It’s (approximately) the ides of National Cybersecurity Awareness Month. Yes, it’s a thing. A 15-year old thing. Appropriately, I spent last night at a cybersecurity seminar hosted by Citrin Cooperman (thanks, by the way). It sparked this first of a two-part blog post about the “voluntary parting” exclusion. Get your popcorn ready.
First, the scene. We’re at the Union League in Philadelphia. It’s kind of dark, because it’s always kind of dark in there. Everyone is wearing coats, because everyone has to wear coats there. Despite the lighting and formality (to which I should really be more accustomed in my 11th year as a lawyer), the panel is exceptional. An ethical hacker demonstrates the ease with which he can figure out all of our passwords using software that makes billions of guesses per second. A valuation expert explains the process of quantifying cyber incident losses. Of most interest to me, the general counsel of a sophisticated insurance brokerage offers specific claims insights (no names, of course).
Consistent with the narrative that many of us are hearing, she emphasizes that carriers are by and large responding quickly to, and paying, the majority of cyber claims. So, I ask: “Are there any exclusions that you are seeing create some deviation from that narrative, maybe exclusions that could be addressed during the front-end application process given the tailored nature of cyber policies?”
The answer was surprising. It’s not a cyber exclusion that’s creating some ‘friction.’ It’s a commercial crime exclusion that insureds may be surprised to see rear its head after what they are sure was a “cyber incident.” It’s the “voluntary parting” exclusion, and there is nothing sweet about its application.
Take, for example, Schmidt v. Travelers (S.D. Ohio 2015). Way back in 2012, in slightly more innocent days, a law firm receives an email from a new client in Japan (you know where this is going). The lawyer emails an engagement agreement. The client signs it and emails it back. The lawyer emails a demand letter to a would-be defendant using contact information provided by the client (via email). The defendant emails back, saying, ‘sure, we’ll pay you the $378,000 in two equal installments.’ The lawyer receives what appears to be a $189,000 cashier’s check from the defendant. The client emails the lawyer instructions to wire him $141,750, accounting for the lawyer’s 25% contingency fee. The lawyer wires the funds. And then finds out that the check was fraudulent.
The lawyer sought coverage under the Computer Fraud endorsement of his business owner’s insurance. That coverage applied to losses “resulting directly from the use of any computer to fraudulently cause a transfer of the property” to a third party. The fake client used a computer to fraudulently induce the lawyer to send him money. Square peg, square hole. Right?
The policy contained a “voluntary parting” exclusion. It excluded coverage for the “voluntary parting with any property by you or anyone else to whom you have entrusted the property.” The lawyer argued that the fake-client’s fraud precluded a finding that any of his conduct was “voluntary,” which is not exactly an off-the wall position. But the court rejected the argument and held that the lawyer voluntarily wired the funds, triggering the exclusion. The money was gone, and there was no insurance for the loss.
These email schemes are now commonplace. The level of sophistication is incredible. Cyber criminals are extraordinarily capable of making fraudulent emails look authentic. There are even increasing instances where criminals use both email and the telephone to perpetrate the fraud. Employee training is important, but as in so many other contexts, it is exceedingly difficult to keep up with the rapidly evolving nature of the threat. Risk transfer is essential.
Policyholders may be surprised to learn that not all cyberinsurance policies cover this type of loss, leaving insureds to rely on commercial crime and other similar coverages. Insureds must therefore be wary of “voluntary parting” and similar exclusions, or they must tailor their cyberinsurance to cover email-based fraud.
Tomorrow, I’ll tell you about American Tooling Center, Inc. v. Travelers (6th Cir. 2018). Spoiler – similar facts, opposite result.