Wire transfer fraud claims resulting from cyber attacks have increased dramatically over recent years, and companies are losing millions of dollars in these attacks. As is common when a new business risk develops, organizations look to their insurance policies to help cover their losses. As we have shared in previous examples, the coverage is not always adequate.
The extent of coverage for a company that has been a victimized may be sparse, and the costs of any breach are ongoing. Consequences of a fraudulent wire transfer depend not just on the specific wording in the policies a business has purchased, but as seen in the following instances, also being upheld differently in different states.
Cyber Or Crime Insurance?
Several cases involving crime insurance policies provided by various insurance companies demonstrate the issue of terms used within the coverage provided, specifically policies that provide coverage for “computer fraud.”
How Does This Wire Transfer Scheme Work?
A spate of appellate decisions has successfully applied the computer fraud coverage to cases of fraudulent wire transfer schemes. The schemes sometimes involve hackers impersonating customers or vendors via email. The perpetrators would intercept regular business communications with customers and vendors. The crime occurs once they provide false wire transfer instructions for already scheduled payments- so the money would be redirected to the criminals.
Different Findings When Courts Decide What Is Or Is Not Covered
Most recently, a three-judge panel in the Sixth Circuit overturned a decision in favor of Travelers Ins. Co. finding that such attacks did not constitute computer fraud. The district court had argued that because there were several intermediate steps between the receipt of the email and the completion of the wire transfer, the loss was not “directly caused” by computer fraud as required by the policy. In overturning that decision, the Sixth Circuit found that proximate causation (aka “but for” causation) was sufficient to meet the “directly caused” requirement of the policy.
That decision follows many other decisions around the country. Courts in New York and Georgia have similarly found that computer fraud coverage in commercial crime policies covers these types of business email scams. However, Courts in the Fifth Circuit and Ninth Circuit have issued opinions finding the opposite. These decisions often shift on small differences in policy language and quirks in the way each state interprets insurance policies.
What Is Being Done To Protect Businesses?
With this particular type of scheme being seen in more and more industries, and the increase in damages resulting, the insurance industry is reacting by specifically tailoring exclusions to preclude courts in the future from considering this type of scheme computer fraud. Instead, insurance companies have decided to start offering specific social engineering coverage, often at lower limits than the rest of the usual crime policy.
Businesses Need To Develop Procedures While Protecting Their Business's Risk
The increase in these incidents heightens the need for companies to both thoroughly understand the extent and limits of their insurance coverage as well as to drill their employees and tighten up their procedures to ensure these types of losses are not suffered n the first place. This problem affects both sides of your accounting department's roles: receivable and payable. No one wants to be on the hook for a million-dollar payment that went missing or involve a customer or vendor in a messy payment dispute because someone fell victim to a scam.