On April 17, 2018, the Ninth Circuit affirmed a district court decision finding that an exclusion barred coverage for a $700,000 loss resulting from a social engineering scheme. Aqua Star (USA) Corp. v. Travelers Cas. & Surety Co. of Am., No. 16-35614 (9th Cir. Apr. 17, 2018). The scheme involved fraudsters who, while posing as employees, directed other employees to change account information for a customer. The employees changed the account information and sent four payments to the fraudsters.
The crime policy at issue contained a broadly worded exclusion providing that the policy “will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.” The court found that the exclusion squarely applied because the employees that changed the account information and sent the payments to the fraudulent accounts had authority to enter the policyholder’s computer system.
The Ninth Circuit’s decision is another reminder that policyholders should carefully consider whether their existing coverage would protect against losses from social engineering schemes, which continue to rise in prevalence. While coverage may be available under insurers’ form policy language, many insurers also offer endorsements designed specifically to cover social engineering scheme losses. Regardless of the instrument used to convey the coverage, however, careful drafting of the language used is critical to ensure that the broadest scope of coverage is actually obtained.