Why Securing Broad Crime Coverage is the Best Protection Against Cyber-Threats
By David A. Gauntlett*
Introduction
Our prior blogs have addressed Cyber/Media policies[1] as well as aspects of “social engineering fraud,”[2] one of the most prevalent, problematic, and challenging theft plagues sweeping the country.[3] The best resource against such incidents of Loss is a comprehensive, separately secured Crime policy. A recent Ninth Circuit decision, Ernst & Haas Management Co. v. Hiscox Inc. (“Ernst”),[4] reversed the district court and ruled in favor of the policyholder, clarifying why a Crime policy may be the best vehicle for addressing this risk.
Social Engineering Fraud Scams Impersonating Employees, Vendors, or Suppliers
The most common tactic of social engineering scams is to impersonate vendors, buyers, or company employees by hijacking their email and using the company’s internal conventions so that other employees believe the scammer’s emails were authored by the employee whose mailbox was hijacked. Remote operations, changes in personnel, and shortcuts in the routines and procedures that facilitate wire transfers often mean the necessary checks and balances are not applied, which puts companies at high risk of falling victim to these scams. Pre-wire procedures need to be tightened significantly, especially where “out of office” employees have no informal opportunity to ask why a wire is being sent to a particular financial institution or address. Heightened security procedures for wire transfers include a meaningful double check of how wires are authorized and sent, as well as a proactive interaction by the bank before release.
Confirming that instructions actually come from the person whose email (or other electronic text communication) they appear to come from should be standard procedure before any wire is sent. That confirmation must travel over a channel the request itself did not supply: a reply to the requesting email, or a call to a number quoted in it, simply reaches the impostor if the mailbox has been hijacked. While cumbersome, the effort is essential, especially when personnel are on vacation or out of office and there is no in-office opportunity to double check these items. No matter how respected or senior the person in the organization, their instructions need to be confirmed both internally and with a bank officer who is in the loop.
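The following Python sketch is an added illustration, not part of the original post and not drawn from any policy or court ruling cited here. It encodes the pre-wire controls described above as a release gate: the purported requester must be confirmed by a callback to the phone number of record (a channel independent of the request, never a number taken from the request itself), a second person distinct from the preparer must approve, and a bank officer must have spoken with the requester. The directory entries, user ids, phone numbers, and the replay of the three instructions are all constructed for the example.

```python
"""Pre-wire release gate for the controls discussed in the text (constructed example).

Rules enforced (an illustration, not any insurer's or court's requirement):
  1. The purported requester is confirmed over a channel independent of the
     request, by dialling the phone number of record, never a reply to the
     requesting email or a number quoted in it.
  2. A second person, distinct from the clerk who prepared the wire, approves it.
  3. A bank officer has spoken with the requester before release.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed directory of record. In practice this comes from HR/ERP data,
# never from anything contained in the request being checked.
DIRECTORY = {
    "dhaas": {"email": "dhaas@example.test", "phone": "+1-555-0100"},
    "kallen": {"email": "kallen@example.test", "phone": "+1-555-0101"},
    "jroe": {"email": "jroe@example.test", "phone": "+1-555-0102"},
}


@dataclass
class WireRequest:
    requester: str            # user id the instruction claims to come from
    request_channel: str      # how the instruction arrived, e.g. "email"
    preparer: str             # clerk who keyed the wire
    amount: int
    beneficiary: str
    contact_in_request: str = ""  # any phone number quoted in the instruction


@dataclass
class Confirmation:
    kind: str          # "callback", "approval", or "bank_callback"
    by: str            # who performed it
    channel: str       # "phone", "email", "in_person", ...
    contact: str = ""  # number or address actually used, if a callback


def evaluate(req: WireRequest, confirmations: list[Confirmation]) -> list[str]:
    """Return the reasons the wire must NOT be released; an empty list means release."""
    reasons: list[str] = []
    phone_of_record = DIRECTORY.get(req.requester, {}).get("phone")
    if phone_of_record is None:
        return [f"requester {req.requester!r} not in directory of record"]

    callbacks = [c for c in confirmations if c.kind == "callback"]
    good = [c for c in callbacks
            if c.channel != req.request_channel   # independent of the request channel
            and c.contact == phone_of_record]     # number taken from the directory
    if not good:
        if any(c.channel == req.request_channel for c in callbacks):
            reasons.append("confirmation travelled over the same channel as the request")
        elif any(c.contact and c.contact == req.contact_in_request for c in callbacks):
            reasons.append("callback used a number supplied by the request itself")
        else:
            reasons.append("no callback to the requester's phone of record")

    if not any(c.kind == "approval" and c.by != req.preparer for c in confirmations):
        reasons.append("no approval by a second person distinct from the preparer")

    if not any(c.kind == "bank_callback" and c.channel == "phone" for c in confirmations):
        reasons.append("bank officer has not spoken with the requester")
    return reasons


def replay_ernst_pattern() -> dict[str, list[str]]:
    """Three emailed instructions from 'Fake David' (constructed values following the
    facts quoted later in the post), each checked under the rules above."""
    base = dict(requester="dhaas", request_channel="email", preparer="kallen",
                beneficiary="Zang Investments, LLC")
    first = WireRequest(amount=50_000, **base)
    second = WireRequest(amount=150_000, contact_in_request="+1-555-0199", **base)
    third = WireRequest(amount=470_000, **base)
    return {
        # 1: clerk pays on the strength of the email alone
        "first": evaluate(first, []),
        # 2: clerk "verifies" by dialling the number in the email's signature block
        "second": evaluate(second, [Confirmation("callback", "kallen", "phone", "+1-555-0199")]),
        # 3: clerk emails the real requester; this only works if the address was spoofed
        #    rather than taken over, so the gate refuses it as same-channel
        "third": evaluate(third, [Confirmation("callback", "kallen", "email", "dhaas@example.test")]),
    }


def compliant_release() -> list[str]:
    """The same instruction with all three controls satisfied: nothing blocks release."""
    req = WireRequest(requester="dhaas", request_channel="email", preparer="kallen",
                      amount=50_000, beneficiary="Zang Investments, LLC")
    confs = [
        Confirmation("callback", "kallen", "phone", "+1-555-0100"),  # phone of record
        Confirmation("approval", "jroe", "in_person"),               # second person
        Confirmation("bank_callback", "bank officer", "phone"),       # bank interaction
    ]
    return evaluate(req, confs)


if __name__ == "__main__":
    for label, reasons in replay_ernst_pattern().items():
        print(label, "->", reasons or "RELEASE")
    print("compliant ->", compliant_release() or "RELEASE")
```

The design point is that the gate never trusts anything the request carries: the number dialled is compared against the directory, not against the email, and a reply over the requesting channel is rejected outright because the gate cannot tell a spoofed sender from a hijacked mailbox.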
The Logic of the Ernst & Haas Order
The Ninth Circuit in Ernst held that the district court erred in finding no coverage for a $200,000 Loss under the 2012 version of the Hiscox crime insurance policy: the insured suffered a Loss resulting “directly” from fraud and was therefore entitled to coverage. Under the “Funds Transfer Fraud” clause, the court clarified that a Loss resulting directly from a fraudulent actor’s email instructions suffices to trigger coverage.
The district court also improperly relied on an embezzlement-based coverage analysis[5] in applying the “computer fraud” provision to a transfer directed by a fraudulent email with no intervening event. There was no question that Ernst’s Loss followed directly from fraudulent instructions (i.e., emails) that spoofed the identity of an Ernst employee to direct a different employee to transfer funds, supplying fraudulent wire details and fraudulent authorization, and thus fell under the “Funds Transfer Fraud” provision of the Hiscox policy.
The pertinent facts are undisputed:
“At the time, Krystale Allen was an Accounts Payable Clerk for Ernst. On March 12, 2019, Allen received an email purporting to be from her superior, David Haas, directing her to make a payment. As the accounts payable clerk, Allen regularly disbursed payments according to Ernst’s protocols. But this email was different. Unbeknown to Allen, the email was sent by a fraudulent actor (Fake David). And unfortunately for Allen, she believed the email was authentic and from the founder and managing broker of Ernst, David Haas (Real David). The email included an invoice for $50,000, which Allen was directed to pay to Zang Investments, LLC (Zang) by wire transfer. Believing the email instruction was from Real David, Allen processed the payment by wire transfer to Zang.
After the first transfer, Allen received two more email instructions from Fake David, for payments of $150,000 and $470,000. Allen completed the same steps for the $150,000 payment and wired the money to Zang. But before authorizing the $470,000 payment, Allen’s suspicions were raised, and she emailed Real David to confirm the authenticity of the invoice. Upon receiving Allen’s email, Real David informed her that he had not requested the prior transfers. Allen attempted to stop the previous wire payments from the bank, but because the $50,000 and $150,000 wire transfers had already been completed, Ernst could not recover the funds.”[6]
Coverage for Wire Fraud Under Hiscox Policy
Notably, Hiscox’s suggestion that Ernst should have purchased more comprehensive coverage than it bought overlooks that the reduced coverage appeared in the 2019 policy, not in the 2012 policy that governs this dispute. The district court did not address whether the 2012 or the 2019 policy applies; it simply applied and interpreted the 2012 policy.
The 2012 policy’s Computer Fraud provision covers Loss resulting “directly” from Fake David’s email instructions:
“The computer fraud provision states Hiscox will cover Loss ‘resulting directly from the use of any computer to fraudulently cause a transfer of property from’ Ernst to a person or location outside of Ernst.”[7]
Notably, the Ninth Circuit observed that the majority of federal courts of appeals to consider the question have ruled in favor of its construction of this provision.[8]
Extending Coverage for Social Engineering Fraud
Crime coverage has tended to narrow over time. Specific coverages sought may require an endorsement, as the newer 2019 Hiscox policy demonstrates: it was less comprehensive in addressing coverage for “social engineering fraud.” Endorsements such as the eCrime coverage found in a Cyber policy issued by Beazley[9] extend coverage to acts of social engineering fraud under the Funds Transfer Fraud provision. Like the Coverage D: Computer and Funds Transfer Fraud provision in the 2012 Hiscox policy, an endorsement like Beazley’s covers Loss resulting from “fraudulent written, electronic...or telephone instructions by a third party issued to a Financial Institution directing such institution to transfer, pay, or deliver Monies or Securities from any account maintained by the Insured Organization.”[10]
Unlike the Beazley endorsement, a Crime policy issued by Federal Insurance Co., a CHUBB entity,[11] provides, under Insuring Clause (E), coverage for “direct loss…resulting from Computer Fraud[12] committed by a third party.” This express “direct loss” language restricts coverage: the insured must demonstrate that the Loss directly resulted from, or was directly caused by, a Computer Fraud (i.e., email spoofing).
Conclusion
The following steps are essential to avoid insurance gaps for social engineering fraud:
First, review existing Cyber policies to determine how they interface with a more comprehensive Crime policy, and procure computer fraud coverage in the broadest form available in the market.
Second, avoid incidents by requiring a second person within the company to confirm wire instructions, and by having a separate bank officer speak directly with the person making the request to confirm that they authorized it.
Third, where any monies disappear, immediately contact the bank, ask whether it has a recapture program, and alert all federal and state agencies that can assist in recovering the lost funds.
If you enjoy this content, you can find my full list of blogs here: https://docs.google.com/document/d/1N3YsMmn0Ii1GqHWSBEE1pPzh1jQbU6htkJZ2e55Y2eM/edit?usp=sharing
* David A. Gauntlett is a principal of Gauntlett & Associates and represents policyholders in insurance coverage disputes. For more information, visit Gauntlett & Associates at www.gauntlettlaw.com.
[1] See David Gauntlett, Finding Appropriate Media Policy Coverage, www.gauntlettlaw.com (Oct. 22, 2021).
[2] See David Gauntlett, Insurance Coverage for an IT Consultant’s Role in Media/Cyber Policy Application, www.gauntlettlaw.com (Oct. 14, 2021); David Gauntlett, Coverage for Malware Attacks – Cyberjacking and Ransomware, www.gauntlettlaw.com (Dec. 2, 2021).
[3] Heidi Mitchell, That Great Job Offer? It May Be a Scam, The Wall Street Journal (Sept. 9, 2021).
[4] Ernst & Haas Management Co. v. Hiscox, Inc., Case No. 20-56212, 2022 U.S. App. LEXIS 2372 (9th Cir. (Cal.) Jan. 26, 2022)
[5] Pestmaster Services, Inc. v. Travelers Cas. & Sur. Co. of Am., 656 Fed. App’x 332 (9th Cir. (Cal.) 2016).
[6] Ernst & Haas, Case No. 20-56212, at *4-5
[7] Id. at *14
[8] American Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455, 457 (6th Cir. (Mich.) 2018) (“ATC received a series of emails, purportedly from its Chinese vendor, claiming that the vendor had changed its bank accounts and ATC should wire transfer its payments to these new accounts.”); Principle Solutions Group, LLC v. Ironshore Indem., Inc., 944 F.3d 886, 890-891 (11th Cir. (Fla.) 2019) (an email directing an employee recipient to initiate a wire transfer through a bank satisfied the requirement that a fraudulent instruction “direct a financial institution” to transfer funds, as the misdirecting email required Principle’s financial controller to transfer money from Principle’s account, provided payment details, and provided fraudulent authorization to transfer funds).
[9] Beazley USA Services, Inc., Breach Response, F00653 112017 ed. (April 2021)
[10] Id. at 8 of 23
[11] CHUBB Group of Insurance Companies, Crime Coverage Part, Form No. 14-02-17277 (issued April 15, 2021).
[12] Id. at 2 of 14 (“Computer Fraud means the unlawful taking of Money, Securities, or Property resulting from a Computer Violation.”)