In case you missed it, the Ninth Circuit (in an unpublished decision) weighed in last month on a coverage issue surrounding a set of facts that in recent years has become all too common: where an employee of a company is duped by a hacker, via a spoofed email, into effectuating wire transfers of large sums of money. With many organizations slow to get on board with procuring cyber insurance (or a social engineering fraud endorsement to a traditional crime policy), these companies may be faced with the grim reality that such a loss may not be covered under traditional crime or computer fraud coverage. That point was driven home in Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir.), where despite the best efforts of the Plaintiff to attempt to shoe-horn social engineering email fraud into an insurance policy’s crime coverage, the Ninth Circuit, reflecting what is becoming a trend, rejected their arguments.
The Plaintiff in Taylor is an accounting firm that performed business management services for a client (the “Client”), including managing Client’s financial accounts by issuing payments, transferring funds, having Power of Attorney over funds, writing checks and wiring transfers. The dispute arose when a hacker fraudulently took hold of Client’s email account and sent wire payment instructions via that email address to the email account of Plaintiff’s employee (the “Employee”) on three different occasions. The first two emails were signed with the Client’s name at the end, and Employee, believing them to be legitimate, effectuated two transfers of almost $100,000 each. When a third email was sent, purportedly from Client but from a different email address, Employee became suspicious and placed a call to Client to confirm, and the fraudulent scheme was discovered. The Plaintiff immediately tried to recover the first two transfers, and was able to get back most of the first transfer, but none of the second transfer. Plaintiff then tendered that loss under the crime coverage of an insurance policy (“the Policy”) that it purchased from Defendant prior to the incident at issue. The Defendant determined that coverage was not afforded for the loss, denied the claim, and litigation ensued.
In the District Court, the Plaintiff argued that Defendant breached their contract because the Policy should have been honored under each of three different sections: Forgery (because the emails constituted a forged signature), Computer Fraud (because the emails sent to Plaintiff constituted computer violations), and Funds Transfer Coverage (because Plaintiff is a financial institution per a policy covering “fraudulent written electronic instructions issued to a financial institution”). In turn, the Defendant argued that Plaintiff did not, as a matter of law, show that it suffered a “direct loss” as required by the Policy because the emails did not immediately, and without intervening cause, result in a loss. The District Court agreed and granted summary judgment in Defendant’s favor without performing an analysis pursuant to the three Policy sections at issue.
On appeal, the Ninth Circuit affirmed the District Court’s decision, but on other grounds; specifically, an analysis of the three Policy sections at issue. First, the Ninth Circuit addressed the Policy’s Forgery Coverage, which stated that “[t]he Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Forgery or alteration of a Financial Instrument committed by a Third Party.” Relying on the “Last Antecedent Rule,” Plaintiff argued that the words “financial instrument” only limit coverage for an alteration, and that a covered forgery need not be of a financial instrument. The Ninth Circuit swiftly rejected that argument, holding that “[a]n exception to the last antecedent rule provides that when several words are followed by a clause that applies as much to the first and other words as to the last, the natural construction of the language demands that the clause be read as applicable to all. Moreover, where, as here, a clause only has two antecedents, the force of the last antecedent rule diminishes . . . in accordance with ordinary English usage. Accordingly, under a natural reading of the policy, forgery coverage only extends over the forgery of a financial instrument.” Given what the coverage was designed to protect against, it seems as though the Ninth’s Circuit’s analysis was on point, not only from a technical perspective, but also from a common sense perspective.
Moreover, the Ninth Circuit noted, the emails instructing Plaintiff to wire money were not “financial instruments”, like checks, drafts, or the like. Under the Policy, financial instruments included “checks, drafts or similar written promises, orders or directions to pay a sum certain in money, that are made, drawn by or drawn upon” an insured, its agent, “or that are purported to have been so made or drawn.” And even if the emails were considered equivalent to checks or drafts, they were not “made, drawn by, or drawn upon” Plaintiff, the insured. Rather, they simply directed Plaintiff to wire money from Plaintiff’s client’s account. Accordingly, there could be no forgery coverage. Again, such an analysis makes perfect sense in the context of a natural reading of the Policy.
Next, the Ninth Circuit found that under the facts before it, there could be no Computer Fraud Coverage pursuant to the Policy, which provided that: “[t]he Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Computer Fraud committed by a Third Party.” The Plaintiff argued that the computer fraud coverage applied because the emails constituted an unauthorized (1) “entry into” its computer system, and (2) “introduction of instructions” that “propogate[d] themselves” through its computer system. Both of those arguments were rejected by the Ninth Circuit. First, the Circuit found that there was no legal support for the “contention that sending an email, without more, constitutes an unauthorized entry into the recipient’s computer system.” While that may be true, it seems debatable as to whether or the act of a hacker who illegally spoofs an email in the manner at issue here can constitute “an unauthorized entry into the recipient’s computer system.” If anything, the Ninth Circuit’s finding underscores the importance of policy wording and definitions in the digital age.
Second with respect to Computer Fraud Coverage, the Ninth Circuit found that “the emails were not an unauthorized introduction of instructions that propagated themselves through [Plaintiff’s] computer system. The emails instructed [Plaintiff] to effectuate certain wire transfers.” Thus, “under a common sense reading of the policy, these are not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code. Additionally, the instructions did not, as in the case of a virus, propagate themselves throughout [Plaintiff’s] computer system; rather, they were simply part of the text of three emails.” Accordingly, the Ninth Circuit found that under the plain meaning of the policy, the computer fraud coverage does not apply.
Finally, the Ninth Circuit found that there was no Funds Transfer Fraud Coverage pursuant to the Policy, which provided that “[t]he Company shall pay the Parent Corporation for direct loss sustained by an Insured resulting from Funds Transfer Fraud committed by a Third Party.” Under the Policy, fraud transfer fraud encompassed “fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.” The Court found such coverage to be inapplicable because the Plaintiff “requested and knew about the wire transfers. After receiving the fraudulent emails, [Plaintiff] directed its client’s bank to wire the funds. [Plaintiff] then sent emails confirming the transfers to its client’s email address. Although [Plaintiff] did not know that the emailed instructions were fraudulent, it did know about the wire transfers. Moreover, [Plaintiff]’s receipt of the emails from its client’s account does not trigger coverage because [Plaintiff] is not a financial institution.” Clearly, the “knowledge and consent” provision of the Policy was fatal to Plaintiff’s argument, and once again, we see the importance of policy wording and definitions in the cyber world that we now live in.
All organizations should take heed of the Taylor decision; it reflects a prime example of an instance where an insured thought it has coverage for a loss, when it did not. It also serves a reminder that all organizations, big and small, should evaluate all of their policies of insurance and ensure that they have sufficient coverage for the current and evolving threats posed by social engineering, business compromise fraud, phishing, ransomware, and other cyber risks.