No Crime Coverage for Social Engineering Fraud
The United States Court of Appeals for the Ninth Circuit, applying California law, has held that a crime policy did not afford coverage for a loss caused by an insured’s initiation of wire transfers based on fraudulent email instructions. Taylor & Lieberman v. Federal Ins. Co., 2017 WL 929211 (9th Cir. Mar. 9, 2017).
The insured, an accounting firm, received several emails from a client’s email address with instructions for transferring client funds. Believing the instructions to be genuine, the insured initiated the transfers. The insured subsequently learned that a third party had gained access to the client’s email address and sent the payment instructions as part of a fraudulent scheme. The insured then sought coverage for the loss under its crime policy, but the insurer denied coverage and coverage litigation ensued. The district court granted summary judgment in favor of the insurer after concluding, as a threshold matter, that the insured could not show a “direct loss” because there were intervening causes between the initial fraudulent emails and the resulting loss. (For the district court opinion, see here.)
On appeal, without addressing the “direct loss” issue, the court affirmed the decision on alternative grounds.
First, the court determined that the loss did not result “from Forgery or alteration of a Financial Instrument by a Third Party.” The insured had contended that the words “financial instrument” only limited coverage for an alteration, and that a covered Forgery need not be of a financial instrument. The court disagreed, holding that “under a natural reading of the policy, forgery coverage only extends to forgery of a financial instrument.”
Second, the court rejected the insured’s argument that the computer fraud coverage applied because the emails constituted an unauthorized “entry into” its computer system or “introduction of instructions” that “propogate[d] themselves” through the insured’s computer system. The court reasoned that unwanted emails, without more, could not be considered an “unauthorized entry” into the recipient’s computer system. In addition, “under a common sense reading of the policy,” the court found that the fraudulent emails were “not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code.” The court found the computer fraud coverage to be inapplicable on those grounds.
Third, the court ruled that the insured was not entitled to coverage for the “fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.” The court reasoned that, because the insured requested the wire transfers, the transfers were made with both its “knowledge” and “consent.” The court also ruled that the coverage did not apply for the independent reason that the insured accounting firm was not a “financial institution.”