Yesterday, I wrote about the application of the “voluntary parting” exclusion in Schmidts v. Travelers, a 2015 case out of the Southern District of Ohio. If you couldn’t tell, I didn’t agree with the result.
The Sixth Circuit offered a more reasoned and more recent view of insurance coverage for email/wire scams in American Tooling Center, Inc. v. Travelers (July 13, 2018). An American manufacturer received an email purportedly from its Chinese subcontractor. The sub said that the next payment should be wired to a new bank account due to an ongoing audit. The company wired the money. The sub emailed again, saying there was a problem with the account and asking for a new wire to a different account. This happened four times. $834,000 later, the real sub started asking where its payment was…
The company sought coverage under its Wrap+ business insurance, which contained “computer fraud” coverage. It read: “The Company will pay the Insured for the Insured’s direct loss of…Money…directly caused by Computer Fraud.” The policy defined “computer fraud” as the “use of any computer to fraudulently cause a transfer of Money…”.
Travelers denied the claim, making two arguments relevant to our humble two-part miniseries.
First, Travelers argued that this wasn’t computer fraud because the policy “requires a computer to fraudulently cause the transfer. It is not sufficient to simply use a computer and have a transfer that is fraudulent.” Basically, Travelers believed that, to trigger coverage, the policy required the malicious actor to gain access to or control an insured’s computer to cause a fraudulent wire (as is the case in some cyberinsurance policies). Only, the policy didn’t say that. It said “use of any computer to fraudulently cause a transfer of Money.” The fake sub used a computer to email fraudulent wiring instructions, which fraudulently caused the company to wire money into the infinite abyss. The Sixth Circuit enforced the policy’s clear language, and held that the claim was a covered computer fraud loss.
Travelers also argued that the policy’s “voluntary parting” exclusion applied. This one read a little differently from the exclusion in Schmidts, stating: “This Crime Policy will not apply to loss resulting directly or indirectly from the giving or surrendering of Money…in exchange or purchase, whether or not fraudulent, with any other party not in collusion with an Employee.” Travelers argued that the insured surrendered the payments (read: voluntarily parted with its cash) for goods it had bought from the sub, thereby triggering the exclusion. The company argued, somewhat like the insured in Schmidts who contended that its payment wasn’t “voluntary” because it was induced by fraud, that it didn’t make the payment in exchange for anything. It was fraudulently induced to pay an impersonator for nothing. The Sixth Circuit agreed and refused to apply the exclusion.
So, businesses need coverage for email fraud. If you’re going to rely on commercial crime or similar non-cyber coverage, make sure to say so during the application process. If you intend to rely on your cyberinsurance, make sure you select or tailor your coverage appropriately. The coverage is available in cyber lines (as I wrote here), but it isn’t in every cyberinsurance policy. And if you’re an underwriter or broker familiar with cyber lines incorporating coverage for email/wire fraud scams, let me know and I’ll links to samples on my resources page.