Do commercial crime policies cover cyber crimes?

In some instances, a commercial crime insurance policy may offer coverage for a loss due to a cyber-attack. The 11th U.S. Circuit Court of Appeals in Atlanta has ruled that an insurer must indemnify a policyholder that was scammed out of more than $1.7 million in a phishing incident under its commercial crime policy.
​

The decision is good news for companies who have not purchased cyber insurance but have commercial crime policies.

This is at least the third precedent-setting case in which a court has ruled that a commercial crime policy can cover losses "directly" resulting from computer fraud.

Crime insurance companies, when denying hacking claims that resulted in monetary losses, will often argue that hacks and phishing scams are "indirect" losses, which are not covered by their commercial crime policy because someone on the outside duped an employee into transferring funds to a third party.

In the most recent case, an employee received an email purported to be from the company's managing director, directing her to write $1.7 million to an account at a Chinese bank. The communication said she would receive instructions in an email from an attorney. When she did, she initiated the transfer.

Before the bank issued the wire, its fraud unit intervened and held the money transfer. The controller contacted the "attorney," who confirmed that the managing director had approved the transaction. Upon receiving that information, the bank released the wire.  Unfortunately, it was all a fraud, and the managing director knew nothing about it.

After the fraudulent request was discovered, the insured filed a claim under its commercial crime policy, but the claim was denied.  The insured subsequently sued the insurer, and the local court ruled in its favor. The insurer appealed, but the appeals court upheld the lower court's ruling.

In rejecting the insurer's argument that the loss did not result directly from the fraudulent instruction, the court found that the ordinary meaning of the phrase "resulting directly from" requires proximate causation between a covered event and a loss, not an immediate link. The court held that as a matter of law, there was proximate cause, and the intervening communications, including the bank's hold, were not sufficient to sever the causal chain.

This decision follows two 2018 rulings by federal appellate courts - the Second Circuit in Medidata Solutions, Inc. vs. Federal Insurance Company, and the Sixth Circuit in American Tooling Center, Inc. vs. Travelers Casualty & Surety Co. - which ruled that the insurers' policies in both cases covered losses "directly" resulting from computer fraud.

In the American Tooling case, the court wrote that the policy language did not distinguish between frauds based on how they induce a transfer.
 
What to do

• Educate employees on how to recognize phishing scams and other suspicious emails.
• Invest in the latest security measures.
• Set up stricter protocols for paying large sums to new accounts.
• Review your crime coverage and any policy relating to computer, business email compromise, or social-engineering fraud to see if you are covered.
• If you do suffer a breach and loss, promptly notify all potentially implicated lines of insurance coverage.