For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.
Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.
The Loss: ATC hired a Chinese company, YiFeng Automotive Die Manufacturer, Co., to make stamping dies. To receive payment for its work, YiFeng sent invoices to ATC, and ATC paid by wire transfer. Prior to making the wire transfers, ATC completed several steps to confirm that the payment amount was correct and going to the proper bank account.
In 2015, an unidentified person intercepted an email from ATC to YiFeng. This person then impersonated an employee of YiFeng and told ATC that because of an audit, ATC should wire payment to YiFeng for several outstanding invoices to a new bank account. ATC complied with the instruction, which resulted in wire transfers of over $800,000 to the thief’s bank account. ATC learned of the theft when YiFeng inquired about payment of its invoices. ATC agreed to pay 50% of the amount that it owed to YiFeng, and the parties agreed that the remaining 50% would be contingent on ATC’s insurance claim.
The Insurance Claim and the Trial Court Decision: ATC made a claim under its Wrap+ business policy with Travelers, which included “Computer Fraud” coverage. Travelers refused to pay the claim. ATC filed suit, and the district court granted summary judgment for Travelers.
The Sixth Circuit’s Ruling: Travelers argued that the loss was not covered because ATC did not suffer a loss until it paid the outstanding YiFeng invoices, and therefore, the insured did not suffer a “direct loss” as required by the policy. In making its direct loss argument, Travelers relied on cases interpreting employee-fidelity bonds. The Sixth Circuit rejected Traveler’s argument and held that under Michigan law (which applied in this case), the term direct loss means a loss resulting from an “immediate” or “proximate” cause as distinguished from a remote cause. The court found that ATC immediately lost money when it made the wire transfer to the thief. “There was no intervening event,” the court stated, and therefore, the loss was direct.
The Sixth Circuit then addressed whether the thief’s conduct amounted to Computer Fraud, which the policy defined as “[t[he use of any computer to fraudulently cause a transfer of Money inside the Premises or Financial Institute Premises . . . to a person outside the Premises or Financial Institute Premises.” Travelers argued that this definition required a computer to “fraudulently cause the transfer” and that it was not sufficient “to simply use a computer and have a transfer that is fraudulent.” The court rejected this argument stating that the policy definition did not require that the fraud “cause any computer to do anything.” The court further stated that it was not proper to limit the definition of computer fraud to hacking or other actions by which the thief gains access to the insured’s own computer.
The court also rejected Traveler’s reliance on exclusions in the policy. Two of these arise regularly in coverage disputes arising from social engineering fraud. First, the court held that the exclusion for losses arising from the “giving or surrendering of Money . . . in any exchange or purchase” did not bar coverage. The court found that ATC did not “give or surrender money to the impersonator in an exchange or purchase.” Second, the court rejected Travelers’ argument that the claim was barred by an exclusion for loss or damage resulting “from the input of Electronic Data” into the insured’s computer system. Travelers argued that when the ATC employee entered the name and address of the thief into its computer system to wire the money, ATC caused the loss. The court also rejected this argument, because the policy defined Electronic Data to exclude “instructions or directions to a Computer System.”
Impact: United States courts of appeals have reached different conclusions regarding whether coverage exists under crime policies for business email compromise. This decision follows on the heels of a July 6 decision in which the Second Circuit also ruled in favor of a policyholder in a phishing coverage dispute – Medidata Sols. Inc. v. Fed. Ins. Co., No. 17-2492, 2018 WL 3339245, (2d Cir. July 6, 2018).
The decision in ATC is significant because it rejects two arguments that carriers typically make to avoid coverage for business email compromise claims. First, the court found that to trigger the computer fraud coverage, the thief does not have to hack into or otherwise gain access to the insured’s own computer system. It is sufficient for the fraud to be caused by emails originating from a distant computer system to cause the insured to send money to the thief. Second, insurers typically argue, as Travelers did here, that a business email compromise is not a direct loss because the insured “voluntarily” wired the money to the perpetrator after receiving the instruction. Insurers claim that the insured’s voluntary act makes the fraudulent email from the perpetrator an “indirect” cause of the loss. The court also rejected this argument.
The terms of cyber insurance policies and grants of cyber coverage within other policies, like the Traveler’s Wrap+ policy in this case, are quickly evolving. Decisions like ATC have caused underwriters to change policy language to exclude this risk or to grant affirmative “social engineering” coverage for these losses, which is almost always offered with low sublimits. Policyholders should review carefully the terms of their cyber and crime policies and take steps to ensure that coverage exists, with appropriate limits, for this regularly-occurring criminal activity.