Courts Trying To Find Coverage For Social Engineering

Written by Jeffrey Forbes | Feb 20, 2020 9:26:13 PM

Given the relative newness of cyber insurance policies, comparatively little case law exists interpreting these policies in the context of claims. Courts have sometimes struggled with how to apply novel policy provisions to the many variations of computer fraud. While some courts have taken a highly technical approach to the language of the policy, others have taken a more relaxed approach based on the reasonable understanding of the parties. A recent decision from the Eleventh Circuit Court of Appeals highlights these issues. Principle Solutions Group, LLC v. Ironshore Indemnity, Inc. tackled a dispute between an insured business and its insurer over a cyber claim.

The Hack

The case involved a common phishing scheme, often called business email compromise, that begins with gaining access to a company’s internal email. Once inside, the attackers send an email that appears to come from the Chief Financial Officer or Chief Executive Officer and instructs an employee to wire money to an external bank account. In the case at issue, the company’s controller received an email that appeared to be from the company’s managing director. The email told the controller that she would receive a follow-up email from an attorney containing wire transfer instructions and that she should comply with those instructions promptly. The controller then received a second email from the purported attorney instructing her to wire $1.7 million to a foreign bank account.

Phishing Resulting In Fraud

The scheme was sophisticated: it included someone impersonating the attorney over the phone to satisfy a fraud prevention service and to persuade the company’s bank to release a hold on the transfer prematurely. The entire scam was completed in under three hours. The company reported the loss to its insurance carrier and to law enforcement as soon as the fraud was discovered, but the funds could not be recovered.

Limits For Coverage

The company’s cyber insurance policy included coverage for “fraudulent instruction.” The specific policy language covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [company’s] transfer account and transfer, pay, or deliver money or securities from that account.” A separate section defined a fraudulent instruction as an electronic or written instruction that purports to have been issued by an employee of the company. The insurance company nevertheless denied the claim. It asserted that the only instruction purporting to come from an employee (the email from the supposed managing director) merely told the controller to await instructions from a third party, and that the actual wire instructions came from the purported attorney, who was not an employee. To the insurance company, this distinction was enough to place the loss outside the policy’s coverage.

The Court Disagreed With The Insurance Company

The Court disagreed with the insurance company’s interpretation. According to the Court, nothing in the policy required a fraudulent instruction to be contained in a single communication from a single purported sender; two separate emails from two separate people could together form one fraudulent instruction. The insurer’s highly technical reading of the contract did not stand up to the Court’s scrutiny. For businesses, the practical lesson is that multi-step social engineering attacks of this kind are the norm rather than the exception, and the wording of a policy’s “fraudulent instruction” provision should be reviewed with such staged attacks in mind.