E-Mail Phishing Scam: Coverage For
Joshua Mooney has authored: The Coverage Opinions article “E-Mail Phishing Scam: Coverage For “Social Engineering.” To access the publication, please go to Coverage Opinions.
With the possible exception of ransomware, the largest source of cyber loss for insurance carriers is the phishing-driven wire fraud commonly known as business email compromise (BEC), in which an insured is tricked into wiring money to a bank account controlled by a criminal organization. Some losses are seven figures; others are death by a thousand cuts. During the last two years, many courts have found Computer Fraud coverage for such losses, in somewhat complex and sometimes head-scratching decisions.
Friday’s decision in Mississippi Silicon Holdings v. Axis Ins. Co., 2020 U.S. Dist. LEXIS 29967 (N.D. Miss. Feb. 21, 2020) marks some significant departures from current trends. While coverage was owed under a policy’s Social Engineering coverage part, the Mississippi federal court held that a loss from mis-wiring $1 million to a fraudulent bank account did not implicate Computer Transfer Fraud or Funds Transfer Fraud coverage. The court’s decision departs from more recent decisions involving the meaning of “direct” causation, and broadens the dispositive effect of language in the insurance provisions relating to the insured’s knowledge and consent of the wire transfers. The decision also breathes new life into the split among U.S. Courts of Appeals on the scope of insurance coverage in connection with BECs.
The insured, Mississippi Silicon Holdings (MSH), manufactured silicon metal using carbon electrodes as part of its manufacturing process. MSH purchased its electrodes from a Russian supplier, Energoprom. Miss. Silicon, 2020 U.S. Dist. LEXIS 29967 at *1. In October 2017, MSH’s Vice President of Finance and Chief Financial Officer (the CFO) exchanged emails with Olga Rozina, an Energoprom employee, regarding purchases and invoices that had come due. On October 23, the CFO received an email listing “Olga Rozina” in the “from” line and enclosing an attachment listing new bank information to which payments were to be wired. The email further stated that “MSH should send its payments to the new bank account, which was Energoprom’s agent collector’s account, ‘due to issues [Energoprom was] having with [its] account.’” Id. at *1-2.
Pursuant to the request, MSH wired $250,000 to that account. The process involved a three-person verification. The CFO electronically logged into MSH’s transfer account with its bank and initiated the wire transfer. Id. at *2. Thereafter, a second MSH employee logged into MSH’s account and confirmed the transfer. Following this authorization, a bank representative telephoned a third employee, MSH’s Plant Manager, who verbally authorized the transfer. Id. at *2-3. Almost one month later, the imposter Rozina contacted the CFO again inquiring about the payment of two additional invoices in the amount of $775,851. The CFO initiated another wire transfer involving the same three-person verification process. Id. at *4. The fraud was discovered when Energoprom inquired about receiving payment for the outstanding invoices. Id.
MSH sought coverage under its Privatus Platinum Insurance Policy, which provides coverage for Social Engineering Fraud ($100,000 policy limit), Computer Transfer Fraud ($1 million policy limit), and Funds Transfer Fraud ($1 million policy limit). Id. at *4-5.
The Social Engineering Fraud insuring agreement covered:
The Insurer will pay for loss of Money or Securities resulting directly from the transfer, payment, or delivery of Money or
Securities from the Premises or a Transfer Account to a person, place, or account beyond the Insured Entity’s control by:
a. an Employee acting in good faith reliance upon a telephone, written, or electronic instruction that purported to be a Transfer Instruction but, in fact, was not issued by a Client, Employee or Vendor; or
b. a Financial Institution as instructed by an Employee acting in good faith reliance upon a telephone, written, or electronic instruction that purported to be a Transfer Instruction but, in fact, was not issued by a Client, Employee or Vendor.
The insurer concluded that coverage existed under the Social Engineering provision, but denied coverage under the Computer Transfer Fraud and Funds Transfer Fraud coverages, each of which had significantly higher limits. Id. MSH disagreed, and coverage litigation ensued.
The policy’s Computer Transfer Fraud insuring agreement, similar to Computer Fraud insuring agreements in many policies, provided coverage for:
The Insurer will pay for loss of or loss from damage to Covered Property resulting directly from Computer Transfer Fraud that causes the transfer, payment, or delivery of Covered Property from the Premises or Transfer Account to a person, place, or account beyond the Insured Entity’s control, without the Insured Entity’s knowledge or consent. (emphasis added).
The policy defined Computer Transfer Fraud as “the fraudulent entry of Information into or the fraudulent alteration of any Information within a Computer System.” Id. at *13.
The insurer argued that the underlying claim did not satisfy the insuring agreement’s causation requirement – “resulting directly from” – maintaining that “nothing ‘entered’ into or ‘altered’ within [MSH’s] Computer System (here the [MSH] email system) directly caused the transfer of any Money”; instead, the CFO, working in conjunction with two other employees, had caused the transfer of the Money. Id. at *13-14. Thus, because the fraudulent email itself had not manipulated MSH’s computer system, but had only requested that MSH’s employees undertake an affirmative action, a “Computer Transfer Fraud” did not directly cause the transfers. Id. at *14. In other words, the employees’ affirmative actions were intervening events that broke the causal connection between the fraudulent email and the loss, rendering the Computer Transfer Fraud coverage inapplicable. MSH, on the other hand, argued that the fraudulent email, which ultimately caused the CFO to act and commenced the chain of events, was sufficient to trigger coverage. Id.
The court disagreed with MSH and determined that there was no direct causation to satisfy the insuring agreement for Computer Transfer Fraud coverage. Looking to the plain and ordinary meaning of “direct,” as defined by dictionaries including Black’s Law Dictionary, the court held that the word required an “immediate” causation, a standard more stringent than proximate causation. The court explained: “The Court finds it undeniable that the [original] October 23 email set in motion a series of events which ultimately led to the loss. It is also clear that the emails from [the imposter] ‘Olga Rozina’ did not themselves manipulate MSH’s system and automatically transfer the funds. Rather, the emails requested that MSH engage in affirmative conduct, particularly, initiating a transfer to the [imposter’s bank] account listed on the attachment.”
Critically, the court acknowledged MSH’s contention that the fraudulent email may have proximately caused the loss, but concluded that in any event the policy’s language would not allow coverage under such a determination: “While the Court recognizes and appreciates MSH’s argument in favor of a ‘proximate cause’ standard, it cannot be ignored that the provision itself specifically requires that the fraudulent act directly cause the loss. And it further cannot be ignored that MSH’s employees, not the fraudulent emails themselves, actually initiated the transfer. If a proximate cause standard or some other more expansive coverage was intended, that language undoubtedly could have been included in the Policy. However, it was not.” Id. at *15-16 (emphasis in original).
Because the fraudulent email had not manipulated MSH’s computer system to ‘automatically transfer the funds,’ the events did not implicate coverage under the insuring agreement.
The court went on to explain that even if direct causation did exist, coverage still would not exist because of the “without the Insured Entity’s knowledge or consent” clause in the insuring agreement. The insurer contended that this requirement was not satisfied because three separate MSH employees had knowledge of, and explicitly authorized, the wire transfers, thereby precluding coverage. The insurer argued that: “… the inclusion of the ‘without the Insured Entity’s knowledge or consent’ language, clearly establishes that there is no coverage ‘where an insured knowingly wires money to another (later determined to be [a] fraudster). Rather, in order for a loss to be covered under this insuring agreement, the fraudster must cause the transfer of currency, through a hack, and without the insured being aware.” Id. at *17.
The court agreed, concluding that the employees’ knowledge and authorization of the wire transfers on the insured’s behalf precluded coverage: “In the Court’s view, the inclusion of the ‘knowledge or consent’ requirement is telling as to the coverage that was intended. Had the provision been intended to cover losses which were specifically authorized by MSH’s employees acting in reliance upon false or fraudulent information, the ‘without the Insured Entity’s knowledge or consent’ language could have been omitted altogether. The inescapable fact, however, is that the ‘without the Insured Entity’s knowledge or consent’ language is included in the provision, and coverage therefore clearly and unambiguously only applies for losses that occur without MSH’s knowledge or consent.” Id. at *19. In other words, the ‘knowledge or consent’ clause precluded coverage for mis-wiring funds by artifice or trickery.
The court also looked to the coverage under the social engineering agreement to further bolster its conclusion that the ‘knowledge or consent’ clause precluded coverage for loss by trickery. Noting that coverage under the Social Engineering Fraud provision did not preclude coverage elsewhere under the policy, it also noted that the provision provided guidance when interpreting the Computer Transfer Fraud provision. Id. at *19-20. “Had the Computer Transfer Fraud provision been intended to cover a loss occurring when a funds transfer was effectuated by an employee acting in good faith reliance upon an electronic instruction which was ultimately determined to be fraudulent (exactly what occurred in this case), the same language used in the Social Engineering Fraud provision could have been incorporated into the Computer Transfer Fraud provision.” Id. at *20.
Because it was not, the court would not read trickery into an exception to the coverage provision’s restriction: “Ultimately, at least three MSH employees had knowledge of, and specifically authorized, the transfers. MSH cannot escape that reality, and its attempts to invoke coverage despite its employees’ undisputed knowledge and explicit authorization of the transfers bends the language of the Computer Transfer Fraud provision beyond the breaking point.” Id. at *21.
Finally, the court determined that the underlying phishing scam did not implicate the Funds Transfer Fraud coverage. The provision covered: “The insurer will pay for loss of Money or Securities resulting directly from the transfer of Money or Securities from a Transfer Account to a person, place, or account beyond the Insured Entity’s control, by a Financial Institution that relied upon a written, electronic, telegraphic, cable, or teletype instruction that purported to be a Transfer Instruction but, in fact, was issued without the Insured Entity’s knowledge or consent.” Id. at *21-22 (emphasis added).
Again, the court held that the “without the Insured Entity’s knowledge or consent” requirement was not met: “However, the impediment to coverage is that the transfer instruction upon which Trustmark Bank relied in order to complete the transfer was not ‘actually . . . issued without the Insured Entity’s knowledge or consent.’ … The undisputed evidence establishes that all three [MSH] employees, acting independently of each other, authorized Trustmark Bank to complete the transfers.” Id. at *23.
The court also rejected the contention that its reading of the “knowledge or consent” requirement rendered the Computer Transfer Fraud and Funds Transfer Fraud coverages superfluous, explaining: “While the coverage afforded under the Funds Transfer Fraud provision is similar, that provision requires that the loss involve a financial institution’s reliance on an instruction by the insured which was actually issued without the insured’s knowledge or consent. The Computer Transfer Fraud provision would apply when the insured’s system is manipulated without the insured’s knowledge and effectuates a transfer, while the Funds Transfer Fraud provision is only applicable when the financial institution relies upon an instruction from the insured which was ultimately not provided by the insured.” Id. at *24-25.
What this case means:
There is a lot to digest here, not the least of which is the court’s discussion of the Computer Transfer Fraud’s direct causation requirement. The recent trend among court decisions has been to hold the direct causation requirement satisfied where a fraudulent email triggered a chain of unbroken events that resulted in the wire transfer of funds to an account controlled by cyber criminals. E.g., American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455, 461-62 (6th Cir. 2018) (“here the impersonator sent ATC fraudulent emails using a computer and these emails fraudulently caused ATC to transfer the money to the impersonator”).
The Mississippi Silicon court looked beyond the mere use of email, citing with approval the reasoning of Apache Corp. v. Great Amer. Ins. Co., 662 Fed. App’x 252, 258 (5th Cir. 2016). There, the court held that the use of email was incidental to the loss resulting from a BEC, concluding that “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.” Id. Recent decisions in the Second and Sixth Circuits appeared to eschew such reasoning; Mississippi Silicon brings it back to the forefront.
Even the Second Circuit’s interpretation of the effect of the embedded script in Medidata Sols., Inc. v. Fed. Ins. Co., 729 Fed. App’x 117, 119 (2d Cir. 2018) is contradicted here. Medidata held (I believe mistakenly) that the integrity of the insured’s email system had been compromised by the use of a script in the fraudulent email that caused the spoofed sender to be displayed. Mississippi Silicon requires more, holding that short of showing that the email both “manipulate[d] MSH’s system and automatically transfer[red] the funds,” the insuring agreement’s causal requirement is not satisfied. Given the amount of money at issue, it seems likely that the Fifth Circuit will review this case on appeal.
From a cybersecurity standpoint, this case offers another observation. The insured had a process whereby three separate employees had to approve a wire transfer that exceeded $100,000 in value, and that process was followed for both fraudulent wires. Nowhere in that process, however, was there any requirement that, upon a change of banking information, the vendor itself be contacted using pre-existing contact information rather than the details supplied in the change request. Multi-person approval only confirms that the insured intends to send the money; it does nothing to confirm that the destination is legitimate. A single phone call to Energoprom at a number already on file would have revealed the fraud and prevented the insured from wiring $1 million to a fraudulent account.
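The following is an added example, not code from the article or from any party to the case, showing how the missing control can be encoded as a pre-release check on outbound wires. It assumes a vendor master record holding the bank account and phone number captured at onboarding, an approval list, and a log of callback verifications; a wire to an account that differs from the vendor master is blocked unless a callback to the pre-existing number confirmed the change. All vendor, account and phone values below are constructed for the example.

```python
"""
Pre-release check for outbound wire transfers (added example).

The point demonstrated: multi-person approval is necessary but not
sufficient. A change of beneficiary bank details must be verified
out of band, by calling the vendor on a number that was on file
*before* the change request arrived, never on a number supplied in
the request itself.
"""
from dataclasses import dataclass, field


@dataclass
class VendorRecord:
    name: str
    account: str          # bank account currently in the vendor master
    phone_on_file: str    # contact number recorded at onboarding


@dataclass
class CallbackVerification:
    vendor: str
    new_account: str      # account the vendor confirmed on the call
    number_dialed: str    # number the verifier actually called
    confirmed: bool


@dataclass
class WireRequest:
    vendor: str
    amount: float
    beneficiary_account: str
    approvers: list = field(default_factory=list)


def check_wire(req, vendors, callbacks, min_approvers=3):
    """Return (allowed, reasons). An empty reasons list means release."""
    reasons = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["unknown vendor"]
    if len(set(req.approvers)) < min_approvers:
        reasons.append(f"needs {min_approvers} distinct approvers")
    if req.beneficiary_account != vendor.account:
        # Bank details differ from the master record: require a callback
        # to the number already on file that confirmed this exact account.
        verified = any(
            c.vendor == req.vendor
            and c.new_account == req.beneficiary_account
            and c.number_dialed == vendor.phone_on_file
            and c.confirmed
            for c in callbacks
        )
        if not verified:
            reasons.append("beneficiary differs from vendor master and no "
                           "callback to the number on file confirmed it")
    return not reasons, reasons


# Constructed sample data (hypothetical values, not from the case record).
VENDORS = {
    "Energoprom": VendorRecord("Energoprom", "ACCT-OLD-0001", "+1-555-0100"),
}
APPROVERS = ["cfo", "controller", "plant_manager"]


def run_scenarios():
    """Evaluate the same $250,000 wire under three verification states."""
    wire = WireRequest("Energoprom", 250_000.0, "ACCT-NEW-9999", APPROVERS)
    # 1. Three approvals, but nobody called the vendor: blocked.
    no_callback = check_wire(wire, VENDORS, [])
    # 2. Someone "verified" by calling the number printed in the email
    #    attachment, which the attacker controls: still blocked.
    attacker_number = CallbackVerification(
        "Energoprom", "ACCT-NEW-9999", "+1-555-0199", confirmed=True)
    wrong_number = check_wire(wire, VENDORS, [attacker_number])
    # 3. Callback to the pre-existing number on file confirms the change.
    on_file = CallbackVerification(
        "Energoprom", "ACCT-NEW-9999", "+1-555-0100", confirmed=True)
    verified = check_wire(wire, VENDORS, [on_file])
    # 4. Unchanged beneficiary but only two approvers: blocked.
    routine = WireRequest("Energoprom", 250_000.0, "ACCT-OLD-0001",
                          ["cfo", "controller"])
    short_approval = check_wire(routine, VENDORS, [])
    return {
        "no_callback": no_callback,
        "wrong_number": wrong_number,
        "verified": verified,
        "short_approval": short_approval,
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in run_scenarios().items():
        print(f"{name}: {'RELEASE' if allowed else 'BLOCK'} {reasons}")
```

The check deliberately compares the dialed number against the vendor master rather than accepting any logged callback, because the attacker who wrote the change request also chooses the phone number printed on it; scenario 2 models exactly that failure mode.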