
ELECTRONIC CRIME THROUGH COMPUTER FRAUD OR SOCIAL ENGINEERING:

TWO SEPARATE PATHS, AND NEVER THE TWO SHALL MEET

THIRTIETH ANNUAL NORTHEAST SURETY AND FIDELITY CLAIMS CONFERENCE

SEPTEMBER 18th - 20th, 2019

PRESENTED BY:

TONI SCOTT REED
Clark Hill Strasburger
901 Main Street, Suite 6000
Dallas, Texas 75202


I. Introduction

For a number of years now, the hottest thing going in claims is cybercrime. Cybercrime is in the news. Cybercrime is a topic of great concern within the federal government. Cybercrime dominates the risk of loss for all kinds of businesses. And cybercrime continues to grow and to spread. The statistics tell the story.

How long will we continue to talk about cybercrime? There appears to be no end in sight. There is no sign that the criminals will slow down in their efforts to disrupt business, steal money and property, and commit data breaches.

Every aspect of business now revolves around technology and the cyber world. Every industry, profession, and business is dependent upon the use of computers, electronic communications, electronic transactions, and various cyber activity. These high-tech methods of communication and operation dominate day-to-day operations for all companies, from large to small and from high tech to primitive. The use of technology permeates every aspect of life for business and its various consumers. The fact that technology and cyber operations are central to modern business means only one thing: someone will look for ways to steal, damage, or interrupt that cyber world for his or her own financial benefit or other purpose.

It is clear from every type of business publication that the sheer scale of loss and damage resulting from cyber-attacks continues to grow. When we refer to cybercrime, we now refer not only to high-tech methods of hacking computer systems and stealing confidential data and information, but also to low-tech methods of tricking people into acting, based upon their receipt of an email or other communication.

Former FBI Director Robert Mueller is credited with a statement that the FBI and other governmental agencies often repeat to describe our world today (even years after the statement was first uttered): “there are only two types of companies: those that have been hacked and those that will be.”1 That statement remains true, but so does the statement that every business will likely be directly impacted by Social Engineering this year, or sometime soon.

II. What Exactly is Cybercrime?

The term “cybercrime” is discussed in many contexts and settings, and while there are many variations on its definition, most appear to be consistent with the dictionary definition of “crime conducted via the Internet or some other computer network.”2 Cybercrime can take many forms and can be accomplished through many different schemes. Cybercrime includes theft, fraud, misdirection of communication, identity theft, intellectual property theft, corporate espionage, system sabotage, data destruction, money laundering, and terrorism.3 Some of the main categories of threats from cybercrime include computer system intrusion for monetary or other benefit, manipulation of information or networks, data destruction, misuse of processing power, counterfeit items, or interception for espionage.4 Most often, these types of schemes are carried out by someone without authorized access to a computer system. For purposes of this analysis, our focus is on losses resulting directly from hacking and Social Engineering, so the article will pay particular attention to those two risks.

1 Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference in San Francisco (Mar. 1, 2012), http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies.
2 See Cybercrime Definition, OXFORD DICTIONARIES, http://www.oxforddictionaries.com/definition/english/cybercrime.
3 DELOITTE CENTER FOR SECURITY & PRIVACY SOLUTIONS, CYBER CRIME: A CLEAR AND PRESENT DANGER, COMBATING THE FASTEST GROWING CYBER SECURITY THREAT 15 (2010) [hereinafter DELOITTE CENTER], available at http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Deloitte%20Cyber%20Crime%20POV%20Jan252010.pdf.

A. Hacking

Hacking has been defined as “attempts to intentionally access or harm information assets without (or in excess of) authorization by thwarting logical security mechanisms.”5 Traditionally, hacking involves stealing commercially valuable data that can be sold or used for financial gain.6 Hacking can also be used to distort the functionality of a computer system, and to cause transactions to occur that were not a part of the initial programming or instructions.

For purposes of our analysis on coverage, the fidelity claim professional is typically focused on a hack that causes the transfer of Money from the insured’s possession to that of another third party, without the insured’s knowledge and consent, and without action of any kind by the insured.

B. Social Engineering

Social Engineering is generally defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.7 Another general description is the act of tricking someone into divulging information or taking action, usually through technology. The idea behind Social Engineering is to take advantage of a potential victim’s natural tendencies and emotional reactions. The concept is to play on the desire of the individual to be helpful, and to be good at their job, in order to convince them to act, without any real investigation or precautionary measures that might discover the fraud involved.

If you don’t think you are familiar with widespread Social Engineering claims, take a look at recent press.8 As one expert interviewed by Forbes put it: “Social Engineering in general isn’t about how smart technically you are.”9 “It’s about what connects you to others, what makes you curious and angry and what might make you act without thinking.”10 In short, social-engineering schemes prey on natural human desires: curiosity, fear, and the desire to please others and be compliant, helpful employees. Taking advantage of people’s best qualities is what makes these schemes so dangerous, and so hard to avoid entirely.

4 INTERNATIONAL CYBER SECURITY PROTECTION ALLIANCE, PROJECT 2020: SCENARIOS FOR THE FUTURE OF CYBERCRIME – WHITE PAPER FOR DECISION MAKERS 6 (2013), available at http://2020.trendmicro.com/Project2020.pdf.
5 Lance Bonner, Note: Cyber Risk: How the 2011 Sony Data Breach and the Need for Cyber Risk Insurance Policies Should Direct the Federal Response to Rising Data Breaches, 40 WASH. U. J.L. & POL’Y 257, 264 (2012) (quoting VERIZON RISK TEAM, 2011 DATA BREACH INVESTIGATION REPORT (2011), available at http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf).
6 Id.
7 See Social Engineering Definition, OXFORD DICTIONARIES, http://www.oxforddictionaries.com/definition/english/social engineering.
8 Laura Shin, FORBES, “Be Prepared: The Top 'Social Engineering' Scams Of 2017,” available at https://www.forbes.com/sites/laurashin/2017/01/04/be-prepared-the-top-social-engineering-scams-of-2017/#2fba89387fec.
9 Id.
10 Id.


For purposes of our analysis on coverage, the fidelity claim professional is typically focused on a fact pattern that involves an employee of the insured receiving an email that changes the wiring instructions for a payment due, by way of example. The keys to the analysis will involve the fact that the employee was an unwitting participant in the scheme, and the employee was the person who actually caused the money to be transferred from the account of the insured to a third party (in reliance on a communication received – usually by email).

C. Scope of the Problem – By the Numbers

Social Engineering and hacking are two great risks facing companies today. In 2017, sixty percent of businesses were victims of social-engineering scams.11 A CNBC article written in April of 2017 noted that hackers had breached half of all small businesses in the United States.12

III. The Insured’s Risks and Insurance Needs

A. A Focus on First-Party Losses

First-party losses from cybercrime are those an owner sustains when cybercrime damages, destroys, or deprives the insured of the use of insured property.13 In the context of the Financial Institution Bond and the Commercial Crime Policy, the risk addressed is specifically the loss of Money or Property, as those terms are defined.

First-party losses can be caused by security breaches from various types of recurring schemes and hazards such as Trojan horses, malware, hacking, fraud (including computer fraud and funds transfer fraud), and e-commerce extortion.14

First-party risks can include the cost of replacing data that is lost through corruption of the system, loss of stolen property,15 the cost of replacing systems that become inoperable, and the labor expenses from re-entering data.16 Additionally, an insured faces first-party risks of defense expenses, fines, or penalties from state and federal statutes and regulations that require companies to report breaches.17 Finally, there may be risks of lost income, consequential damages, and crisis management costs.18

The first-party risk of loss of electronic data, software, and hardware is one that encompasses a myriad of losses. First, if data is lost or corrupted, the insured will incur costs of re-creating the underlying data, entering the data into a database, and reviewing the data for accuracy. Attempting to address all of these labor-intensive tasks requires the insured to address the question of whether to hire additional employees or independent contractors to handle these tasks. For example, one insured was in the process of updating its computer database when human error caused the database system to crash, which led the insured to hire consultants to restore the data and incur expenses in manually entering the data. If the software of a company is damaged from cybercrime, the losses could include costs of a new copy of the software, costs of new software license and reinstallation, or, if the company has its own specially modified software, costs could include recreating the underlying code and reconfiguring the settings. Some businesses create dynamic systems built on users’ submissions and past transactions, which may make it difficult, if not impossible, to gather sufficient new information once the original data is lost.

11 Roi Perez, SC Media, “60% of enterprises were victims of social engineering attacks in 2016,” available at https://www.scmagazineuk.com/60-of-enterprises-were-victims-of-social-engineering-attacks-in-2016/article/576060/.
12 Andrew Zaleski, CNBC, “Congress addresses cyberwar on small business: 14 million hacked over last 12 months,” (Apr. 5, 2017), available at http://www.cnbc.com/2017/04/05/congress-addresses-cyberwar-on-small-business-14-million-hacked.html.
13 Jack Montgomery, Cybercrime Losses and Insurance for Property Damage and Third-Party Claims, 27 MAIN BAR J. 158, 158 (Summer 2012).
14 Id. at 159.
15 Id.
16 Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16, 19 (Tex. App.—Tyler 2003, pet. denied).
17 Elizabeth D. De Armond, A Dearth of Remedies, 113 PENN ST. L. REV. 4, 13, 16-17 (Summer 2008); Sara A. Needles, Comment: The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law, 88 N.C.L. REV. 267 (Dec. 2009).
18 Montgomery, supra note 13, at 159.

The above losses of electronic data, software, and hardware then may lead to loss of use and business interruption on a pretty significant scale. In Hewlett-Packard Co. v. Factory Mutual Insurance Co., HP retained a forensic accountant to detail the losses HP suffered from business interruption loss when an employee sabotaged the program for marketing a newly developed computer server.19 HP then submitted to its insurer a claim under its all-risks policy for $167.8 million, which it later revised down to $131.6 million.20

Once a company has restored its data and systems and continues its business operations, the insured faces continuing risks from data security breaches and privacy injury. The company may be required to hire investigators to determine the perpetrator, whether it was an employee or outside hacker.21 The company may also be required to remedy the flaws in its security systems, and, under many state laws, notify individuals whose information has been compromised.22 Finally, the company may be required to provide credit monitoring services or compensation to banks for fraudulent charges.23 For example, after many of Target’s customers’ payment card information was stolen in December 2013, Target offered its customers a year of free credit monitoring, which included identity theft insurance, a copy of the customer’s credit report, and daily credit monitoring.24

Finally, separate and apart from all of these potentially complex first-party losses, the insured may sustain a loss of its own money, as a result of cybercrime activity. Whether through hacking or Social Engineering, one direct adverse result to an insured may be that its money was transferred out of its control and to a third party that was not entitled to that money.

B. Scope of Insurance Products Available – General Cyber Coverage

In today’s insurance market, there are numerous products available to address the risk of first-party loss. More and more, insurers are beginning to offer specialized insurance policies specifically designed to protect against loss from cybercrime, and those types of policies have been referred to as the “new frontier” of the twenty-first century insurance market.

19 Hewlett-Packard Co. v. Factory Mut. Ins. Co., 04 Civ 2791 (TPG)(DCF), 2007 U.S. Dist. LEXIS 24146, at *19 (S.D.N.Y. Mar. 30, 2007).
20 Id. at *19.
21 Id.
22 Id.
23 Id.
24 Credit Monitoring FAQ, TARGET, https://corporate.target.com/about/payment-card-issue/credit-monitoring-FAQ.aspx. Another recent victim of cybercrime, Michaels Craft Stores, has also offered a year’s worth of free identity protection and credit monitoring services to affected customers. Cheryl K. Chumley, Michaels Craft Chain Confirms Hackers Hit 3M Customers, WASHINGTONTIMES.COM (Apr. 18, 2014), http://p.washingtontimes.com/news/2014/apr/18/michaels-arts-and-crafts-giant-says-hackers-hit-3m/print/.


Insurers began offering “cyber” coverage in the 1990s, but in recent years, cyber-liability specific products have rapidly evolved in terms of scope, availability, and pricing.25 In recent years, insurers have produced dozens of new cyber insurance products each and every year.26 These policies provide coverage for risks not covered or specifically excluded by various types of traditional policies.27 Showing that they are intended to be unique coverages, and not overlapping in scope, the cyber risk policies often exclude coverage likely to be found in a CGL policy, like advertising injury.28 Examples of current products include the Network Risk, Cyber-Liability, Privacy and Security or Media Liability insurance policies and the ISO’s “Information Security Protection Policy” (formerly known as “Internet Liability and Network Protection Policy”). The first-party provisions or policies cover loss of data or network interruption, while the third-party provisions or policies provide coverage for liability to third parties arising from the loss or theft of data.29 The policies may be sold as stand-alone policies, “modules” or coverage sections in “package” policies, or endorsements in more traditional liability policies.

These newer insurance products focus on coverage for security of data, programs, and proprietary information, and for computer-based transgressions, including viruses, cyber-attacks, fraud, destruction, corruption, or extortion from threatened computer crime. These policies may cover crisis management expenses, such as expenses for hiring a public relations or law firm to repair the insured’s reputation.30 Many policies provide “breach of notice” costs, including mailing, phone bank, and credit-monitoring costs.31 Additionally, third-party policies may include defense and indemnity coverage for regulatory liability, including claims for civil, administrative, or regulatory proceedings, fines, and penalties.32 These policies and the risks they cover are still relatively new, and therefore there is little or no claims history and data to analyze, and little experience to use in order to know what information to gather from the insured in order to determine appropriate coverage.

The computer transgression policies extend to cover losses from an unauthorized intrusion, illegitimate or unauthorized use, viruses and other attacks on the system or Internet.33 Computer crime may include intentional destruction or corruption of data and computer system of insured or of insured’s client, destruction of data or programs by a hacker, destruction of data or programs by a virus, and also extortion by means of a threat to cause injury to the computer system.34 Some policies may even provide coverage for cyber extortion, including the cost of investigating and responding to the threat, as well as the cost of actually paying the extortionist’s demands.35

25 Roberta D. Anderson, Viruses, Trojans, and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of Internet Oz, 49 Tort & Ins. L.J. 529, 592 (Winter 2014) [hereinafter Anderson, Viruses].
26 Dan Schroeder, Cyber Insurance: Just One Component of Risk Management, WALL ST. J. (Mar. 27, 2014), http://blogs.wsj.com/cio/2014/03/27/cyber-insurance-just-one-component-of-risk-management/.
27 Paul E.B. Glad et al., Types of Liability Coverage, 3 New Appleman Law of Liability Insurance § 16.02 (2014); Montgomery, supra note 13, at 162-63; Lawrence J. Trautman & Kara Altenbaumer-Price, The Board’s Responsibility for Information Technology Governance, 28 J. MARSHALL J. COMPUTER & INFO. L. 313, 337 (Spring 2011).
28 Glad et al., supra note 27, § 16.02.
29 Glad et al., supra note 27, § 16.02; Trautman et al., supra note 27, at 337-38.
30 Anderson, Viruses, supra note 25, at 593; Glad et al., supra note 27, § 16.02; Trautman et al., supra note 27, at 337.
31 Panos T. Topalis & H. Wesley Sunu, Cyber Liability Insurance, to Offer or Not to Offer, That is the Question, 42 THE BRIEF 36, 37 (Winter 2013).
32 Anderson, Viruses, supra note 25, at 602.
33 Scott Godes, Cybersecurity Risks and Insurance Coverage, 3 New Appleman Law of Liability Insurance § 18.03 (2013).
34 Id.

While the coverage available is attractive, especially given the current risks and costs associated with cybercrime, there are some important considerations when purchasing cyber-liability-specific products. For example, the above description of categories of policies applies to a broad array of products available on the market.36 Further, the competitive market and the fact that these policies are highly negotiable mean that the terms may vary not only by insurer or industry but by each insured.37 That lack of standardization would make coverage difficult to litigate and potentially leave an insured without coverage or defense.38 Accordingly, the research and analysis required by an individual potential insured is currently substantial.

C. Financial Institution Bonds

Financial institution bonds insure financial institutions against employee dishonesty and provide coverage for certain other specified risks.39 The standard form has been revised numerous times since its first issuance, but the most recent revisions include the following insuring agreements: fidelity, on premises, in transit, forgery or alteration, securities, counterfeit money, and fraudulent mortgages.40 Many additional coverages are now available by endorsement, as discussed below.

The standard financial institution bond (“FIB”) provides first-party coverage for an insured’s direct loss of its own property, or that of others it holds or for which it is legally liable.41 The FIB standard form does not provide any specific coverage for risks of cybercrime. In fact, in a letter to the Alabama Department of Insurance dated December 24, 2003, the Surety Association of America (now the Surety & Fidelity Association of America, “SFAA”) explained that “[e]lectronic transactions present exposures that are not readily compatible with the terms and conditions of” the current form of the financial institution bond.42 The letter advised banks seeking coverage for losses from electronic transactions that they could obtain such coverage by rider.43

Available by rider to the financial institution bond is Insuring Agreement H, which provides coverage for fraudulent transfer instructions sent via e-mail.44 Coverage for computer systems fraud and extortion are also available by rider for the financial institution bond.45 The Computer Systems Rider provides coverage for loss resulting directly from a fraudulent entry or fraudulent change of “Electronic Data or Computer Program” into or within any “Computer System” of the Insured as those terms are defined in the rider.46 The fraudulent entry or change must cause one of the following: the transfer, payment, or delivery of “Property;” an account of the Insured or the Insured’s customer to be added, deleted, debited, or credited; or an unauthorized account or fictitious account to be debited or credited.47

35 Glad et al., supra note 27, § 16.02.
36 Anderson, Viruses, supra note 25, at 594.
37 Id. at 594.
38 See id. at 608.
39 Robert J. Duke, A Brief History of the Financial Institution Bond, in FINANCIAL INSTITUTION BONDS 1 (Duncan L. Clore ed., 3d ed. 2008).
40 Financial Institution Bond, Standard Form No. 24 (Revised to April 1, 2004), reprinted in ANNOTATED FINANCIAL INSTITUTION BONDS 771 (Michael Keeley ed., 3d ed. 2013) [hereinafter 2004 FIB].
41 Michael Keeley & Justin Melkus, Introduction to Fidelity Insurance, 10 New Appleman Law of Liability Insurance § 111.01 (Michael Keeley et al. eds., 2014).
42 Letter from Robert J. Duke, Director-Underwriting, The Surety Association of America, to Honorable David Parsons, Commissioner of Insurance: Alabama Department of Insurance (Dec. 24, 2003), reprinted in FINANCIAL INSTITUTION BONDS 975 (Duncan L. Clore, ed., 3d ed. 2008).
43 Id.
44 Form & Rider Filing Letter, reprinted in FINANCIAL INSTITUTION BONDS 980 (Duncan L. Clore, ed., 3d ed. 2008).
45 Keeley & Melkus, supra note 41, § 111.01.

D. Commercial Crime Policies

Commercial crime insurance policies are a type of fidelity insurance offered to non-financial commercial and governmental entities, where fidelity insurance provides coverage for losses sustained as a direct result of an insured’s employees’ dishonesty.48 There have been multiple forms promulgated by the SFAA and the ISO. Generally, commercial crime policies provide coverage for losses the insured sustains as a direct result of the following:

1) Employee dishonesty or theft;

2) Forgery or alteration of written instruments;

3) Loss and damage resulting directly from “theft,” disappearance or destruction of “money” or “securities” from inside the premises of the insured;

4) Loss resulting from an actual or attempted robbery or safe burglary inside the premises;

5) Loss occurring outside the premises of the insured;

6) Loss of “money,” “securities,” and “other property” resulting directly from the use of any computer to transfer such items from that insured’s premises to a person or place outside those premises;

7) Loss of “funds” resulting directly from a “fraudulent transaction” directing a financial institution to transfer such funds from the insured’s “transfer account;”

8) Loss directly resulting from the insured having accepted counterfeit currency or money orders in good faith and in exchange for merchandise, money, or services.49

Standard form commercial crime policies are issued by the SFAA and ISO. Many additional coverages are also available by endorsement, including cyber coverage.

The SFAA’s Insuring Agreement 5 provides coverage for certain types of computer fraud against the Insured.50 The Computer Fraud agreement provides for “loss of or damage to ‘money’, ‘securities’, and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’ to a person (other than a ‘messenger’) outside those ‘premises’; or ‘to a place outside those ‘premises’.”51

46 Robert J. Duke, A Concise History of the Financial Institution Bond, Standard Form No. 24, in ANNOTATED FINANCIAL INSTITUTION BOND 533, 562-63 (Michael Keeley ed., 3d ed. 2013); Arthur N. Lambert et al., Description of Current Language of Rider, 10 NEW APPLEMAN LAW OF LIABILITY INSURANCE § 119.02 (2014) [hereinafter Lambert et al., Current Language].
47 Lambert et al., Current Language, supra note 46.
48 Michael Keeley & Justin Melkus, Introduction to Fidelity Insurance, 10 NEW APPLEMAN LAW OF LIABILITY INSURANCE § 111.01 (Michael Keeley et al. eds., 2014).
49 Id.

The 2013 revision of the ISO policy combines Computer Fraud and Funds Transfer Fraud coverages into one Insuring Agreement that covers loss resulting directly from a fraudulent entry of “electronic data” or “computer program” into, or change of “electronic data” or “computer program” within, any “computer system” owned, leased or operated by the Insured, provided the fraudulent entry or fraudulent change causes “money,” “securities” or “other property” to be transferred, paid or delivered, or the Insured’s account at a “financial institution” to be debited or deleted. The new insuring agreement emphasizes that loss resulting from the incidental use of a computer, for example to generate false documents, is not intended to be covered.52

E. New Generation Insurance Agreements

In addition to the Computer Fraud Insuring Agreement available under the FIB standard form, there are insuring agreements available for data processing service operations, voice initiated transfer fraud, “telefacsimile transfer fraud,” destruction of data or programs by hacker, destruction of data or programs by virus, and voice computer systems fraud.53 Similarly, there are several endorsements available under the commercial crime policy, including data processing service operations, computer hacker insuring agreement, fraudulent instructions insuring agreement, destruction of data or programs by hacker, destruction of data or programs by virus, employee sabotage/destruction of data or computer programs, and business income loss and dependent business income coverage.

Below are examples of first-party insuring agreements from a sample “cyber-risk” policy:

• The Company will pay the Insured Organization for Crisis Management Event Expenses incurred by the Insured Organization within 12 months of, and as a result of, any Network and Information Security Wrongful Act or Communications and Media Wrongful Act taking place prior to the expiration of the Policy Period and reported to the Company during the Policy Period or, if exercised, during the Extended Reporting Period or Run-Off Extended Reporting Period.

• The Company will pay the Insured Organization for Security Breach Notification Expenses incurred by the Insured Organization within 12 months of, and as a result of, any Network and Information Security Wrongful Act taking place prior to the expiration of the Policy Period and reported to the Company during the Policy Period or, if exercised, during the Extended Reporting Period or Run-Off Extended Reporting Period.

50 Id. at 8-9.
51 Michael R. Davisson, The Other Insuring Agreements of Commercial Crime Policies, in COMMERCIAL CRIME POLICY 285, 309 (Randall I. Marmor & John J. Tomaine eds., 2d ed. 2005); Crime Protection Policy, Standard Form No. SP0001 (Revised to 03 00), reprinted in COMMERCIAL CRIME POLICY 677 (Randall I. Marmor & John J. Tomaine, eds., 2d ed. 2005).
52 2012 Crime and Fidelity Multistate Forms Revision Advisory Notice to Policyholders, CR P 005 08 13.
53 Lambert et al., Riders, supra note 46, at 566, 567.


• The Company will pay the Insured Organization for Restoration Expenses incurred by the Insured Organization which are directly caused by a Computer Violation taking place prior to the expiration of the Policy Period and Discovered during the Policy Period or the Automatic Extended Period to Discover Loss.

• The Company will pay the Insured Organization for Computer Fraud Loss incurred by the Insured Organization prior to the expiration of the Policy Period which is directly caused by Computer Fraud Discovered during the Policy Period or the Automatic Extended Period to Discover Loss.

• The Company will pay the Insured Organization for Funds Transfer Fraud Loss incurred by the Insured Organization prior to the expiration of the Policy Period which is directly caused by Funds Transfer Fraud Discovered during the Policy Period or the Automatic Extended Period to Discover Loss.

• The Company will pay the Insured Organization for E-Commerce Extortion Expenses resulting from E-Commerce Extortion taking place anywhere in the world during the Policy Period or the Automatic Extended Period to Discover Loss.

• The Company will pay the Insured Organization for Business Interruption Loss incurred by the Insured Organization which is directly caused by a Computer System Disruption taking place during the Policy Period and Discovered during the Policy Period or the Automatic Extended Period to Discover Loss.

These may be added, by endorsement, to various types of insurance policies.

Finally, there is coverage for the latest hot source of loss: Social Engineering. Social Engineering coverage is primarily available through manuscripted policies from individual companies. The following are exemplars of language that various companies have developed and that is in current use in varying forms:

Example 1

The Company shall pay for loss resulting from an Insured having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client or an Employee who was authorized by the Insured to instruct other Employees to transfer Money or Securities.

Social Engineering Fraud means the intentional misleading of an Employee, through misrepresentation of a material fact which is relied upon by an Employee, believing it to be genuine.

Example 2

The Insurer shall pay for loss of Money or Securities sustained by an Insured resulting directly from Social Engineering Fraud.

Social Engineering Fraud means the transfer, payment or delivery of an Insured’s Money or Securities from the Premises or Transfer Account by (1) an Employee acting in good faith reliance upon a telephone or written instruction that purported and reasonably appeared to have been issued by a Vendor, Client, or Employee authorized by the Insured to approve and direct such payment . . . but in fact was issued by a Third Party not so authorized.

Example 3

The Insurer will pay for loss of Money or Securities resulting directly from the transfer, payment, or delivery of Money or Securities from the Premises or a Transfer Account to a person, place, or account beyond the Insured’s control by: (a) an Employee acting in good faith reliance upon a telephone, written, or electronic instruction that purported to be a Transfer Instruction but, in fact, was not issued by a Client, Employee or Vendor; or (b) a Financial Institution as instructed by such Employee acting in good faith reliance.

The language in the various endorsements continues to develop as the coverage matures, so at this point in time there may be as many forms of coverage language as there are companies writing it.

IV. Computer Fraud v. Social Engineering: The Overview

As evidenced in the discussion of standard forms of coverage, Computer Fraud insurance agreements are not new. They have been around for more than two decades, by endorsement.

Computer Fraud insuring agreements are designed to cover only true hacking. Hacking, of course, brings to mind computer geniuses who can break into protected systems via high-tech skills, built and refined after years and years of experience and education. In true Computer Fraud, the insured’s employees had no idea that cybercrime was ongoing, and they play no role whatsoever in the conduct of the scheme.

By contrast, Social Engineering insuring agreements are designed to cover employee mistakes, resulting from trickery that may or may not happen to involve a computer for communication. While the name assigned to this fraud may appear new-age, it is in fact a pretty mundane scheme that requires the computer savvy of an elementary school student. Social Engineering, in fact, does not necessarily have anything to do with computers, since it can also be carried out by a phone call. It is just most often perpetrated by e-mail, the convenient and easily spoofed form of communication that workers race through, sometimes without paying nearly enough attention. It is a broad term that describes any scheme in which one person tricks another (often an employee) into transferring money to them, often by impersonating a customer, client, or vendor of the person’s employer. In Social Engineering, the unwitting employee is critical to the conduct of the scheme.

Today, many Social Engineering scams consist of a person calling or e-mailing an innocent employee, pretending to be their boss (usually someone so high-ranking that the employee has never met him or her), and asking that employee to transfer money to make a purchase on behalf of the company. Sometimes the fraudster pretends to be a representative of a long-time vendor of the person’s employer, and asks for a change in the account information on file for that vendor. This means that the next invoice the vendor submits is paid into the fraudster’s account rather than the actual vendor’s. Such schemes can be carried out in person, over the phone, through letter correspondence, and—of course in today’s business environment—through e-mails. These scams were around long before e-mail and certainly do not depend on it, but because e-mail is such a convenient (and easily spoofed) way of communicating, more and more Social Engineering scams involve at least one fraudulent e-mail.

Why has the industry seen such an overlap for these types of claims? One reason may be that most insured entities did not have Social Engineering coverage until very recently, if at all. Before there was such an endorsement on their policies, they simply referred to the only type of computer-related coverage they did have: Computer Fraud. A second reason may be that insureds and courts alike are not yet highly educated on the specifics of the coverages, and do not understand the technical differences of the coverages.

Regardless of the reason, it is a fact that many recent court cases involve factual situations where an insured presented and sought to recover their Social Engineering loss under a Computer Fraud insuring agreement, and confusion for all who were involved ensued.

At the beginning of this steady stream of cases, most courts that analyzed the coverage disputes agreed that Computer Fraud policies do not cover Social Engineering losses. However, there was a marked turn in that pattern by 2018, which is the genesis of the discussion in this paper, and of the need for a better understanding of why the two types of claims should not overlap from a coverage standpoint.

V. Fidelity Insurance Coverage for Hacking

Many insurance companies now offer coverage for the risk presented by hacking, either through standard form language or through manuscripted policies. A typical Computer Fraud insuring agreement provides:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: a. to a person (other than a messenger) outside those premises; or b. to a place outside those premises.

The intent behind this language is to cover only a true hacking loss. It is not designed to cover a loss that results from the type of Social Engineering scams discussed above, in which the direct cause of the insured’s loss is not the use of the computer but the voluntary actions taken by a duped employee. Two elements of this language demonstrate that the insurer means for this policy to cover only a true hacking. First, the policy carefully places the word “fraudulently” before the verb “cause.” Second, the Computer Fraud insuring agreement limits coverage to loss “resulting directly from” a fraudulently caused transfer. The word “direct” means immediate, indicating that there should be no intervening actions between the use of the computer and the transfer of property. But Social Engineering scams do, of course, require such intervening steps: the actions of the duped human. Hacking, however, is immediate and requires no human action.

A. The Words and Details Matter

As noted above, the placement of the word “fraudulently” in the quoted language is important. The Central District of California understood this important detail and explained it well.54 In Pestmaster, the insured hired a third-party payroll company to prepare its payroll, pay its payroll taxes, and deliver payroll checks. Pestmaster authorized the payroll company to take the funds necessary to complete these tasks directly out of Pestmaster’s bank account. One day, the IRS made a surprise visit to Pestmaster’s office and informed Pestmaster that it owed nearly $400,000 in payroll taxes. Pestmaster had been tricked by the payroll company, which had been pocketing all the funds it was purportedly taking to satisfy Pestmaster’s payroll taxes. Pestmaster sought coverage for its loss under a Computer Fraud insuring agreement that covered the “use of any computer to fraudulently cause a transfer.” The insured argued that the ACH transfers were covered because they were the result of “any use of a computer to cause a fraudulent transfer” of funds, given that the payroll company had made the transfers using a computer.55 The court disagreed, holding that coverage was limited to circumstances in which “someone ‘hacks’ or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds.”56 Because the insured had authorized the vendor to make the ACH transfers, no hacking had been necessary.57 Accordingly, the court held that the vendor did not “use any computer to fraudulently cause” the transfers.58 In reaching this conclusion, the court focused heavily on the placement of the adverb “fraudulently” before the verb “cause.”59 The court stated:

[T]here is an important distinction between “fraudulently causing a transfer,” [and] “causing a fraudulent transfer.” The case of Universal American Corp. … also recognized this distinction. It held that there was no computer fraud coverage when an authorized person entered fraudulent data into a computer system. The Court explained that the computer fraud coverage only applied to the “unauthorized entry into the system, i.e., by an unauthorized user, such as a hacker, for unauthorized data, e.g., a computer virus.” . . . The Court noted that “[n]othing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e., to submit claims [the insured was a health insurer], but where the claims themselves were fraudulent.” . . . The Court also stated: “Plaintiff’s interpretation of the policy [as covering fraudulent entries by an authorized user] would expand coverage to any fraudulent underlying claim that was entered into its computer system by any user, even by an authorized user. This interpretation is not supported by the language of the Rider” . . . Id. at *6 (brackets in original) (quoting Univ. Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 959 N.Y.S.2d 849, 853 (N.Y. Sup. Ct. Jan. 7, 2013), aff’d, 37 N.E.3d 78 (N.Y. 2015)).60

54 Pestmaster Servs. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039, 2014 U.S. Dist. LEXIS 108416 (C.D. Cal. July 17, 2014).
55 Pestmaster, id. at *19.
56 Id.
57 Id. at *19-20.
58 Id.
59 Id.

Put simply, if the insuring agreement referred to “fraudulent transfers,” the language would have a much different meaning. By contrast, it referred to fraudulently causing a transfer through the use of a computer. As a result, not just any fraudulent transfer that results indirectly from the use of a computer can suffice to establish that coverage attaches. The fraudulent use of the computer must directly cause the transfer. Coverage is therefore available only if the fraudster used a computer in a fraudulent or unauthorized manner. It is not enough that there was an authorized transfer that was brought about by a fraudulent request.61

The Universal American case mentioned and discussed in Pestmaster involved a health insurance company that suffered a loss as a result of fraudulent claims for healthcare services that were never actually performed.62 The perpetrators of the scheme submitted the claims for “reimbursement” through the company’s electronic system. When the insured discovered what had happened, it sought coverage under the portion of its bond that covered loss resulting from computer systems fraud. The bond provided coverage only if there had been a fraudulent entry of electronic data into the insured’s computer system. The court held that no coverage could apply under that insuring agreement because the perpetrators of the scheme were authorized to have access to the insured’s computer system.63 They merely abused that authorization to enter incorrect data. The court recognized the difference between fraudulent entry of data and entry of fraudulent data. In other words, the bond covered losses resulting directly from fraudulent access, not losses from the content submitted by authorized users. “Nothing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e., to submit claims, but where the claims themselves were fraudulent.”64

The placement and meaning of the word “directly” in the coverage language is also important. It denotes the intent to cover only hacking—not Social Engineering. Cases interpreting similar Computer Fraud insuring agreements have been clear that the phrase “resulting directly from” requires an immediate nexus between the use of a computer and the insured’s loss.65 In each of these cases, the insureds received a request—via some sort of electronic means—that they independently decided to carry out, but the communication to the employee ultimately proved fraudulent. The courts in each case properly concluded that the actions closer in time to the loss, which consisted of the insured’s own voluntary actions in responding to the request, were the direct cause of the loss.

B. Alleged Computer Fraud: The Courts that Got It Right

A number of recent cases actually involved Social Engineering facts, but the insureds nevertheless submitted claims under a Computer Fraud insuring agreement. It has been up to the courts to sort out these disputes, always in the context of policies that did not include a separate Social Engineering insuring agreement. A number of these courts focused on the real issues, and got the analysis right. Kraft Chemical is particularly illustrative in this category.66 There, a fraudster sent an e-mail to the insured misrepresenting the account information for a client of the insured. The insured then wired funds out to the new account without verifying the new banking information.67 The insured sought to recover its loss under a Computer Fraud insuring agreement that covered loss resulting directly from the unauthorized entry into or deletion of data from a computer system.68 The court held that the insured had not shown a “direct nexus” between the e-mail and the loss. The court held that, “while Plaintiff’s claim is premised on the receipt of fraudulent emails, the emails did not cause the transfer of funds; rather, the transfer was knowingly effectuated by Plaintiff’s employees.”69 Under these facts, the court concluded that the e-mail did not “directly” cause the loss because the insured voluntarily took too many steps after receiving it.

60 Id. at *20.
61 Pestmaster, 2014 U.S. Dist. LEXIS 108416, at *20-21; see also Univ. Am. Corp., 959 N.Y.S.2d at 864.
62 Universal Am., 959 N.Y.S.2d at 851.
63 Id.
64 Id. at 853.
65 Pestmaster, 2014 U.S. Dist. LEXIS 108416; Great Am. Ins. Co. v. AFS/IBEX Fin. Servs., No. 3:07-CV-924-O, 2008 U.S. Dist. LEXIS 55532, at *44-45 (N.D. Tex. July 21, 2008), aff’d on other grounds, 612 F.3d 800 (5th Cir. 2010); Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085, 2006 U.S. Dist. LEXIS 26018 (S.D. Ind. Mar. 10, 2006); Kraft Chem. Co. v. Fed. Ins. Co., No. 13 M2 002568, 2016 Ill. Cir. LEXIS 1 (Ill. Cir. Ct. Jan. 5, 2016).

AFS/IBEX Financial Services is another relevant case in this context.70 The insured in that case, AFS/IBEX, was a premium-financing company that issued loans to insureds that could not afford to pay insurance premiums up front. AFS/IBEX had a relationship with an insurance agency that would send financing applications to AFS/IBEX for customers who could not afford the premiums upfront. A dishonest employee at the agency sent fictitious applications and pocketed the loan proceeds for himself.71 AFS/IBEX obviously never received payments from the fake customers, and it sought to recover its loss under a Computer Fraud insuring agreement. After Great American moved for summary judgment, the insured abandoned the argument that its loss was covered by the Computer Fraud insuring agreement. As a result, the opinion does not explore the facts on just how much the insurance agency used a computer to carry out its scheme. Briefing submitted in the case makes clear that the dishonest employee created the fraudulent applications for premium financing on a computer and submitted them electronically using a fax machine. With that in mind, the facts are similar to those in Pestmaster: the wrongdoer electronically created and submitted a fraudulent document to the insured, which the insured relied upon and acted on voluntarily. The court held that the loss did not result directly from the use of a computer; instead “the loss was caused by checks [which] Mr. McMahon Jr. [the dishonest employee of the insurance agency] duped Defendant into issuing, endorsed, and deposited.”72 In other words, it was the steps taken after the insured received the fraudulent applications for premium-financing (issuing the checks, which were later endorsed and deposited by a wrongdoer), that were the direct cause of the loss. The creation and submission of the false applications were too removed from the immediate cause of the loss to be called the “direct” cause.

66 2016 Ill. Cir. LEXIS 1.
67 Id. at *2-4.
68 Id. at *8. The precise language provided that the insurer covered “direct loss of Money, Securities or Property sustained by an Insured resulting from Computer Fraud.” Computer Fraud means an “unlawful taking of Money, Securities or Property resulting from a Computer Violation,” which is “an unauthorized (A) entry into or deletion of Data from a Computer System; (B) change of Data elements or program logic of a Computer System . . .; or (C) introduction of instructions, programmatic or otherwise, which propagate themselves through a Computer System.”
69 Id. at *23.
70 2008 U.S. Dist. LEXIS 55532.
71 Id. at *3-7.
72 Id. at *44.

Another case that reached a proper result, while also focusing on the meaning of “directly” in the context of Computer Fraud, is Aqua Star (USA) Corp. v. Travelers Casualty & Surety Company of America.73 The insured in that case was Aqua Star, a seafood importer. It purchased frozen shrimp from a vendor known as Longwei. In the summer of 2013, Longwei’s computer system was hacked. The hacker apparently monitored e-mail exchanges between an Aqua Star employee and a Longwei employee before intercepting those exchanges and sending fraudulent e-mails from “spoofed” e-mail domains that appeared similar to the employees’ actual e-mail addresses. In these fraudulent e-mails, the hacker directed the Aqua Star employee to change the bank account information for Longwei for future wire transfers. Aqua Star employees made the changes as directed and were ultimately defrauded of $713,890 by the hacker.

The question before the court was whether Aqua Star’s losses were covered by a crime policy issued by Travelers. The policy, in a Computer Fraud insuring agreement, covered “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.” Travelers denied coverage, relying on an exclusion for loss resulting directly or indirectly from the input of electronic data by a person having authority to enter data into the insured’s computer system. The court agreed with Travelers that the exclusion applied. It found that an employee of the insured voluntarily entered data into a spreadsheet on the insured’s computer system, and that the data entered into that spreadsheet was the data used to bring about the wire transfers. The court held that the entry of data into the spreadsheet was an intervening act by someone with authority. The court granted summary judgment in favor of the insurer on the breach of contract claim and on a claim of bad faith.

These cases illustrate that, when the term “directly” is properly understood and applied, it becomes clear that the only type of coverage provided by an insuring agreement that covers loss resulting directly from the use of a computer is coverage for hacking: the use of one computer to access another and deplete the insured’s funds by exploiting the access to the data on the insured’s computer. These transactions are computer-to-computer transactions, and no human on the insured’s side of the crime is involved at all. Any fraud that stems from tricking a human at the insured’s office into voluntarily taking steps that cause the loss is simply not covered by the Computer Fraud terms, regardless of what medium the fraudster uses to convey his deceitful message.

C. The Courts that Went Off the Rails: The Second Circuit and Sixth Circuit

During late 2017 and 2018, two cases reached the Second Circuit and Sixth Circuit Courts of Appeals, and both went off the rails in terms of careful attention to the meaning of the Computer Fraud insuring agreement. Both concerned the key question of whether a Computer Fraud insuring agreement covers a Social Engineering fact pattern and the resulting loss.

1. Second Circuit

In Medidata Solutions, Inc. v. Federal Insurance Company,74 a New York court addressed a Social Engineering claim under Computer Fraud terms. The fraud in Medidata involved an unsolicited e-mail to one of the insured’s employees that purported to be from Medidata’s president, advising that a lawyer would be calling about an acquisition. The purported lawyer called the employee and requested that Medidata perform a wire transfer in connection with the supposed transaction. The employee informed the fraudster that she needed an e-mail from Medidata’s president. She and other employees then received an e-mail that purported to be from the president instructing them to go through with the wire transfer. The fraudster manipulated the e-mail so that it appeared to come from a Medidata employee, apparently to the extent that the Google e-mail system displayed it with the photo that accompanied e-mails from Medidata employees. The employee proceeded to arrange the wire transfer, and two account managers reviewed and approved it without speaking to Medidata’s president to confirm his authorization. Ultimately, $4.7 million was transferred to the fraudster’s bank account. The following month, the purported lawyer contacted the employee again to arrange another wire transfer. The employee followed the same procedure, but this time one of the account managers noted that the “reply to” address in the e-mail was suspicious. The suspicion led to an investigation, which uncovered the fraud, and the second wire did not go out.

73 2016 U.S. Dist. LEXIS 88985 (W.D. Wash. July 8, 2016).
74 268 F. Supp. 3d 471 (S.D.N.Y. 2017).
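The three tells that recur in the fact patterns above are mechanically checkable before a wire goes out: a sender domain that merely resembles a known vendor’s (the “spoofed” domains in Aqua Star), a “reply to” address that points somewhere other than the apparent sender (what the Medidata account manager finally noticed), and an instruction that changes where money is sent (Kraft Chemical and Aqua Star). The following Python is an added example written for this discussion; it is not code from the paper or from any case record. The trusted-domain list, the two sample messages and the phrase list are constructed for illustration, and a real deployment would tune all three to its own vendors and traffic.

```python
"""Added example: pre-wire triage of a payment instruction e-mail.

Flags a lookalike sender domain, a Reply-To that points elsewhere, and
language that redirects payments. All domains, messages and phrases here
are constructed for illustration, not taken from any case record.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the insured's own domain and the domains of its known vendors.
TRUSTED_DOMAINS = frozenset({"example-corp.com", "example-seafood.com"})

# Constructed phrase list; tune to the organisation's real traffic.
PAYMENT_CHANGE_PHRASES = (
    "new bank account", "updated remittance", "updated banking",
    "change of bank", "new account details",
)


def _domain(header_value):
    """Domain part of an address header, lower-cased; '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A genuine subdomain (mail.example-corp.com) is not a lookalike; a trusted
    name embedded in a foreign domain (example-corp.com.attacker.test) or a
    domain within two edits of a trusted one (examp1e-seafood.com) is.
    """
    if domain in trusted:
        return None
    for real in trusted:
        if domain.endswith("." + real):
            return None
        if real in domain or edit_distance(domain, real) <= 2:
            return real
    return None


def header_findings(raw_message, trusted=TRUSTED_DOMAINS):
    """Header anomalies worth a human look, as a list of strings (empty = none)."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings = []
    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        findings.append(f"sender domain {from_dom!r} looks like {imitated!r}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From {from_dom!r}")
    return findings


def requests_payment_change(raw_message):
    """True if the subject or body asks to redirect where money is sent."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    return any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES)


def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Decide what accounts payable should do before acting on the message.

    HOLD: a payment redirection with a header anomaly; confirm by telephone on
    a number already on file, never on one supplied in the message.
    """
    findings = header_findings(raw_message, trusted)
    change = requests_payment_change(raw_message)
    if change and findings:
        return "HOLD", findings
    if change or findings:
        return "REVIEW", findings
    return "OK", findings


# Constructed sample: digit "1" for the "l" in the vendor's domain, a Reply-To
# elsewhere, and a request to redirect future wires.
SPOOFED = """\
From: Accounts Receivable <ar@examp1e-seafood.com>
Reply-To: ar@accounts-update.attacker.test
To: payables@example-corp.com
Subject: Updated remittance details

Please send all future wire transfers to our new bank account (details attached).
"""

# Constructed sample: the genuine vendor, with nothing changing.
GENUINE = """\
From: Accounts Receivable <ar@example-seafood.com>
To: payables@example-corp.com
Subject: Invoice 1042

Attached is this month's invoice; remittance details are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        decision, findings = triage(raw)
        print(label, decision, findings)
```

The check is deliberately a gate on the human step, not a replacement for it: a HOLD result means the employee confirms the instruction out of band before any data is entered into the payment system, which is precisely the verification the insureds in Kraft Chemical, Aqua Star and Medidata did not perform.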

Because there was no Social Engineering coverage in its policy, Medidata sought coverage under its Computer Fraud insuring agreement. The specific policy terms provided coverage for “direct loss of Money” resulting from “Computer Fraud.” “Computer Fraud” was defined as “the unlawful taking or the fraudulently induced transfer of Money…resulting from a Computer Violation.” A “Computer Violation” was defined as “the fraudulent: (a) entry of Data into…a Computer System; [and] (b) change to Data elements or program logic of a Computer System, which is kept in machine readable format…” “Data” included any “representation or information.” “Computer System” was “a computer and all input, output, processing, storage, off-line media library and communication facilities which are connected to such computer” used by Medidata.

In the context of those specific terms, a New York court held that the e-mail spoofing was the type of “deceitful and dishonest access” to a computer system that Computer Fraud insurance was intended to cover. The court rejected the insurer’s argument that the fraudster did not enter any computer system of Medidata because the e-mail system was run by Google, and the court ignored precedent cited to it that required that the loss to the insured result directly or immediately from the use of a computer.

The Second Circuit Court of Appeals affirmed the decision with virtually no discussion.75 The court concluded: “While Medidata concedes that no hacking occurred, the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata's email system.”76 The court was also persuaded that, under applicable New York law, the term “direct” really means “proximate cause.”77

Medidata reached a disappointing result, but it is important to note that, on its own, it does not necessarily undermine the large body of case law that carefully addresses the more typical form of the Computer Fraud language and concludes that the typical Computer Fraud insuring agreement does not apply to a social-engineering scam. Medidata involves language that differs significantly from the average Computer Fraud insuring agreement: it does not state that the loss must result directly from the use of a computer to fraudulently cause a transfer. Moreover, unlike the typical Social Engineering facts, the fraudsters in Medidata did employ some level of computer savvy to spoof the e-mail address and make the fraud seem believable, which is more than the typical scammer does.

75 729 F. App’x 117 (2d Cir. 2018).
76 Id. at 118.
77 Id. at 119.

The unique aspects of the language in the Medidata case were not lost on the Michigan court that was also considering a similar question at that time. The court in American Tooling Center, Inc. v. Travelers Casualty & Surety Company of America78 also distinguished the Medidata holding and reasoning. In that Michigan case, the insured received an e-mail from an entity purporting to be its vendor, asking the insured to change the bank account information for purposes of all future invoices. The insured fell for the fraud, and ended up transferring $800,000 to the new account without taking any steps to verify the request.79 The insured sought to recover its loss under a Computer Fraud insuring agreement that covered loss resulting from the use of any computer to fraudulently cause a transfer. The court aptly concluded: “There was no infiltration or ‘hacking’ of [the insured’s] computer system. The emails themselves did not directly cause the transfer of funds; rather, [the insured] authorized the transfer based upon the information received in the emails.”80

In addition, as part of its quite good analysis and discussion, the court cited the recent Fifth Circuit case of Apache Corp. v. Great American Insurance Co.,81 as well as a handful of other recent opinions on Computer Fraud. The court also helpfully noted that Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co.82 was not persuasive, as it was a vacated opinion, and that it was in any event distinguishable because the Sixth Circuit followed a narrower definition of “direct” than Connecticut did.

The trial court’s analysis in the American Tooling decision was extremely well crafted, and got the point right. Unfortunately, the Sixth Circuit reversed the decision, for all the wrong reasons.

2. Sixth Circuit

Initially decided correctly by the Eastern District of Michigan, American Tooling was overturned by the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty & Surety Co. of America83 in a concerning fashion. On the facts of a typical Social Engineering fraud, the insured sought to recover its loss under a Computer Fraud insuring agreement that covered loss resulting from the use of any computer to fraudulently cause a transfer. The Sixth Circuit disagreed with the trial court on every ground available to it.84 The court was not impressed with the insurer’s argument that there was no loss until the insured made the decision to pay the actual vendor. The court held instead that the insured “immediately lost its money when it transferred the approximately $834,000 to the impersonator; there was no intervening event.”85 That point seemed to set the court on a hostile path to disagreeing with the trial court on every other issue in the case.

78 No. 16-12108, 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017).
79 Id. at *2-3.
80 Id. at *7.
81 662 F. App’x 252 (5th Cir. 2016).
82 2010 Conn. Super. LEXIS 2386, 2010 WL 4226958 (Conn. Super. Ct. Sept. 20, 2010).
83 895 F.3d 455 (6th Cir. 2018).
84 Id. at 460-65.

For example, the Sixth Circuit next considered whether the Computer Fraud insuring agreement was meant to cover only hacking. Construing the policy in favor of the insured, the court held that the policy was not clear enough on this point, and that if Travelers had intended the coverage to be limited to hacking, it should have said so more clearly. The court did not follow any of the well-developed case law construing Computer Fraud. The court then analyzed several exclusions intended to limit the Computer Fraud insuring agreement to hacking, and rejected their application wholesale as well.86 In each instance the court found the exclusions ambiguous and construed them against the insurer, concluding that they could not bar coverage. The opinion is clearly a results-oriented discussion by a court bound and determined to reach a certain outcome. Reading the case is actually surprising in many respects, because the language is extremely strident and reflects something close to disdain for the lower court opinion. Because the Computer Fraud language is the more typical language, and because the lower court’s decision was so clear and so on point, this decision is a very disappointing turn in the cases.

VI. Fidelity Insurance for Social Engineering

The central thesis for this article is that Social Engineering and Hacking are two real, but certainly distinct risks—as different as two risks can possibly be. The accompanying thesis is that insureds need coverage for both. Insurers are beginning to respond to the need for coverage of Social Engineering risks, and the market in this arena is expanding. The Surety and Fidelity Association of America has introduced policies that cover losses resulting from the type of schemes in which an employee is somehow tricked into transmitting funds to a fraudster or into taking steps that will ultimately permit such a transfer. Many carriers are offering this type of coverage on their own manuscripted policy language as well.

A. So Now, We Insure Negligence

The addition of the Social Engineering coverage is not really surprising, considering that it is a real and present danger for the business community. However, in many ways, it represents a true departure in the area of fidelity and crime coverage. What it really does is pick up employee negligence (as contrasted with intentional or criminal employee conduct) as a subject of coverage. So far, one hallmark of the Social Engineering coverage is a separate and lower policy limit, as compared to that offered for Computer Fraud. This may reflect the difficulty of underwriting Social Engineering risk. Social Engineering schemes take advantage of an ever-present weak link in business: human beings. Employees, when “played” just right, are easily duped into providing criminals with exactly what they want. Insurance broker Willis has described the risk as follows:

85 Id. at 460.
86 Id. at 463-65.


Fraudsters send communications to an employee (most often via email, telephone or a combination of the two), which are doctored to appear as if they are sent by a senior officer of the company or by one of its customers or vendors. Instructing the employee to wire funds to a particular bank account, the communication stresses the need for absolute secrecy, perhaps citing the fact that the fund transfer is related to a pending IPO or other confidential transaction that requires normal authentication procedures be bypassed, while also citing urgency. Some schemes are highly complex and can actually result in the undetected rerouting of phone calls or email domain changes.

For those instructions purportedly coming from a vendor or customer, the schemes can be embroidered by informing the employee that they have changed banks and require the company to provide new wire instructions for all future payments.87

Insurers, of course, must underwrite coverage for Social Engineering in a different way than they underwrite coverage for hacking. Rather than examining the type of anti-hacking software and password protocols the insured has in place, insurers look at issues such as whether insureds have procedures in place requiring employees to obtain approval for bank-account changes, whether the insured has a “call-back” procedure in place requiring employees to use a prearranged telephone number to verify requests for account information, or whether approval by senior management is required for transfers over a certain amount. Many policies are now incorporating a call-back or verification procedure in order for coverage to apply.

B. Prevention Methods and Good Employee Training

Although social-engineering losses are inherently difficult to prevent because they prey on deeply embedded natural human tendencies, there are steps that businesses can take to protect themselves from these types of losses.88 Many businesses are taking a proactive approach to employee training, and some insurers are inquiring into the level of training offered. Even apart from training and awareness, there are some sound business policies that can assist in cutting down on Social Engineering losses. First, it is always good practice to have multiple people sign off on all transfers of funds. Second, there are never too many ways to remind employees to be on high alert for a request to change the account information to which future payments will be made. It is good practice to have phone numbers on file for trusted persons who can confirm any such account changes, or whose involvement is required in the event such a major change is requested. Third, good business hygiene requires an insured to maintain written policies requiring different forms of verification. If a request is received by phone call, employees should hang up and call back a designated number (not the one from which the new call was received) and keep track of changes to those designated numbers, so that a rapid succession of a (fraudulent) change to the contact number followed by a request for an account change or wire transfer will cause some questions to be raised. Fourth, good employee training should include tips that employees should limit the types of business information they post on social media. Criminals often mine these sources for information that they can use to create a more targeted and realistic message. In particular, posting a very detailed vacation notice may allow criminals an opportunity to take advantage of an employee by pretending to be that employee while he or she is away. Fifth, companies should be educating employees about phishing scams by showing them numerous examples and issuing warnings about the latest types of scams. Finally, companies should consider creating a centralized e-mail address to which employees can forward suspicious messages for a technology group to review.

87 Willis Finex North America, Fraud Advisory: Social Engineering and How to Protect Yourself 1 (Nov. 2014) (http://www.willis.com/documents/publications/industries/Financial_institutions/20141118_50680_ALERT_Social_Engineering_11_14.pdf).
88 See, e.g., Hillary Tuttle, “6 Tips to Reduce the Risk of Social Engineering Fraud” (Feb. 1, 2016) available at http://www.rmmagazine.com/2016/02/01/6-tips-to-reduce-the-risk-of-social-engineering-fraud/.
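The verification controls described above (call back only a number already on file, treat a recent change to that number as a red flag, and require sign-off from more than one person) can be written down as a simple decision routine. The following is an added example, not from the paper or any insurer's program; the vendor data, the 30-day look-back window and the senior-approval threshold are constructed assumptions.

```python
"""Vendor bank-account change control (added example; names, thresholds and
sample data are constructed for illustration, not taken from the paper)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

CONTACT_CHANGE_WINDOW = timedelta(days=30)  # assumed look-back window
SENIOR_APPROVAL_THRESHOLD = 100_000         # assumed amount, in dollars


@dataclass
class Vendor:
    name: str
    phone_on_file: str        # the designated call-back number
    phone_changed_on: date    # when phone_on_file was last updated
    account_on_file: str


@dataclass
class ChangeRequest:
    vendor: Vendor
    new_account: str
    phone_in_request: str     # number the message asks us to call
    submitted_by: str         # employee who logged the request
    submitted_on: date
    pending_amount: float = 0.0  # payments due to the new account


@dataclass
class Decision:
    callback_number: str      # always the number on file, never the requested one
    flags: list = field(default_factory=list)
    approvals_needed: int = 2  # dual sign-off by default


def evaluate(req: ChangeRequest) -> Decision:
    """Decide whom to call back and which warning signs the request carries."""
    v = req.vendor
    d = Decision(callback_number=v.phone_on_file)
    if req.phone_in_request != v.phone_on_file:
        d.flags.append("call-back number in request differs from number on file")
    if req.submitted_on - v.phone_changed_on <= CONTACT_CHANGE_WINDOW:
        d.flags.append("contact number on file changed within look-back window")
    if req.pending_amount >= SENIOR_APPROVAL_THRESHOLD:
        d.approvals_needed = 3
        d.flags.append("amount over threshold; senior management approval required")
    return d


def can_apply(req: ChangeRequest, decision: Decision,
              approvers: list, callback_confirmed: bool) -> bool:
    """Allow the change only after the call-back to the number on file succeeded
    and enough distinct approvers, none of them the submitter, signed off."""
    distinct = {a for a in approvers if a != req.submitted_by}
    return callback_confirmed and len(distinct) >= decision.approvals_needed


if __name__ == "__main__":
    # Constructed scenario: contact number changed three days before the
    # account-change request arrived, and the request supplies its own number.
    acme = Vendor("Acme Supply (constructed)", "+1-555-0100",
                  date(2019, 9, 15), "ACCT-OLD")
    req = ChangeRequest(acme, "ACCT-NEW", "+1-555-0199", "ap.clerk",
                        date(2019, 9, 18), pending_amount=250_000)
    decision = evaluate(req)
    print("call back:", decision.callback_number)
    for f in decision.flags:
        print("flag:", f)
    print("apply?", can_apply(req, decision, ["ap.clerk", "controller"], True))
```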

C. Don’t Forget the Common Sense

As a final thought, although an employee may not be able to rely solely on common sense, it can go a long way. Many Social Engineering scams carry signs of fraud that even a lay person can detect, if the employee just pays a bit of attention. Social Engineering may involve emails with serious misspellings or broken English. Anything that comes in the middle of the night or just seems strange begs for more attention. A request that comes out of the blue and is completely inconsistent with the practices of an actual known vendor should raise questions. For example, in a New York state court,89 the victim of a Social Engineering scheme is suing a third-party administrator who was duped into wiring out the victim’s funds. The fraudster was purporting to be the victim and directing the administrator to wire funds. In reality, the victim had not requested the transfers. According to the victimized company, the third-party administrator should have been on high alert when it received these fake requests because they were completely outside of the norm compared to anything the victim had ever asked the administrator to do before. He or she who has the last opportunity to avoid the bad consequence should do what he or she can. Asking an extra question won’t take much time, but may save a lot of money.

VII. The Reason for a Call to Action: Expanding Computer Fraud to Everything Arising Out of Use of a Computer Results in the Unsustainable “All Fraud” Policy

When an insurer is asked to cover a Social Engineering loss under a Computer Fraud policy, it is asked to pay for a risk that it never analyzed or underwrote. The insurer in that scenario did not calculate its premium, limits, or deductible based on Social Engineering coverage. It did not intend to cover Social Engineering. If the floodgates are opened, and Computer Fraud is analyzed as a panacea for all cyber wrongs, there is a real and adverse outcome that no one intended. A true analysis of the direct cause of loss in Computer Fraud versus Social Engineering results in one inevitable conclusion: those two paths do not cross. A loss directly caused by Computer Fraud results when no employee of the insured is involved in the actual transfer of Money. A loss directly caused by Social Engineering can occur only when the insured’s employee purposefully gives away the Money, albeit as a result of being tricked to do so. Making a true intellectual analysis of the coverage language, and applying the terms to real facts, is a critical task, and the onus is on the industry to continue to educate all the relevant players on these points.

89 Tillage Commodities Fund, L.P. v. SS&C Technologies, Inc., Index No. 654765/2016, pending before the Honorable Justice Barry Ostrager in the Supreme Court of the State of New York, County of New York.


Why is this educational process so important at this juncture? Failing to drive the scholarship and the court decisions to the true rules may mean that courts create an entire body of law that misconstrues both the language and the intent of the cybercrime insuring agreements, resulting in what can only be fairly described as an “All Fraud” policy. If the courts expand the coverage provided by Computer Fraud insuring agreements to reach any fraud that tangentially involves the use of a computer (for example, the type of Social Engineering losses discussed here), they will convert that coverage to cover all electronic fraud. Although the industry could theoretically write an insurance policy protecting against any loss caused by fraud involving a computer, that is not what exists now. Prevention of all fraud that relates in any way to a computer would seem to be impossible because of the realities of today’s business world. The use of computers is omnipresent, and virtually all written and verbal communications involve one. Thus, to hold that “Computer Fraud” means any fraud that uses a computer, even in some minor way such as e-mailing a false statement, turns “Computer Fraud” coverage into “All Fraud” coverage, certainly not the original intent of the insuring agreement.

Some courts have communicated just that critical message. In July 2016, the Ninth Circuit affirmed the district court’s award of summary judgment to Travelers in Pestmaster.90 The court’s opinion was quite short, but it made clear that it agreed with the district court’s conclusion that the phrase “fraudulently cause a transfer” required an unauthorized transfer of funds. The court also agreed with Travelers’ argument that computers are ubiquitous, and as a result, interpreting Computer Fraud to cover loss caused by any scheme involving a computer “would convert this Crime Policy into a ‘General Fraud’ Policy.”91 This, the court held, was not the intent. Although the court did note that Travelers could have drafted its language more narrowly, it nonetheless held that it did not mean to cover all fraud.

A similarly useful approach appears in the Fifth Circuit decision in Apache Corp. v. Great American Insurance Co.92 In that case, an insured’s employee received a phone call from a person identifying herself as a representative of one of the insured’s vendors, instructing the employee to change the bank-account information for its payments to the vendor. After the employee explained that any such requests had to be in writing, the insured’s accounts-payable department received an e-mail advising the insured to change the vendor’s bank-account information. Attached to the e-mail was a letter on the vendor’s letterhead, providing both the old bank-account information and the new bank-account number with instructions. An employee of the insured called the number on the vendor’s letterhead to confirm the change. After receiving confirmation, a different employee approved and implemented the change. Within one month, the actual vendor contacted the insured to inform it that the vendor had not received the $7 million that the insured had transferred to the fraudulent account. After recovering approximately $4.6 million, the insured submitted a claim to its insurer, asserting coverage under the Computer Fraud provision for $2.4 million. The insurer denied coverage, arguing that the loss did not result directly from the use of a computer and that the use of a computer did not cause the transfer of funds. The insured filed suit and both parties subsequently moved for summary judgment. The district court granted the insured’s motion, ruling that “the intervening steps of the [post e-mail] confirmation phone call and supervisory approval do not rise to the level of negating the e-mail as being a ‘substantial factor’” and that the policy would be rendered “pointless” if it covered only losses due to computer hacking.93 On appeal, the insurer argued that the loss was not covered because the e-mail did not cause a transfer and that coverage is limited to hacking and other incidents of unauthorized computer use. The Fifth Circuit agreed, vacating the judgment and ruling in favor of the insurer, reasoning that although the e-mail was part of the scheme, it was merely incidental to the occurrence of the authorized transfer of money.94 It held:

90 Pestmaster Servs. v. Travelers Cas. & Sur. Co. of Am., 656 F. App'x 332 (9th Cir. 2016).
91 Id. at 333.
92 662 F. App’x 252 (5th Cir. Oct. 18, 2016).

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. See 656 Fed. Appx. 332, 2016 U.S. App. LEXIS 13829, 2016 WL 4056068, at *1. We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between "computer" and "telephone" was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication.95

These decisions are further examples of courts that grasp the real point: there is a difference between Social Engineering that tangentially involves the use of a computer and real hacking.

Apache also reached the right result for another reason. The district court had held that the “resulting directly from” test was satisfied if the use of a computer was a “substantial factor” in the loss.96 Even if the lower court’s reliance on the “substantial factor” test was not error, which it certainly was given that the court should have correctly interpreted “directly” to mean “immediately,” there still should have been no coverage for Apache’s loss. According to the district court, the determinative question was whether the use of a computer was a substantial factor in the loss. Use of a computer in that case was merely an incidental part of the scheme that caused Apache’s loss.97 It was in no way necessary to the fraudster’s scheme. Instead, the fraudster had many choices when deciding how to communicate his request for a change in account information: an in-person request, a phone call (which he tried), a letter sent by regular mail, a letter sent by fax machine, a letter sent by e-mail, and an ordinary e-mail, among many others. That the fraudster chose the computer as his communicative tool does not make the computer a “substantial factor” in bringing about the insured’s loss. It was nothing more than the medium by which a message was conveyed. The use of a computer is not a “substantial factor” in a job candidate’s hiring when the news that he has been hired is delivered to him by e-mail. The use of a computer is not a “substantial factor” in court rulings that are delivered to parties’ inboxes by the Electronic Case Management’s notification system. In short, it does not matter how a message is conveyed. When a computer is merely the medium chosen to convey a message, it defies common sense to say that the computer is a “substantial factor” in causing the ultimate effect of that message.

93 Id. at 254.
94 Id. at 258.
95 Id.
96 Id. at 254.
97 See Pestmaster, 2014 U.S. Dist. LEXIS 108416, at *21 (use of computer “merely incidental to” loss).


One point that cannot be denied in today’s business world is that computers will be a “substantial factor” in a vast number of scenarios that insurers never meant to cover.98 In Brightpoint, the court held that the sending of a fake purchase order via a computer did not cause the ultimate transfer to the fraudster but simply “alerted the company to the fact that” someone “wished to place an order.”99 The court noted that, taken to extremes, coverage could apply if a fraudster sent an e-mail indicating he was coming to the insured’s offices to buy a product, and he then showed up in person to complete the transaction with counterfeit money.100 The court found it “obvious” that coverage was not meant to apply in that “contrived example” because “intervening events or circumstances became the direct, proximate, predominate and immediate cause of” the insured’s loss.101 As Brightpoint recognizes, if the sending of a fraudulent message by computer constitutes using a computer to directly cause an insured a loss, then nearly all fraud will be covered, which as discussed above, insurers simply cannot underwrite or afford to offer.

VIII. Conclusion

The paths of Hacking and Social Engineering do not cross in terms of coverage. The risk insured against is different. The facts are different. The direct cause of loss is different. All these distinctions matter. Computer Fraud coverage was not designed to cover every type of electronic crime. Computer Fraud insuring agreements were not designed to cover Social Engineering losses, as is evident by the fact that insurance companies are now coming out with policies that very separately and distinctly do apply to Social Engineering. Social Engineering insuring agreements look much different than Computer Fraud policies. The underwriting for the Social Engineering coverage is different.

In light of today’s risks, business owners should seriously consider a policy that will protect them from both hacking losses and Social Engineering losses. The presence of these two distinct coverages in a single policy may help to advance the scholarship regarding their distinct interpretation. After all, if they exist side by side, how can they be intended to cover the same risk? Finally, an addition to the policies specifying that if a loss is covered under Social Engineering, it cannot be covered under Computer Fraud, may help to finally put the issue to rest.

98 See Brightpoint, 2006 U.S. Dist. LEXIS 26018.
99 Id. at *19.
100 Id. at *21.
101 Id. at *22.
