Court sides with insurer in phishing attack case

Coverage was initially denied because the plaintiff never “held” the funds.

Because RealPage never held the funds at issue, National Union was within its rights to deny coverage of the stolen funds intended for RealPage’s property manager clients. . . And because National Union’s coverage was not exhausted, Beazley was also within its right to deny coverage under RealPage’s excess policy.” (Credit: Supermicro/Shutterstock)

The 5th U.S. Circuit Court of Appeals in New Orleans has affirmed a lower court’s decision in finding that a commercial crime insurer was right in denying coverage in a multimillion-dollar loss in a phishing incident was proper because the insured never “held” the funds intended for its clients, nor did it control the funds designated for them.

This case resulted from a successful phishing expedition. In 2018, a RealPage, Inc. employee accidentally clicked on a fake link in a seemingly innocuous email, and provided login information for RealPage’s account with a third-party processing site called Stripe, Inc. Phishers stole the login credentials. The phishers then used the credentials to divert millions of dollars in rent payments from tenants intended for RealPage’s property manager clients.

RealPage and Stripe recovered some of the stolen funds, but ended up losing about $6 million to the crooks. RealPage reimbursed its clients and filed claims under its $5 million commercial crime insurance policy with AIG unit National Union Fire Insurance Co. of Pittsburgh and its $5 million excess fidelity and crime policy with Beazley Insurance Co. for the stolen funds. National Union determined that RealPage owned the funds that Stripe had earmarked as RealPage’s transaction fees and reimbursed the company for $1.1 million, but the insurer denied coverage for the remainder of the stolen funds on the basis that the phished funds were not covered losses because RealPage never “held” them.  RealPage then filed this action challenging the denial of coverage. The district court agreed with RealPage’s insurer and granted summary judgment. A three-judge appeals court panel affirmed that decision.

The ruling said that National Union’s coverage provided that policyholders must “hold” the funds involved. According to the decision, “[e]ssentially, RealPage provided routing instructions to Stripe, who effectuated the transactions and handled the funds transferred from tenants to property managers.”

“Because RealPage never held the funds at issue, National Union was within its rights to deny coverage of the stolen funds intended for RealPage’s property manager clients. . . And because National Union’s coverage was not exhausted, Beazley was also within its right to deny coverage under RealPage’s excess policy.”

Editor’s Note: With increased numbers of employees working from home, companies are finding themselves more susceptible to phishing schemes. Here, one may wonder how the case even got to the level it has reached. According to the Experts at our sister publication, FC&S Ex, it seems obvious from a cursory review that the funds were never in RealPage’s possession.

Related: