Recent court decisions have offered conflicting views on whether and how crime insurance policies should respond to social engineering scams, reflecting an ongoing industry discussion on how best to handle this rising tide of crime.
In late July, the United States District Court for the Southern District of New York ruled that the “funds transfer fraud” provision in a crime policy issued to Medidata Solutions by Federal Insurance, a Chubb subsidiary, would cover the loss of funds due to spoof emails directing a wire transfer. In a similar case decided Aug. 1, American Tooling Center v. Travelers, the United States District Court for the Eastern District determined that the “computer fraud” provision of a Travelers policy would not cover a similar social engineering scam.
The Court stated, “Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the ‘use of any computer to fraudulently cause a transfer.’ There was no infiltration or ‘hacking’ of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.”
The cases added a new layer to the issue and offer a few takeaways, according to Roman Itskovich, founder and chief risk officer for At-bay, a cyber insurance startup with roots in the tech world. He commented, “The comparison is interesting because it clearly demonstrates two trends. The first: there’s a lack of general understanding of what is and what is not covered under cyber related coverages. The many variations of cyber coverage wording in the market and the relatively small amount of case law in this space doesn’t help. Furthermore, explicit exclusions of cyber triggers are not common in many policies. The second is that cyber attack vectors permeate increasingly more lines of traditional, non-technological insurance.”
However, while case law gets has been getting hashed out, the insurance industry appears to have already come up with a solution – loss of funds due to social engineering or impersonation fraud should be covered by endorsements on crime policies. Experts say that updates to the “computer fraud” provisions of crime policies were long overdue, having been drafted in some cases decades ago, and should reduce litigation in coming years.
“Lots of people have blurred the lines or had trouble distinguishing between cyber insurance and crime insurance,” said Bill Jennings, crime manager with Beazley. “We try to oversimplify the distinction. If there’s money that’s missing, that’s a crime policy. It’s there’s data missing, that’s cyber.”
Cyber policies can also act as excess coverage or difference-in-conditions over crime policies, according to Robert Parisi, cyber product leader for Marsh.
“The one thing that these two cases can do is make clear to the buyer that this isn’t well settled,” said Parisi, adding that pressing insurers for clear policy language is key. He predicted brokers would hold insurers’ “feet to the fire” for broad coverage.