No Insurance Coverage for Phishing Scam
Last week, the Michigan federal court in American Tooling Ctr. v. Travelers Cas. & Sur. Co. of Am. held that a company’s financial losses from miswiring funds as a result of a phishing scam were not covered under a computer crime insurance policy. This case is another in which financial losses resulting from a phishing scam were not recoverable under insurance, and it highlights the need for companies to adopt employee training and best practices to better protect themselves against a costly cyber risk.
American Tooling Center (ATC) was a tool and die manufacturer that outsourced some of its work to other die manufacturing companies overseas, including a vendor called Shanghai YiFeng Automotive Die Manufacture Co., Ltd. (YiFeng). Typically, ATC issued purchase orders to YiFeng, which in turn manufactured the requested dies. ATC paid YiFeng in stages based upon completion of certain milestones. To receive payment, YiFeng submitted its invoices to ATC by email. Once ATC verified that the milestone had been met, it wired the appropriate payment to YiFeng.
In March 2015, ATC’s Vice President/Treasurer emailed his contact at YiFeng, requesting copies of all outstanding invoices. In response, the ATC officer received an email purportedly from YiFeng, which really was a spoofed email from a third party. (The third party made the email appear to come from YiFeng by sending it from the lookalike domain “yifeng-rnould” rather than YiFeng’s correct domain, “yifeng-mould.com”.) The third party, pretending to be from YiFeng, instructed ATC to send payments for several legitimate outstanding invoices to a new bank account. Without verifying these new instructions, ATC wired approximately $800,000 to a bank account that was not controlled by YiFeng. When the fraud was detected, the money was gone.
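The spoof in this case swapped the letters “rn” for “m” in the vendor’s domain, a substitution that is hard to spot by eye and that passes ordinary sender authentication because the attacker controls the lookalike domain. The following added example (not part of the original post or the court record) shows a defender-side check that folds common visual confusables before comparing an inbound sender’s domain against a list of known vendor domains; the sample addresses and the “.com” suffix on the lookalike are constructed for illustration.

```python
from email.utils import parseaddr

# Visually confusable sequences folded to a canonical form before comparison.
# "rn" -> "m" is the exact substitution used against ATC; the rest are
# other common lookalike pairs.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Lower-case a domain and fold confusable sequences so that lookalikes
    collapse onto the same string as the genuine domain."""
    d = domain.strip().lower().rstrip(".")
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def classify_sender(from_header: str, trusted_domains) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'unparseable' for the
    domain in an RFC 5322 From: header, relative to known vendor domains."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    # Compare both the whole domain and its first label, so that a lookalike
    # under a different TLD (e.g. .net instead of .com) is still flagged.
    sender_sk = skeleton(domain)
    sender_label = sender_sk.split(".")[0]
    for t in trusted:
        trusted_sk = skeleton(t)
        if sender_sk == trusted_sk or sender_label == trusted_sk.split(".")[0]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample data: the real vendor and a lookalike modelled on
    # the post's "rn" for "m" swap (the .com suffix is assumed).
    vendors = ["yifeng-mould.com"]
    for hdr in ["YiFeng Sales <sales@yifeng-mould.com>",
                "YiFeng Sales <sales@yifeng-rnould.com>",
                "YiFeng Sales <sales@yifeng-rnould.net>",
                "someone@other.example"]:
        print(f"{hdr:45} -> {classify_sender(hdr, vendors)}")
```

A result of “lookalike” is the case to route to a human and to treat any payment-instruction change in that message as unverified until confirmed through a known-good channel.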
ATC sought recovery under its computer crime policy. The policy provided that “The Company will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” The policy defined “Computer Fraud” as:
The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises:
- to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or
- to a place outside the Premises or Financial Institution Premises.
The carrier argued that coverage did not exist because there was no “direct loss” that was “directly caused by the use of a computer,” as required by the policy.
Noting that the Sixth Circuit, applying Michigan law, previously had held that the term “direct” means “immediate” and without intervening acts, the American Tooling court concluded that there was no direct loss directly caused by a computer to implicate coverage. Simply put, there were too many intervening acts between the phishing email and the transfer of money to satisfy the insuring language of the policy. The court stated that the “intervening events between ATC’s receipt of the fraudulent emails and the transfer of funds (ATC verified production milestones, authorized the transfers, and initiated the transfers without verifying bank account information) preclude a finding of ‘direct’ loss ‘directly caused’ by the use of any computer.”
Agreeing with the reasoning of the Fifth Circuit in Apache Corp. v. Great American Ins. Co. (written about in The Coverage Inkwell in October 2016), the American Tooling court stated that “the mere sending/receipt of fraudulent emails did not constitute ‘the use of any computer to fraudulently cause a transfer.’” The court explained:
Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the “use of any computer to fraudulently cause a transfer.” There was no infiltration or “hacking” of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.
Further, because of the widespread use of computers as a means of communication, the court, like the Fifth and Ninth Circuits, feared that to allow the email to implicate coverage for computer fraud would transform the “computer fraud” coverage into coverage for any fraud: “Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.” To implicate coverage under computer fraud insurance, the computer must be a critical instrumentality of the fraud and not merely incidental to the fraud.
The case highlights the costs of phishing attacks. According to a May 4, 2017 FBI Bulletin, between October 2013 and December 2016 American businesses saw losses from phishing scams approach $1.6 billion, or $500 million every year, with dollar figures climbing sharply between January 2015 and December 2016.
The case also illustrates how phishing scams are not covered under many forms of insurance. Cyber insurance (not addressed in American Tooling Center) typically covers loss from data breaches, including forensic investigation fees, monetary losses caused by network downtime, data breach notification costs, litigation and legal expenses, and regulatory fines. Crime policies typically cover loss from theft or fraud, but the loss must be a direct result of the fraud. Similarly, “computer fraud” coverage only covers loss resulting directly from the use of a computer. In social engineering cases, courts see too many intervening events between the fraud and the loss to hold that the loss was “directly” caused by fraud or computer fraud, so coverage is not implicated. However, some carriers offer social engineering fraud endorsements that may provide coverage for phishing scams. This coverage is not standard and should be inquired about when purchasing insurance.
The important lesson here is that phishing scams represent a significant financial risk. Companies should implement appropriate cybersecurity measures, including employee training, to help prevent such loss. Companies also should inquire about potential insurance coverage options. Small investments in appropriate cybersecurity processes and insurance today can save a company from significant loss tomorrow.
If you have questions or would like additional information, please contact Josh Mooney (email@example.com; 215.864.6345) or another member of our Cyber Law and Data Protection Group.