<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ludwig &#38; Robinson PLLC &#187; Cyber Insurance</title>
	<atom:link href="https://www.ludwigrobinson.com/blog/?feed=rss2&#038;tag=cyber-insurance" rel="self" type="application/rss+xml" />
	<link>https://www.ludwigrobinson.com/blog</link>
	<description>Blog</description>
	<lastBuildDate>Fri, 29 Jan 2021 20:22:53 +0000</lastBuildDate>
	<language>en-US</language>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=3.8.41</generator>
	<item>
		<title>Conflicting Results in Recent Funds Transfer Coverage Cases in Virginia</title>
		<link>https://www.ludwigrobinson.com/blog/?p=198</link>
		<comments>https://www.ludwigrobinson.com/blog/?p=198#comments</comments>
		<pubDate>Mon, 29 Jun 2020 21:41:00 +0000</pubDate>
		<dc:creator><![CDATA[Ludwig & Robinson PLLC]]></dc:creator>
				<category><![CDATA[BANKING & FINANCE]]></category>
		<category><![CDATA[CORPORATE]]></category>
		<category><![CDATA[INSURANCE]]></category>
		<category><![CDATA[INTERNATIONAL]]></category>
		<category><![CDATA[LITIGATION]]></category>
		<category><![CDATA[Account Takeover]]></category>
		<category><![CDATA[ACH Fraud]]></category>
		<category><![CDATA[BEC]]></category>
		<category><![CDATA[Business Email Compromise]]></category>
		<category><![CDATA[Computer Fraud]]></category>
		<category><![CDATA[Cyber Insurance]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Funds Transfer Fraud]]></category>
		<category><![CDATA[Insurance Coverage]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[UCC Article 4A]]></category>
		<category><![CDATA[Wire Transfer Fraud]]></category>

		<guid isPermaLink="false">http://www.ludwigrobinson.com/blog/?p=198</guid>
		<description><![CDATA[Three recent insurance coverage cases arising from fraudulent email/funds transfer schemes in the Eastern District of Virginia arrived at different results. In Midlothian Enter., Inc. v. Owners Ins. Co., 2020 U.S. Dist. LEXIS 30237 (E.D. Va. Feb. 5, 2020), hackers &#8230; <a href="https://www.ludwigrobinson.com/blog/?p=198">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>Three recent insurance coverage cases arising from fraudulent email/funds transfer schemes in the Eastern District of Virginia arrived at different results.</p>
<p>In <i>Midlothian Enter., Inc. v. Owners Ins. Co</i>., 2020 U.S. Dist. LEXIS 30237 (E.D. Va. Feb. 5, 2020), hackers obtained access to a business owner’s email and sent an employee a fraudulent email directing the employee to send a $42,000 wire. The insured sought coverage under policy endorsements for “money and securities” and “forgery or alteration.” The court held the first “does not cover a loss caused by an employee . . . voluntarily wiring money to another account due to a fraudulent email,” finding its “voluntary parting exclusion” applicable. <i>Id</i>. at *9-10. As to the latter, the court found “an email from a business owner telling an employee to wire money to a bank account does not have the same form or legal effect as a check, draft, or promissory note” and “does not constitute a ‘covered instrument’ under the explicit terms of the endorsement.” <i>Id</i>. at *11.</p>
<p>Weeks before, another judge found emails covered in <i>Quality Plus Services, Inc. v. Nat’l Union Fire Ins. Co</i>., 2020 U.S. Dist. LEXIS 7337 (E.D. Va. Jan. 15, 2020). There, an insured’s employee sent five wires totaling $1.6 million to overseas accounts based on fraudulent emails ostensibly from its CEO. The court held coverage otherwise existed under the policy’s Funds Transfer Fraud Provision, which covered “loss of Funds resulting directly from a Fraudulent Instruction directing a financial institution to transfer, pay or deliver Funds from the Insured’s Transfer Account.” <i>Id</i>. at *8. Though the emails were not payment orders (<i>i.e.</i>, under UCC Article 4A), the court appeared to find them covered under the policy’s partial definition of Fraudulent Instruction as “an electronic, computer . . . or written instruction initially received by the Insured” which was “fraudulently transmitted by someone else without the Insured’s or the Employee’s knowledge or consent,” and thus constituted an “Occurrence” or an “act or event” that “directly” causes the insured’s loss. <i>Id</i>. at *20. Applying a but-for test, the court concluded: “Without the emails, Quality Plus would not have suffered the losses.” <i>Id</i>. at *21. Ultimately, the court denied cross-motions for summary judgment, given fact disputes over (1) the location from which the fraudulent emails were sent, implicating the policy’s territory condition that was limited to the United States and Canada, and (2) the number of individuals who sent them, implicating the $1 million per Occurrence limit of liability. <i>Id</i>. at *22-28. The case then settled, weeks before trial.</p>
<p>Similarly, in <i>Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc</i>., 2019 U.S. Dist. LEXIS 220076 (E.D. Va. Dec. 20, 2019), an insured sent a wire transfer of $333,724.00 in response to an imposter’s email with fraudulent payment instructions for legitimate invoices. The commercial crime policy’s “Computer Fraud” provision covered “loss of . . . money . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises . . . [t]o a person . . . outside those premises.” <i>Id</i>. at *2-3. The court defined “directly” as “something that is done in a ‘straightforward’ or ‘proximate’ manner and ‘without deviation’ or ‘without intervening agency’ from its cause,” citing various dictionaries. <i>Id</i>. at *31. Relying primarily on <i>American Tooling Ctr., Inc. v. Travelers Cas. &amp; Sur. Co. of Am</i>., 895 F.3d 455 (6th Cir. 2018), and noting contrary appellate authority is unreported, the court concluded:</p>
<p>the Imposter here somehow learned of the [legitimate] invoices, created a false Internet domain to mimic [the] vendor, impersonated [the] vendor, learned about [the] balance due, and sent e-mail messages . . . with false payment information. Upon receiving that fraudulent e-mail, [the insured] immediately communicated with its bank through a series of e-mails to initiate a transfer by computer as requested. Since the wire transfer involved a loan requiring documentation, it continued in a straightforward and proximate manner, uninterrupted, until the money was wired to the Imposter.</p>
<p><i>Id</i>. at *32.</p>
<p>Each case involved different policy provisions, which may superficially explain the varying outcomes, but coverage results in email funds transfer claims continue to be unpredictable. The computer fraud and funds transfer fraud policies in <i>Norfolk Truck</i> and <i>Quality Plus</i> were not designed to cover fraudulent emails, but rather computer hacking or unauthorized payment orders from an insured to its bank. This essential point was lost in both cases, and unless it is more effectively developed and presented, similar results may be expected to continue.</p>
<p>For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.ludwigrobinson.com/blog/?feed=rss2&#038;p=198</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Banking Regulators Issue Joint Statement on Heightened Cybersecurity Risk</title>
		<link>https://www.ludwigrobinson.com/blog/?p=180</link>
		<comments>https://www.ludwigrobinson.com/blog/?p=180#comments</comments>
		<pubDate>Wed, 29 Jan 2020 22:35:31 +0000</pubDate>
		<dc:creator><![CDATA[Ludwig & Robinson PLLC]]></dc:creator>
				<category><![CDATA[BANKING & FINANCE]]></category>
		<category><![CDATA[CORPORATE]]></category>
		<category><![CDATA[INSURANCE]]></category>
		<category><![CDATA[INTERNATIONAL]]></category>
		<category><![CDATA[LITIGATION]]></category>
		<category><![CDATA[Business Continuity Plans]]></category>
		<category><![CDATA[Cyber Insurance]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Funds Transfer]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Multifactor Authentication]]></category>
		<category><![CDATA[OCC]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Salvatore Scanio]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[UCC Article 4A]]></category>

		<guid isPermaLink="false">http://www.ludwigrobinson.com/blog/?p=180</guid>
		<description><![CDATA[On January 16, 2020, the FDIC and OCC issued a joint statement (FDIC FIL-3-2020, OCC Bulletin 2020-5) to remind banks of sound cybersecurity risk management principles.  The statement observes, “Cyber actors often use malware to exploit weaknesses in a [bank’s] &#8230; <a href="https://www.ludwigrobinson.com/blog/?p=180">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>On January 16, 2020, the FDIC and OCC issued a joint statement (<a href="https://www.fdic.gov/news/news/financial/2020/fil20003.pdf" target="_blank">FDIC FIL-3-2020</a>, <a href="https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-5a.pdf" target="_blank">OCC Bulletin 2020-5</a>) to remind banks of sound cybersecurity risk management principles.  The statement observes, “Cyber actors often use malware to exploit weaknesses in a [bank’s] computers or networks. They often obtain access to financial institution systems and networks by compromising user credentials and introducing malware through social engineering [bank] employees and contractors with phishing or spear phishing attacks.”</p>
<p>The Joint Statement focuses on six key aspects of cybersecurity risk management, which we summarize as follows:</p>
<p><b><i>Response, Resilience, and Recovery Capabilities.  </i></b>Maintain comprehensive, documented, and current incident and business resilience plans that include responding to and recovering from a destructive cyber attack.  One consideration is the use of cyber insurance as part of a broader risk management strategy.</p>
<p><b><i>Identity and Access Management.  </i></b>Use and validate the effectiveness of authentication controls, such as multifactor authentication, to segment and safeguard access to critical systems and data on the network.</p>
<p><b><i>Network Configuration and System Hardening.  </i></b>Review the appropriateness of default system settings, change default user profiles, configure security settings, implement security monitoring tools, and apply security updates and system patches.</p>
<p><b><i>Employee Training.  </i></b>Provide ongoing employee training on recognizing cyber threats, phishing, and suspicious links.</p>
<p><b><i>Security Tools and Monitoring.  </i></b>Use qualified cybersecurity staff or a provider to actively monitor systems for network threat and vulnerability information available from industry sources.</p>
<p><b><i>Data Protection.  </i></b>Maintain a data classification program to identify sensitive and critical data.  Encrypt or tokenize sensitive and critical data in transit and at rest.</p>
<p>The Joint Statement is the latest in a growing line of cybersecurity regulations applicable to banks.  For a discussion of relevant guidelines, see L&amp;R’s latest article, Robert W. Ludwig, Salvatore Scanio, and Joseph Szary, <i>Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties</i>, Am. Bar Ass’n, Tort Trial &amp; Insurance Practice Section, Fidelity and Surety Law 2020 Midwinter Conference, Jan. 31, 2020, at 25-30.</p>
<p>Like other banking agency guidelines, the Joint Statement also expands the guideposts for evaluating whether bank security procedures are commercially reasonable under UCC Article 4A. <i>See, e.g.,</i> <i>Patco Constr. Co., Inc. v. People’s United Bank,</i> 684 F.3d 197, 201-04 (1<sup>st</sup> Cir. 2012).</p>
<p>For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.ludwigrobinson.com/blog/?feed=rss2&#038;p=180</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
