Fraudulently-induced money transfers: crime or cyber?
In the USA there seems to be a real struggle emerging from court judgments on whether ‘computer fraud’ (or social engineering scams), which leads to fraudulently-induced money transfers, is properly covered under crime and fidelity policies.
This is an issue our own market is grappling with, as we hear on the street that ML lines have taken a loss-ratio ‘beating’ of late, and cyber insurers are contemplating new coverage offerings that better target social engineering losses.
But is a fraud perpetrated on-line any different from a traditional fraud claim? Should it sit in the realm of crime cover or more properly within cyber insurance?
The US experience is illustrating a divergence of opinion. Whilst there has been a string of court cases in the last two years that have held that ‘typical’ computer fraud provisions do not extend to losses resulting from this type of fraud, more recent cases are emerging with a differing point of view.
The most recent case to grab the headlines is the decision last year (which is currently under appeal) in Medidata Solutions Inc v Federal Insurance Company. In July, a federal judge in New York awarded summary judgment against Chubb (and in favour of its insured Medidata) for the $4.8 million loss Medidata suffered after it was tricked into wiring funds to a fraudulent account.
The claim arose after employees in Medidata’s finance department were deceived into transferring that amount to a Chinese bank, based on emails that falsely appeared to come from the company’s president. Federal Insurance Company, a unit of Chubb Corp, insured Medidata under a policy providing coverage for (amongst other things), computer fraud, forgery and funds transfer fraud.
The claim was denied by the insurer on a number of bases, including that there had been no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds. However the court agreed with Medidata that:
- the fraudsters’ changing of the code in the emails (to alter the sender’s address and include the executives’ pictures, email addresses and signatures) amounted to a change or manipulation of the “data” in their computer systems; and
- the chain of events causing the loss began with the receipt of a spoofed email (purportedly from Medidata’s president), and that but for this email the employee would not have “voluntarily” transferred the funds.
The court said the manipulation of code in the email messages amounted to the kind of “deceitful and dishonest access” required to trigger cover under the policy. A sufficient causal nexus was established between the fraudulent conduct and the resulting transfer to trigger a claim under that policy.
In contrast, a New Jersey district court in November granted an insurer’s application to deny similar cover. This time, cover was sought by Posco Daewoo America Corporation under a computer fraud insuring clause in a crime insurance policy.
The facts differed from Medidata in that Daewoo did not seek indemnity for money transferred out of its own accounts. It sought cover for amounts that had been designated for payment to Daewoo by a third party supplier (Allnex), but had been stolen from that supplier after a criminal impersonated a Daewoo employee. The court in this case held that the crime policy did not cover the lost sums, because Daewoo did not “own” the money stolen from the supplier.
And in a 2018 application filed in an American appeals court, American Tooling Centre Inc has argued for the reversal of a 2017 decision which found it had no insurance cover under its crime policy for the $800,000 it lost after a false email tricked its employees into wiring that amount to a fraudster.
The earlier court had found that the insurance policy did not provide cover because the insured did not suffer a “direct loss” that was “directly caused by computer fraud”. It placed weight on intervening events (such as the insured’s verification of production milestones, authorisation of the transfers and initiating the transfers without verifying the bank account information) as evidence of a lack of directness or direct causal connection between the loss and the use of a computer.
Whilst we will continue to watch with interest, a few home truths are already evident.
Firstly, as with all coverage disputes, the ultimate outcome will always depend upon the particular wording of the policy and the specific factual matrix of the claim under consideration. These cases should serve as a timely reminder for Australian policyholders to carefully review the scope of cover available to them under their crime and cyber policies for social engineering and other fraudulently-induced losses.
Secondly, the Medidata decision in particular involved extensive evidence and expert forensic and IT opinion being produced and exchanged by the parties on the manner in which the fraudsters actually manipulated Medidata’s computer systems. It’s a great reminder of the complex factual and technical questions that can arise in these types of policy arguments, and the cost these disputes can attract.
 See Apache Corp. v. Great Am. Ins. Co., (5th Cir. 2016); Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., (9th Cir. 2016); Taylor & Lieberman v. Fed. Ins. Co., (9th Cir. 2017).