Cyber Insurance Found to Cover Fraudulent Wire Transfer
Note: This post was originally posted in our Southeast Financial Litigation Monitor.
The story is becoming all too common. A merchant (or consumer) is convinced to wire money to a fraudulent account because of an incorrect belief that they are wiring the money to the real party. A common example is a fraudster convincing a purchaser of a home to wire money in the mistaken belief that they are wiring the money to a closing attorney or agent. Another common example is a fraudster convincing a company to wire money in the mistaken belief that they are paying a valid vendor. These transactions can involve millions of dollars and it is rare that the money can be recovered after it is sent.
Can insurance cover these losses? Recently the Eleventh Circuit decided Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., 944 F.3d 886, (11th Cir. Dec. 9, 2019). There, the insured employer filed an action against insurer, seeking coverage for a wire transfer of funds made by insured’s employee to scammers. The employer claimed coverage under the “fraudulent instruction” provision of its commercial crime insurance policy, and asserted bad faith.
The loss stemmed from a sophisticated phishing scheme in which a scammer posing as an executive of Principle Solutions Group, LLC, persuaded the company’s controller to wire money to a foreign bank account, leading to the loss of $1.7 million dollars. The controller received an email, allegedly from a managing director, informing her that he had been “secretly working on a ‘key acquisition’ and asking her to wire the money… as soon as possible” and directing her to speak with “attorney Mark Leach” who would give her further instructions. Further, because the purported deal was not public, she was to treat the matter with “u[t]most discretion” and “deal solely” with this attorney. Next, she received an email and a call purporting to be from this attorney, which provided wiring instructions. Later, Principle’s bank demanded verification, which the controller confirmed. The controller realized the fraud the next day when she spoke with the managing director. but neither the company nor law enforcement able to recover the funds.
The policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.” The insurer denied coverage and argued that the scammer’s communications with the employee did not meet the conditions for a fraudulent instruction under the policy and that the loss did not result directly from the fraudulent instruction.
The Eleventh Circuit found coverage and held that the transfer of funds involved loss from a “fraudulent instruction directing a financial institution to transfer funds.” The court noted that the policy defines a “fraudulent instruction” as an “electronic or written instruction initially received by [Principle], which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [Principle’s] or the employee’s knowledge or consent.” The court rejected the argument that the two emails did not constitute an instruction when read together.
The court also rejected the insurer’s argument that the loss did not result “directly” from the fraudulent instructions because it was not an “immediate” link. Instead, the court determined that “resulted directly from” meant “proximately caused” and determined that the policy was satisfied. The majority expressly rejected the argument that the employee should have done more to prevent the fraud (and therefore proximate cause should have been a jury question). The majority held that “the relevant question is whether [the controller’s] failure to verify the transfer in the ways the dissent suggests was foreseeable. And that failure was foreseeable: the scammers set up a system designed to prevent [the controller] from verifying the request, which means that they foresaw [the controller’s] failure.” Therefore “[n]o unforeseeable cause intervened between  purported email and Principle’s loss.”
The lessons from this case are many. First, you should review your insurance policies to determine if you would have coverage from such an event. Second, you should institute two-factor confirmation in wire and ACH transactions. Third, you should train your financial employees regarding such fraud. For instance, a best practice would be to pick up the phone (using a phone number independently obtained and not from the originating email) to verify wiring instructions above a certain threshold. Finally, if you discover you have been the victim of a fraudulent wiring instruction, immediately file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx. They can help to quickly investigate and in some cases, if detected quickly enough, they can sometimes (but not always) recover the lost funds or a portion thereof.