Despite the rise of social engineering, many businesses are still not prepared, or insured, for these risks, which can involve costs such as revenue loss, business disruption, legal fees, public relations expenses and forensic analysis. When such an attack occurs, policyholders have historically turned to their crime insurance policies for coverage. Social engineering attacks may fall outside the scope of coverage afforded by traditional crime policies, however.
Among other issues, there are often questions of causation and of whether there has been a voluntary transfer of funds. For example, in the July 2016 Pestmaster Services, Inc. v. Travelers Casualty & Surety Company of America decision, the U.S. Court of Appeals for the Ninth Circuit held that there was no insurance coverage for a social engineering attack that left pest control company Pestmaster in debt to the Internal Revenue Service. In 2009, Pestmaster hired a firm to handle its payroll and payroll tax work. Pestmaster authorized the payroll company to initiate transfers of funds from Pestmaster to the payroll company's own bank account, so that the payroll company could pay invoices pre-approved by Pestmaster. Instead of paying the approved invoices, however, the payroll company fraudulently used Pestmaster's funds to pay its own expenses, ultimately leaving the pest control company indebted to the IRS for payroll taxes in excess of $350,000. Pestmaster sought indemnity under both its funds transfer fraud and computer fraud insurance coverages.
The Ninth Circuit held that there was no coverage under the funds transfer fraud insuring agreement, however, because that agreement did not cover authorized electronic transactions, even though they may be related to a fraudulent scheme. In other words, because Pestmaster had pre-authorized the payroll company to initiate the transfer of funds, there was no fraudulent transmission. The court further noted that there was no evidence that the payroll company gained unauthorized entry, pretended to be an authorized representative, or otherwise altered the electronic instructions in order to wrongfully divert money from the rightful recipient.
The Ninth Circuit also affirmed the district court’s holding that there was no coverage under the computer fraud insuring agreement. The computer fraud coverage indemnified Pestmaster for the fraudulent loss of money caused by the use of a computer to transfer funds. The Ninth Circuit interpreted this wording as requiring an unauthorized transfer, which is consistent with the computer fraud jurisprudence requiring an element of unauthorized access or a hacking incident. The court noted that the use of a computer was merely incidental to, and not directly related to, the insured’s losses and, further, that reading this provision to cover all transfers that involved both a computer and fraud at some point in the transaction would convert this crime policy into a general fraud policy. Accordingly, it ruled, there was no insurance coverage for Pestmaster’s claim.
Almost three months after the Ninth Circuit decided Pestmaster, the Fifth Circuit ruled on Apache Corp. v. Great American Insurance Co. The case involved an employee who received a telephone call from a person claiming to work for one of the company's vendors, requesting that Apache change that vendor's payment information. A follow-up email sent from a look-alike domain (one closely resembling the vendor's real domain) reiterated the request, and Apache implemented the change. As a result, approximately $7 million intended to pay legitimate vendor invoices was directed into a fraudulent account.
Apache had been issued a crime protection policy containing computer fraud coverage that stated, “We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer.” Apache argued that the email sent by the fraudsters was computer fraud and directly caused the transfer of funds. In other words, despite the intervening steps (a confirmation phone call and supervisor clearance) that took place after receiving the email, the fraudulent email still caused the loss. The insurer argued that, because of the human intervention that took place between the fraudulent email and the loss, the loss did not result directly from the email.
The Fifth Circuit found that the insured’s loss was not a covered occurrence under the computer-fraud provision. Relying partially on the Ninth Circuit’s interpretation of Pestmaster’s coverage to require an unauthorized transfer of funds, the Fifth Circuit remarked that, in this case, the “computer use” was an email with instructions to change a vendor’s payment information. Once the email was received, however, an Apache employee called the telephone number provided on the fraudulent letterhead in the email attachment instead of, for example, calling an independently-provided telephone contact for the vendor. Had that simple confirmation call been properly directed, or had Apache performed a more thorough investigation, the court noted, it would never have changed the vendor-payment account information.
Concluding that no coverage was available for Apache under the computer fraud coverage, the court held that the legitimate vendor invoices, not the fraudulent email, were the primary reason for the funds transfers. Further, the court echoed the Pestmaster reasoning that interpreting the computer-fraud provision as covering any fraudulent scheme in which an email communication was part of the process would convert the computer-fraud provision to one for general fraud.
Many insurers now offer endorsements specifically tailored to respond to a social engineering attack, addressing the coverage gaps highlighted by the Pestmaster and Apache decisions. Given that several courts have interpreted traditional crime policy wording to afford coverage essentially only in unauthorized-access or hacking situations, businesses should consider these types of specifically tailored endorsements.
While insurance can be a valuable resource, there are also other prudent steps companies should take to minimize the risk of social engineering attacks including:
- Establishing a call-back requirement for transfers and documenting call-backs
- Requiring sign-off by more than one employee for transfers
- Conducting frequent risk assessments
- Creating a database of known account numbers and transfer information
- Confirming new account information with someone other than the email sender
- Requiring multiple layers of authentication
- Retaining an outside network security firm
- Training employees regularly on anti-fraud procedures
- Hiring a chief information security officer
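The following is an added example, not code from the original article, showing how several of the controls listed above (a vendor master record of known account and contact details, a call-back to an independently held number rather than one supplied in the request, an exact check of the sender's domain, and sign-off by two distinct employees) combine into one vendor-payment-change workflow. It replays the failure mode from the Apache case, where the confirmation call went to the number printed in the fraudulent email, and contrasts it with a correctly directed call-back. All vendor records, requests, phone numbers and approver names are constructed sample data.

```python
"""Vendor bank-detail change workflow with out-of-band verification.

Added illustration (not from the original article). It models the controls
listed above against a request of the kind described in the Apache case.
All vendor records, requests and approver names are constructed data.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    """Vendor master record: the "database of known account numbers".

    callback_phone is the contact captured at onboarding. It is never
    updated from an inbound request, so it is the number a verifier dials.
    """
    name: str
    email_domain: str
    callback_phone: str
    account_number: str


@dataclass
class ChangeRequest:
    vendor_name: str
    sender_email: str
    new_account_number: str
    phone_in_request: str  # number printed on the request's letterhead


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def sender_domain_matches(sender_email: str, vendor: Vendor) -> bool:
    """Exact match only: a look-alike domain such as acme-supply.com must fail."""
    domain = sender_email.rsplit("@", 1)[-1].lower()
    return domain == vendor.email_domain.lower()


def verify_change(request, vendors, callback_number_dialed, callback_confirmed,
                  approvers, required_approvers=2) -> Decision:
    """Apply every control; a change is approved only if no control fails."""
    vendor = vendors.get(request.vendor_name)
    if vendor is None:
        return Decision(False, ["unknown vendor"])
    reasons = []
    if not sender_domain_matches(request.sender_email, vendor):
        reasons.append("sender domain differs from vendor record")
    # The call-back must go to the number of record, not one in the request.
    if callback_number_dialed != vendor.callback_phone:
        reasons.append("call-back not made to the independently recorded number")
    elif not callback_confirmed:
        reasons.append("vendor did not confirm the change on call-back")
    if len(set(approvers)) < required_approvers:
        reasons.append(f"fewer than {required_approvers} distinct approvers")
    return Decision(not reasons, reasons)


def apply_change(request, vendors, decision, audit_log):
    """Update the master record only on an approved decision; log either way."""
    audit_log.append((request.vendor_name, decision.approved, list(decision.reasons)))
    if decision.approved:
        vendors[request.vendor_name].account_number = request.new_account_number
    return decision.approved


# Constructed sample data.
VENDORS = {
    "Acme Supply": Vendor("Acme Supply", "acmesupply.com", "+1-555-0100", "111222333"),
}
# Request from a look-alike domain carrying its own "verification" number.
FRAUD_REQUEST = ChangeRequest("Acme Supply", "ap@acme-supply.com", "999888777", "+1-555-0199")
# Legitimate request from the real domain.
GENUINE_REQUEST = ChangeRequest("Acme Supply", "ap@acmesupply.com", "444555666", "+1-555-0100")


def apache_style_handling() -> Decision:
    """Employee dials the number in the request and hears a 'confirmation'."""
    return verify_change(FRAUD_REQUEST, VENDORS,
                         callback_number_dialed=FRAUD_REQUEST.phone_in_request,
                         callback_confirmed=True, approvers=["alice", "bob"])


def controlled_handling() -> Decision:
    """Call-back to the number of record, confirmed, with two approvers."""
    return verify_change(GENUINE_REQUEST, VENDORS,
                         callback_number_dialed=VENDORS["Acme Supply"].callback_phone,
                         callback_confirmed=True, approvers=["alice", "bob"])


if __name__ == "__main__":
    for decision in (apache_style_handling(), controlled_handling()):
        print(decision)
```

The deciding design choice is that the call-back number is read from the vendor master record and compared against what was actually dialed; a number arriving in the request is treated as untrusted data, which is exactly the check the Apache employee skipped. Dual sign-off is enforced on distinct approver identities so one person approving twice does not satisfy it.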
By implementing these practical cybersecurity procedures, in addition to obtaining coverage specifically tailored to respond in the event of a social engineering attack, companies can be in the best position to mitigate risk.