Litigation trends in cyber insurance coverage for wire fraud
Wire fraud typically involves cybercriminals posing as a person of authority to trick a business into transferring money.
Companies increasingly face the rampant threat of wire fraud. Wire fraud typically occurs where cyber criminals pose as legitimate persons of authority, such as a high-ranking company executive, a vendor, or a customer, and trick the business into wiring money to the fraudster’s bank accounts. Businesses targeted by such attacks often turn to their insurance companies to recover their resulting losses.
Previously, courts across the country overwhelmingly found that such attacks were covered under “Computer Fraud” provisions, which commonly appear in crime and cyber policies, such as those in Principle Solutions Group LLC v. Ironshore Indemnity, Inc., 944 F.3d 886 (11th Cir. 2019); Medidata Solutions Inc. v. Federal Insurance Co., 729 Fed. App’x 117 (2d Cir. 2018); and American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America, 895 F.3d 455 (6th Cir. 2018). In finding coverage for wire fraud, these Circuit Court decisions rejected the argument frequently made by insurers that the actions of an insured’s employees, deceived by the fraudster into making a transfer, break the causal chain between the fraudster’s use of a computer and the insured’s losses.
Recently, the Ninth Circuit followed this rule in Ernst & Haas Management Company, Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022). There, a property management company suffered $200,000 in losses after an employee was tricked by a fraudster posing as one of the company’s founders. The Ninth Circuit held that the losses from the wire fraud were covered under both “Computer Fraud” and “Funds Transfer Fraud” insuring agreements in the policy and found that the losses resulted directly from the computer fraud.
The Ninth Circuit further distinguished the third-party email fraud at issue in Ernst & Haas from other types of crimes such as embezzlement, which the Ninth Circuit has previously found was not covered under “Computer Fraud” coverage in Pestmaster Services Inc. v. Travelers Casualty & Surety Company of America, 656 Fed. App’x 332 (9th Cir. 2016). The Ernst & Haas panel reasoned that third-party email fraud, where an insured’s employee is unwittingly deceived into sending a wire transfer based on fraudulent instructions, is different from the scenario presented in Pestmaster, which involved an authorized contractor embezzling the money with which it had been entrusted. In the situation presented in Ernst & Haas, the third-party email fraud constituted “Computer Fraud” because the actions of the deceived employee did not amount to an intervening event between the computer fraud and the loss.
Despite these rulings, insurance coverage for wire fraud remains hotly contested. Consequently, litigation is on the rise, particularly as insurers adjust their policy terms. In an attempt to minimize coverage for wire fraud attacks, many insurers offer separate social engineering or impersonation fraud coverage and take the position that losses are capped by the often significantly lower limits of liability for these coverages.
In City of Unalaska v. National Union Fire Insurance Company, 2022 U.S. Dist. LEXIS 51387 (D. Alaska 2022), the court addressed the question of whether these alternative coverages may reduce the policyholder’s potential insurance recovery. The City of Unalaska was the victim of a wire fraud attack in which a fraudster impersonated one of the City’s regular vendors and fraudulently directed a city employee to transfer nearly $3 million to the fraudster’s bank account. The government crime policy at issue contained both “Impersonation Fraud Coverage,” with limits of $100,000, and “Computer Fraud” coverage, which provided a substantially higher limit. While the insurer accepted coverage under “Impersonation Fraud Coverage,” it denied any responsibility under the “Computer Fraud” coverage. The court found the insurer responsible for providing coverage under both insuring agreements, allowing for recovery of the higher “Computer Fraud” limits. In reaching its conclusion, the court analyzed whether the requirements of the Computer Fraud insuring agreement had been satisfied. Because the wire fraud at issue in that case qualified as “Computer Fraud,” and not just “Impersonation Fraud,” the court allowed for recovery of the higher “Computer Fraud” limits. Drawing upon the above precedent, the court reasoned that the fraudster’s use of the computer, including the sending of emails, brought the fraud under the policy’s Computer Fraud provision. 
The court stated that “[b]y its plain language, the [Computer Fraud Insuring Agreement] applies under these circumstances; the City experienced a loss of money resulting directly from the fraudster’s use of a computer – sending an email impersonating the City’s vendor—to fraudulently cause a transfer of the funds from the City to the fraudster’s bank account.” The court further stated a reasonable insured would expect coverage under the Computer Fraud insuring agreement, and the plain language of the provision did not require more than proximate causation between the use of the computer and the loss.
The Unalaska decision represents a significant win for policyholders who seek coverage for wire fraud losses beyond their policy’s “social engineering” or “impersonation” coverages and reaffirms the long-held rule that these types of losses fall squarely within the “Computer Fraud” coverage provided by many crime and cyber policies.
The litigation trends in the cyber insurance space confirm the need for policyholders to review the wording of their policies carefully with their risk managers, brokers, and advisers. Broad cyber coverage remains an important business asset given the increased cyber risks. But as premiums rise for this valuable coverage, insurers continue to signal restricted coverage for many cyber risks as evidenced by Lloyd’s of London’s recent announcement that all cyber policies underwritten by Lloyd’s from March 2023 onward must exclude coverage for losses arising from state-backed cyberattacks.
As the cyber market and cyberattacks continue to evolve, in the event of a cyberattack, policyholders should review their policies closely and ask their insurers to provide the bases for their coverage positions in writing and by a date certain to ensure the insurance carriers’ position complies with the policy language and the coverage the policyholder purchased.
Cynthia “Cindy” M. Jordano, a partner at Cohen Ziffer Frenchman & McKenna in New York, focuses her practice on every stage of insurance recovery cases. She also advocates for clients in commercial cases, including complex litigation, contract disputes, securities actions and business fraud. She represents a wide range of companies in state and federal courts, as well as in arbitration. She previously clerked in the United States District Court for the Southern District of New York.
Adam S. Ziffer, founding partner of Cohen Ziffer Frenchman & McKenna, represents policyholders in actions for damages and declaratory relief and counsels clients on a range of insurance-related issues. He is known nationally and internationally for his successful litigation and arbitration strategies and execution. Adam litigates some of the most cutting-edge, precedent-setting insurance coverage cases in trial and appellate courts throughout the country and is regarded as one of the most skilled coverage attorneys in the nation.
These views are the authors’ own.