Finding Coverage for the Latest E-mail Scams


As CYBER scams and hacker attacks grow, the insurance industry has been frantically trying to keep up in providing appropriate coverage for these events. Hacks, viruses, ransomware and exposure of sensitive personal information of your customers or employees, and any resulting regulatory implications, are often covered by cyber liability insurance. But what about the recent trend of criminals spoofing a company executive’s e-mail address, posing as them and ordering accounts payable to cut a check and send it to the fraudsters?

Well, two firms suffered similar incidents, but different federal appeals courts issued opposite opinions – one saying that a crime insurance policy covered the event, while the other court said it didn’t. The fact that two courts came out with two different rulings illustrates how many traditional and even cyber policies are slow to keep up with evolving hi-tech threats to businesses. The devil is always in the details, so read your policies and discuss your concerns with us.

The number of business e-mail compromise scams quadrupled in 2017, and losses averaged $352,000 per business and topped out at $3 million, according to an analysis of insurer Beazley’s clients. The FBI says these schemes are one of the fastest-growing cybercrimes.

Court case one: Covered

Employees of Medidata, a clinical-trial software firm, wired $4.7 million for what they thought was for an acquisition by their employer. They were sent a series of fraudulent e-mails that they thought were from their company president and the firm’s outside lawyer.

The company didn’t have a cyber insurance policy, but it had an executive protection policy, which had a crime section that included coverage for computer fraud, funds transfer fraud and
forgery. The insurer rejected the claim and the firm sued in federal court. The lower court ruled in favor of the insurer, but upon appeal, the federal appeals court ruled that the policy did in fact cover the loss.

The insurer argued the policy applies to only hacking-type intrusions. The appeals court found that while no hacking occurred, fraudsters inserted spoofing code into the firm’s e-mail system, which the court said is part of the computer system. The court held that the insurer must pay under the computer fraud portion of its policy.


Court case two: Not covered

A federal district court found no crime policy coverage after a Michigan tool and die firm wired $800,000 in funds to a fraudster’s account in the belief the account belonged to one of its vendors. The insurer faulted the company for not verifying the bank account with the vendor. The district court agreed with the insurer that the loss was not a “direct loss” caused by the “use of a computer,” and thus the crime policy did not apply.


The takeaway

Computer fraud is evolving rapidly, so it’s important that you talk to us about the types of fraud that appear in the news. We will work with you to ensure that your coverage is forward-looking and covering more than just threats from last year. We can also discuss with you how computer fraud coverage interacts with other types of cybercrime policies.