A federal judge in Georgia held last week that a Commercial Crime Policy must cover a $1.7 million wire-transfer of funds precipitated by a fraudulent e-mail, purportedly authored by one of the insured’s managing directors. The decision marks yet another attempt by insurers to improperly narrow the scope of coverage afforded for cyber and technology-related losses.
In Principal Solutions Group, LLC v. Ironshore Indem., Inc., Judge Richard Story found ambiguity in the policy’s “Computer and Funds Transfer Fraud” provision which, by its terms, purported to afford coverage for “Loss resulting directly from a ‘fraudulent instruction’ directing a ‘financial institution’ to debit your ‘transfer account’ and transfer, pay or deliver ‘money’ or ‘securities’ from that account.” According to the insurer, however, the provision’s use of the term “directly” meant that coverage would not apply to a loss, such as the one suffered by Principal, where the loss resulted from an e-mail directing Principal’s controller to wire funds as part of a fictitious acquisition transaction. According to the insurer, the loss did not result “directly” from the fraudulent e-mail because additional information was conveyed to the policyholder after the initial e-mail and because the policyholder’s employees set up and approved the wire transfer.
The Court rejected the insurer’s application of the term “directly,” finding that in this case, as with all corporations, the corporate policyholder can act only through its officers and employees, thus necessitating some level of employee intervention. The Court concluded, therefore, that if some employee interaction between the fraud and the loss was sufficient to allow the insurer to avoid payment under the policy, the provision would be rendered “almost pointless,” rendering the coverage illusory.
Not only does the decision illustrate the ease with which cyber-criminals can infiltrate a target’s most secure space simply by impersonating a high-ranking employee or corporate officer, but the decision underscores the need for a robust cyber-protection policy or insurance program that is properly tailored to the policyholder’s specific vulnerabilities. Finally, the decision serves as a reminder that, given the absence of case-law interpreting many of the cyber-related coverage provisions in use by insurers, policyholders should give strong consideration to engaging experienced coverage counsel to review any cyber-related denial of coverage.