Will Insurance Cover Your Business Loss If an Unsuspecting Employee Follows a Hacker’s Fraudulent Scheme and Wires Company Funds to a Third Party?
By Michael C. Perlmuter, JD
President and General Counsel of the Alex N. Sill Company, LLC
I was hacked! Figuratively, that is, my computer and not physically. Hard to tell which is a worse fate.
In pre-computer days, one of our worst nightmares was getting held up for our wallets. It was our “money or our lives.” Usually, the perps wanted our cash and credit cards. Assuming we were not physically harmed, this was a nightmare with “limitations.” All we really lost (in addition to peace of mind) was the cash we were carrying, the time spent canceling and replacing credit cards and the tedious trip to the DMV for a replacement driver’s license.
Well, during the recent holiday season and the short time I was traveling with family, some fraudster was able to evade all our layers of encryption and various other protections built into our system and “hacked” my computer.
Hacked is not a word any one of us north of 40 years of age grew up with (other than as to “cut with heavy blows”). In today’s vernacular, “hacked” is defined in the internet online dictionary at point 2 as “use of a computer to gain unauthorized access to data in a system.” Well, that happened to me.
Here’s how it went down: A third-party schemer impersonating me sent an email purportedly from me and my email address which instructed our bookkeeper and CFO to wire funds in the amount of $79,500 to another third party “TODAY.” Of course, specific wire instructions were attached.
The timing by the third party was “opportunistic” as I was traveling in the Caribbean and not readily available. Our financial people prepared the wire, but prior to wiring, successfully reached me by phone to confirm my instructions. Luckily, they reached me and I shut down the wire.
The event itself was troubling and disconcerting. What would have happened had they not been able to reach me? Would they have wired the funds?
That sent me to thinking. This isn’t a remote event. It undoubtedly happens every day to businesses and individuals all over America, in fact the world.
But here are the questions:
- Had we wired the funds and suffered a financial loss, did we have insurance coverage?
- Do others have coverage for such an event?
- Is such coverage even available?
The answers are Yes, Maybe and Yes.
Upon a review of our insurance policy, I verified that the answer in our case was Yes!
The fraudulent phishing activity is covered in one of our Crime policy endorsements, the so-called “Social Engineering Fraud Coverage Endorsement,” which specifically provides: “The Company shall pay the Parent Organization for loss resulting from an Organization having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client or an Employee…” “Social Engineering Fraud means the intentional misleading of an Employee, through misrepresentation of a material fact which is relied upon by an Employee, believing it to be genuine.”
But what if we didn’t have the special Crime policy endorsement for “Social Engineering Fraud?” Many, many business organizations do not.
What then? Would those companies so positioned have coverage? Interestingly, my research found the answer to be a resounding “Maybe/Maybe Not!”
Let me digress for a moment.
The type of phishing expedition described in this article is commonly referred to as a “Business Email Compromise” (BEC). BECs represent a significant risk to U.S. companies and to the economy as a whole. In a recent report, the FBI estimated that BECs have caused more than $5 billion in losses since 2013!
Now, back to coverage.
In the absence of a special Crime policy, generally speaking, claims to recover BEC funds would be made by business owners under several policy “additional coverages,” including Forgery; Money and Securities; and Computer Fraud. Typically, the Forgery provision states:
“We will pay for loss resulting directly from forgery or alteration of any check, draft, promissory note, or similar written promises, orders or direction to pay a sum certain in “money” that you or your agent has issued, or that was issued by someone who impersonates you or your agent”
Likewise, the Money and Securities coverage typically reads as follows:
“We will pay for loss of “money” and “securities” used in your business while at a bank or savings institution, within your living quarters or the living quarters of your partners or any employee having use and custody of the property, at the “scheduled premises”, or in transit between any of these places, resulting directly from …Theft”
Computer Theft coverage typically reads as follows:
“We will pay…for physical loss of or physical damage to “money”, “securities”, and other property having intrinsic value resulting from computer fraud.”
Do those coverage provisions cover a BEC loss of the type we almost experienced?
It is far from clear. Moreover, business policies typically contain a False Pretense exclusion, which often reads as follows:
“Voluntarily parting with any property by you or anyone else to whom you have entrusted the property if induced to do so by fraudulent scheme, trick, device or false pretense.”
So, where does that leave a scammed company that, in fact, wires funds to a third-party fraudster and hopes to rely on these non-Crime Policy provisions for insurance recovery?
That took me to case law. And, fortunately (I think), there was a very recent State of Vermont Supreme Court ruling exactly on point. The case is entitled Rainforest Chocolate, LLC v. Sentinel Insurance Company, Ltd. No. 2018-095 (Dec. 28, 2018). In Rainforest, a third-party fraudster impersonated a company manager sending an email to another employee to transfer $19,875 to a specified outside bank account through an electronic-funds transfer.
Unbeknownst to the employee, the fraudster had gained control of the manager’s email account and sent the email. The employee responded by wiring the funds. In attempting to recover the ill begotten wired funds, Rainforest made a claim under provisions of the policy covering losses due to “Forgery, for Forged or Altered Instruments” and for losses resulting from “Computer Fraud.” Sentinel Ins. Co. denied coverage primarily relying on an exclusion for physical loss or physical damage caused by or resulting from False Pretenses. In Rainforest, importantly, the False Pretenses exclusion read:
“We will not pay for physical loss or physical damage caused by or resulting from: False Pretense: Voluntarily parting with any property by you…” [Emphasis added]
Relying on the False Pretenses exclusion, the trial court ruled in favor of Sentinel. The Supreme Court reversed, finding that the False Pretenses exclusion did not apply because the loss in Rainforest was not a “physical” loss.
But importantly, the Court did not find that Rainforest did, indeed, have coverage. Rather, the Court remanded the case back to the trial court to determine whether the loss was covered by any of the policy provisions. The Court quickly dismissed the Computer Fraud provision because it only provided coverage “for physical loss of or physical damage to ‘money’…resulting directly from computer fraud” and the Court had already concluded this loss was not physical.
We will be interested to see if the trial court finds any coverage for this loss in the remaining provisions of Rainforest’s policy. Personally, I am not confident that it will.
So, what have we learned?
First, we learned both how common and relatively simple it is for a fraudster to access another person’s email account and direct a BEC.
Second, we learned a business can protect itself by obtaining coverage for such a potential occurrence. This would be in the form of a special “Social Engineering Fraud Coverage Endorsement.”
Finally, we learned that without such a special endorsement, an insurance company is likely to deny coverage for a BEC. Thus, the insured would be relegated to the uncertainty of the judicial system with no assurance of a successful outcome.