A New Peril in Cyberspace

Have you ever heard of “business email compromise” or “CEO fraud”?  Well read carefully because this is becoming a claim reported with increasing frequency.

A CFO or other financial officer in a company receives an email from the CEO indicating that the CFO will receive a call from a specified person giving him instruction to transfer monies on a strategically significant and highly confidential business transaction.  Shortly, the specified person calls the CFO and instructs him to transfer several hundred thousand dollars to a bank in China for earnest money on a business deal.  The CFO makes the transfer but later becomes suspicious of the email only to discover that the email was fraudulent.  The company has a $1 million crime insurance policy which covers employee theft, computer and funds transfer fraud.  Are they covered?

The ISO Commercial Crime Coverage under the Insuring Agreement for Employee Theft pays for the loss or damage to “money” resulting from “theft” committed by an “employee.”  “Theft” is defined as “the unlawful taking of property to the deprivation of the insured.” In this case the CFO, employee, did nothing unlawful.  He initiated a funds transfer under the specific instruction by an email apparently sent from his CEO.  A criminal taking has occurred, but not by the employee.  It is, therefore, unlikely that coverage could be found under this insuring agreement.

The company also has coverage on their ISO Commercial Crime policy for Computer and Funds Transfer Fraud.  This coverage is a combination of two previously separate insuring agreements.  Section (1) of this insuring agreement covers direct loss from fraudulent entry or changes of electronic data or computer programs from within the Named Insured’s owned, leased or operated computer systems.  Provided the direct loss results in the transfer of money or other property or causes an account at a financial institution to be debited or deleted.  In this scenario, it is not entry or change to the Named Insured’s computer system that causes the money to be transferred.

Section (2) of the Computer and Funds Transfer Fraud Coverage pays for direct loss resulting from a “fraudulent instruction” directing a financial institution to transfer money.  A “fraudulent instruction” is defined to be a computer, fax, telephone, other electronic or written instruction which purports to be issued by the Named Insured directing the financial institution to transfer the money.  In plain English, a fraudulent instruction is a communication with the financial institution which is fraudulent, i.e., purporting to be from an authorized person but, in fact, is not.  In this scenario, the fraud is between the sender of the email and the CFO.  The CFO’s instruction to the financial institution to transfer the money is an authorized transaction.

It is unlikely that the facts in this case would fall within the scope of the Computer and Funds Transfer Insuring Agreement.  Actual filed claims with similar facts have been denied in several cases.  Thankfully, there is now an endorsement that can provide coverage in a fraudulent email impersonation situation.

Fraudulent Impersonation (CR 04 17 11 15) became available in November 2015.  This endorsement supplements the Employee Theft Insurance Agreement by paying for direct loss when the Named Insured transfers money, securities or other property, in good faith, relying upon a “transfer instruction” purportedly issued by an employee including officers, directors and trustees, if the “transfer instruction” proves to be fraudulently issued by an imposter without the knowledge or consent of an otherwise covered person.  It can also cover transfers purportedly issued by a “customer” or “vendor” which proves to be issued by an imposter without the knowledge or consent of the “customer” or “vendor.”

While there are not additional exclusions included in this extension of the Employee Theft Coverage, there are some additional conditions and definitions.  The principle additional condition involves a verification process.  There are three options for verification which apply to the coverage for “employees” and/or “customers/vendors.”  Option A requires verification for all “transfer instructions”.  Option B required verification of all “transfer instructions” in excess of a specified dollar amount.  And, Option C does not require verification of a “transfer instruction”.  It is hard to imagine an underwriting situation where the insurer would not want some form of verification.  However, if there is a high volume of small dollar transfers, Option B could be helpful in allowing the Named Insured to self insured transfers below a specific dollar threshold.

The potential for this type of loss can be reduced, if not prevented, with a consistent verification process.  Just pick up the phone and call the person from whom you received the email instructing the transfer and verify before the bank is called.

Just remember data breach is a cyber exposure.  However not all cyber exposures are data breaches.  Some are old fashion theft of money or property using the internet rather than a gun or crowbar.

Want to learn more? Don’t miss Stuart’s webinar on April 20th: “Don’t Get Derailed by a Data Breach” – Click here to register now!