The Eastern District of Pennsylvania recently gave another reminder why cyber insurance should be part of any comprehensive insurance portfolio. In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded over $1 million.
Construction Financial Administrative Services, which goes by CFAS, disburses funds to contractors. One of its clients, SWF Constructors, was hacked, and a bad actor posing as the client asked CFAS to distribute $600,000 to a sham third party. John Follmer, an executive at CFAS and the only person authorized to approve distribution of funds, approved it. The next day, the bad actor, again posing as the client, asked Follmer to transfer an additional $700,000. Follmer approved that distribution too.
Although Follmer approved both distributions, he did not follow the proper protocol for doing so. The third party was not listed in the approved budget; CFAS never received a copy of an agreement between the client and the third party; CFAS never received a disbursement voucher for the payment; CFAS never received a waiver from the client; and CFAS never received the additional information it needed to account for the disbursement. Even so, Follmer approved the payment.
After the fraud was discovered, CFAS tried to recover the funds it had been tricked into giving up, but it was too late. It recovered only $120,000 of the $1,300,000 it lost.
CFAS filed a claim under its errors and omissions policy—presumably because it did not have separate cyber coverage. Some non-cyber policies include “silent cyber coverage,” which is coverage not primarily intended to cover cyber losses, but which nonetheless applies to cyber-related losses based on broadly worded insuring agreements. Federal, CFAS’s insurer, attempted to exclude that sort of silent cyber coverage by including an unauthorized access exclusion in its policy. That exclusion bars claims “based upon, arising from or in consequence of any unauthorized or exceeded authorized access to, use of or alteration of, any computer program, software, computer, computer system.”
CFAS, in an apparent attempt to avoid that exclusion, did not make a claim for silent cyber coverage; in fact, it did not attempt to claim losses based on the bad actor’s actions at all. Instead, CFAS claimed that its losses were covered because Follmer had acted negligently by making the disbursements without collecting all of the necessary information. Although creative, that argument ultimately failed.
The court ruled that CFAS could not escape the broad language of the exclusion—eliminating coverage for all losses “in consequence of any . . . unauthorized access to . . . computers”—by rebranding the loss as arising from negligence. Under the law of North Carolina, which controlled, so long as the loss “follows as an effect of” the bad actor’s unauthorized access, it was “in consequence of” the unauthorized access and was therefore excluded.
Construction Financial Administration Services serves as a reminder to policyholders to ensure that proper, comprehensive insurance coverage is in place to cover all reasonably anticipated risks of loss. In today’s technology-dependent society, that must include robust cyber protection. Although some policies have traditionally provided “silent cyber coverage,” new, broad exclusions are being introduced to curtail such coverage, making it all the more important for businesses to ensure that their insurance portfolio specifically targets cyber risks.