A reminder to take a look at your crime policy
As you may have seen, the 11th Circuit issued an opinion affirming a district court ruling that a firm’s payment instruction fraud losses are covered under the “fraudulent instruction” provisions of the applicable commercial crime policy.
This insurance coverage dispute involved a $1.7 million loss the insured, Principle Solutions Group, incurred after an employee of the firm received an email imposter posing as a company employee. A classic phishing scam.
Most hear phishing scams and immediately think cyber
However, crime policies cover the direct loss of your funds, whether through maleficence, employee dishonesty, or social engineering, whereas cyber policies cover economic damages arising through a failure of network security or privacy controls, which may cause indirect losses.
And yet, according to the Identity Management Institute, 90% of all cyberattacks are successfully executed with credentials stolen or socially engineered, from employees. Meaning, losses would be covered by a company’s crime policy.
As reported in The D&O Diary, when thinking about the larger implications of the aforementioned court decision, here’s two things we must keep in mind: This coverage dispute depends on the courts’ interpretation of a “fraudulent instruction” provision in the Computer and Funds Transfer Fraud section of the crime policy at issue. Many of the other published cases involving disputes in which policyholders sought to have their crime policies reimburse them for payment instruction fraud losses have involved policies whose Computer Fraud sections do not have this same “fraudulent instruction” provision.
Take a look at your crime policy. Does it include a “fraudulent instruction” provision? More importantly, are you working with a broker who knows what both your crime policy and cyber policy cover? Most businesses should probably have both.
And we know there are businesses that have suffered these types of losses, and never even knew to submit it on their crime policy. This is exactly the type of miss we wouldn’t allow happen.
We’ve seen it before…
“Unfortunately, cyber is a trendy buzzword some brokers use for the sake of attaching themselves to a hot topic, but you really need to work with someone who specializes in it. We have picked up clients who were misdirected and thought their cyber coverage would include phishing scam loss. For example, one client executive sent $500,000 to a fraudulent email address. The company is still working to recoup the loss. Their now former broker signed them up for a cyber policy immediately following the event, but they never had a crime policy, until we took over, which covers funds transfer fraud and computer fraud. Had they decided to stay with the former broker, they would still be exposed to an uncovered loss of this nature again. It kills me to see this happen.” – Aaron Schwen, EPIC Client Advocate
Catch up on the case:
- The company reported the loss to its crime insurer. It’s important to note that the policy’s Computer and Funds Transfer Fraud section included a payment instruction fraud provision, which covers “loss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay, or deliver money or securities from that account.”
- The insurer denied coverage for the loss because the initial bogus email purporting to be from the managing director did not “direct a financial institution to debit” the account (because it only told the controller to communicate with Leach) and also because the loss did not “result directly from” a fraudulent instruction, as Leach conveyed the necessary details to the controller after the initial email, and also because Wells Fargo held the funds awaiting verification before the transfer went through.
- Principle sued the insurer seeking payment under the policy, alleging bad faith.
- The parties filed cross-motions for summary judgment.
- The district court judge granted summary judgment for Principle on the breach of contract claim, finding that the relevant policy provision was ambiguous and applied Georgia insurance construction principles to find in favor of the policyholder.
- The district court granted the insurer’s summary judgment motion on the bad faith claim.
- The insurer appealed the district court’s ruling on the breach of contract claim.
- In a December 9, 2019 opinion, written by Judge William H. Pryor, Jr. for a 2-1 majority (Judge Gerald Tjoflat dissenting), the 11 Circuit affirmed the district court’s ruling.
Sign Up for a Crime & Cyber Policy Review
Please complete all fields.
[pardot-form id=”4963″ height=”600″ title=”Cybersecurity Awareness Month”]
Required fields are marked with an (*).
EPIC’s Cybersecurity Team
The impact and publicity of major breaches has driven boards of directors to significantly increase budgets for cybersecurity programs across most companies. Though some companies have implemented increased measures, the reality is that most of these measures are inadequate. Security breaches create significant business disruption, negatively impact stock performance, and are frequently resulting in termination of company officers. The professionals at EPIC have identified cyber risk exposure through emerging technologies to be the top risk facing the business and industry.