federal Insurance Company case before the Second Circuit.

Originally published by Risk Management.

Dennis J. Nolan is a shareholder in Anderson Kill's New York office and member of the firm's insurance recovery and cyber insurance recovery groups. Joshua Gold is a shareholder in Anderson Kill's New York office and chair of Anderson Kill's Cyber Insurance Recovery Group. He regularly represents policyholders in insurance coverage matters and disputes concerning arbitration, time element insurance, electronic data and other property/casualty insurance coverage issues.

About Anderson Kill

Anderson Kill practices law in the areas of Insurance Recovery, Commercial Litigation, Environmental Law, Estates, Trusts and Tax Services, Corporate and Securities, Antitrust, Banking and Lending, Bankruptcy and Restructuring, Real Estate and Construction, Foreign Investment Recovery, Public Law, Government Affairs, Employment and Labor Law, Captive Insurance, Intellectual Property, Corporate Tax, Hospitality, and Health Reform. Recognized nationwide by Chambers USA and best known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes, with no ties to insurance companies and no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Philadelphia, PA, Stamford, CT, Washington, DC, Newark, NJ and Los Angeles, CA.
