Social engineering attacks, particularly fraudulent transfers, are becoming one of the most utilized cyber scams. As a result, there has been a flurry of litigation, and a patchwork of decisions, concerning coverage disputes over social engineering losses. Most recently, the United States District Court for the Eastern District of Virginia found, in Midlothian Enterprises, Inc. v. Owners Insurance Company, that a so-called “voluntary parting” exclusion provision in a crime policy should exclude coverage for a fraudulent transfer social engineering scheme. The decision illustrates why policyholders must vigilantly analyze their insurance policies to ensure that their coverages keep pace with what has proven to be a rapidly evolving risk landscape.
Midlothian Enterprises (“Midlothian”) sought coverage for a cyber incident that occurred when a fraudster, impersonating Midlothian’s president, emailed a Midlothian employee asking her to wire thousands of dollars from Midlothian’s bank account to a bank account in Alabama. As is all too common in these instances, Midlothian did not discover that a fraudster sent the email until after the employee wired the money.
Midlothian sought coverage under its Owners Insurance Company crime policy. The insurer denied coverage, citing the voluntary parting exclusion, which purports to bar coverage for “loss resulting from your, or anyone acting on your express or implied authority, being induced by any dishonest act to voluntarily part with title to or possession of any property.” Midlothian challenged the denial, arguing that the transfer was not voluntary because the employee was a victim of fraud, could not be deemed to have consented or voluntarily parted with the funds, and was not acting on express or implied authority because the president did not authorize the transaction. The court sided with the insurer and held that the “fact that another individual pretended to authorize the transaction does not negate the voluntariness of the transfer or the authority [the employee] had to make these types of transactions,” and concluded that the voluntary parting exclusion was “not ambiguous.”
The court also rejected Midlothian’s argument that the policy’s forgery or alteration endorsement provided coverage for the fraudulent transfer. The forgery or alteration endorsement covered loss for “Covered Instruments resulting directly from Covered Causes of Loss.” Covered Instruments were defined as “checks, drafts, promissory notes, or similar written promises, orders or directions to pay a sum certain in ‘money’ that are: (a) made or drawn by or drawn upon you; (b) made or drawn by one acting as your agent; or that are purported to have been so made or drawn.” The parties disagreed about whether the email from the fraudster directing the employee to wire funds to the fraudulent account constituted “an order or directions” to pay money under the forgery or alteration endorsement. Midlothian argued it did, but Owners argued that “orders or directions to pay,” under the endorsement, must be similar to a covered instrument, and the fraudulent email was not similar to a check, draft, or promissory note. Ultimately, the court agreed with Owners and concluded that the fraudulent transfer was not covered under the forgery or alteration endorsement because the fraudulent email was not a Covered Instrument.
The Midlothian Enterprises case underscores the need for policyholders to review their insurance policies to make sure they have adequate coverage in place to protect against cyber losses. While some traditional insurance policies may offer some protection, most insurers have incorporated exclusions in traditional policies that preclude coverage for cyber-related losses. A critical review by experienced coverage counsel can help spot and remedy deficient or outdated coverage provisions that might be implicated by rapidly evolving social engineering schemes.