On April 16, 2018, Beazley Group issued a report highlighting increased attacks on Microsoft’s cloud-based business products and services. The report stated that successful attacks are typically achieved by tricking employees into opening spoofed emails containing malicious links or fraudulent instructions designed to harvest credentials. These attacks allow hackers entry into the insured’s system, where they can search for personal information and bank records to initiate wire transfers or redirect payments to hacker-controlled bank accounts.
As serendipity would have it, the next day, the United States Court of Appeals for the Ninth Circuit affirmed a Washington federal court decision holding that a crime policy providing coverage for computer fraud did not cover financial loss for mis-wired payments resulting from a phishing scam. The case, Aqua Star United States Corporation v. Travelers Casualty and Surety Company of America, 2016 U.S. Dist. LEXIS 88985 (D. Wash. July 8, 2016), aff’d, 2018 U.S. App. LEXIS 9660 (9th Cir. Apr. 17, 2018), joins a growing collection of decisions denying computer fraud coverage for phishing scams and business email compromises.
In that case, the insured, Aqua Star, was a seafood importer conducting business with Zhanjiang Longwei Aquatic Products Industry Company Ltd. (Longwei), a vendor from which Aqua Star purchased frozen shrimp. In the summer of 2013, Longwei’s computer system was hacked. The hacker monitored email exchanges between Aqua Star and Longwei before sending fraudulent “spoofed” emails to Aqua Star, requesting the insured to change Longwei’s bank account information for future wire transfers. Aqua Star, 2016 U.S. Dist. LEXIS 88985 at *1-2. Aqua Star employees made the changes as directed. Ultimately, over $700,000 was mis-wired to the hacker’s account. Id.
Aqua Star sought coverage under a crime policy issued by Travelers. Id. at *2. The policy had Computer Fraud coverage, the insuring agreement for which stated: “The Company [Travelers] will pay the Insured for the Insured’s direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud.” Id. It also had an authorized persons exclusion, referred to by the court as “Exclusion G,” which provided that coverage:
… will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System …
Id. at *5.
The trial court held that the exclusion prohibited coverage because an Aqua Star employee, authorized to enter data into the insured’s computer system, had been the person to change the wiring information pursuant to the fraudulent email. The trial court concluded:
… the entry of Electronic Data into Aqua Star’s Computer System was an intermediate step in the chain of events that led Aqua Star to transfer funds to the hacker’s bank accounts. Because an indirect cause of the loss was the entry of Electronic Data into Aqua Star’s Computer System by someone with authority to enter the system, Exclusion G applies.
Id. at *7-8. Aqua Star argued that the exclusion was intended only to prohibit coverage where a fraud is perpetrated by an authorized user of an insured’s computer system, such as a rogue employee. The trial court disagreed, holding that “the clear language of the policy does not limit the exclusion to fraud perpetrated by an authorized user.” Id. at *9.
On appeal, the Ninth Circuit affirmed in a short and summary opinion. The Court stated that “Exclusion G unambiguously provides that the policy ‘will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System . . . .’” 2018 U.S. App. LEXIS 9660 at *2. Applying the exclusion to the underlying facts, the Ninth Circuit held that the exclusion applied:
Aqua Star’s losses resulted from employees authorized to enter its computer system changing wiring information and sending four payments to a fraudster’s account. These employees “ha[d] the authority to enter” Aqua Star’s system when they “input” Electronic Data, on Aqua Star computers, to change the wiring information and authorize the four wires. Their conduct fits squarely within the Exclusion.
Id. Notably, the court further stated that “[w]hile other contractual exclusions may also bar coverage in this case, we need not go any further.” Id.
What This Case Means
Last May, the FBI reported that losses from phishing fraud amounted to $1.6 billion in the U.S. since 2013 and $5.3 billion globally. Some cybersecurity insurance policies provide coverage for phishing scams. However, more and more courts are holding that crime policies and business owner policies that provide coverage for Computer Fraud do not.