Despite the sophistication of fraudulent schemes, insurers are keeping up with hackers and recognizing the varied approaches in the scamming world, and courts are also taking notice.
In Mississippi Silicon Holdings, LLC v. AXIS Ins. Co., the United States District Court for the Northern District of Mississippi found no coverage for an insured who was duped into transferring $1,025,881.13 to a Bulgarian-American Credit Bank account, believing it was the account of one of its suppliers. 2020 WL 869974 (N.D. Miss. Feb. 21, 2020). The case involved Mississippi Silicon Holdings, LLC (“MSH”), a manufacturing company that makes silicon metal in Burnsville, Mississippi. Around October 2017, John Lalley (“Lalley”), MSH’s Vice President of Finance and Chief Financial Officer, received an email from an “Olga Rozina” requesting that MSH wire its future payments to a bank account at Bulgarian-American Credit Bank. The email advised that MSH should send payments to the new account due to issues the supplier was having with its account. A couple of days later, Lalley initiated MSH’s three-step verification process for transfers in excess of $100,000 and transferred a partial payment of $250,030 to the Bulgarian-American Credit Bank account identified in the email.
Around November 2017, Lalley received another email from “Olga Rozina” requesting the status of two invoices that were due. Using the same three-step verification process, MSH transferred $775,851.13 to the Bulgarian-American Credit Bank account. Then, around December 2017, an employee of the supplier called Lalley, advising that it had not received any payment from MSH for its outstanding invoices and requesting an update. After Lalley explained that the payment was made using the instructions from “Olga Rozina’s” email, the employee denied that Olga Rozina or any employee had sent such an email. Concluding the company was a victim of fraud, MSH notified its insurer, Axis Insurance Company (“Axis”), of the loss. MSH also hired a company to conduct a forensic review of the incident, which determined that bad actors breached the MSH computer system, allowing them to monitor and redirect email conversations going to and from MSH.
MSH had in place a Privatus Planetarium Insurance Policy aka Cybersecurity and Breach Response Coverage which covered claims for Social Engineering Fraud, Computer Transfer Fraud and Funds Transfer Fraud. Axis determined that the claim was covered under the Social Engineering Fraud provision of the policy, which provided, in part, as follows:
The Insurer will pay for loss of Money or Securities resulting directly from the transfer, payment, or delivery of Money or Securities from the Premises or a Transfer Account to a person, place, or account beyond the Insured Entity’s control by:
- An Employee acting in good faith reliance upon a telephone, written, or electronic instruction that purported to be a Transfer Instruction but, in fact, was not issued by a Client, Employee or Vendor; or
- Financial Institution as instructed by an Employee acting in good faith reliance upon a telephone, written, or electronic instruction that purported to be a Transfer Instruction but, in fact, was not issued by a Client, Employee or Vendor.
Axis mailed MSH a check for the $100,000 policy limit after a finding of coverage. However, MSH argued that the claim entitled it to coverage under the Computer Transfer Fraud provision of the policy and/or the Funds Transfer Fraud provision, both with policy limits of $1,000,000.
The Computer Transfer Fraud provision provides, in part, as follows:
The Insurer will pay for loss of or loss from damage to Covered Property resulting directly from Computer Transfer Fraud that causes the transfer, payment, or delivery of Covered Property from the Premises or Transfer Account to a person, place, or account beyond the Insured Entity’s control, without the Insured Entity’s knowledge or consent.
Additionally, the Funds Transfer Fraud provision provides, in part, as follows:
The insurer will pay for loss of Money or Securities resulting directly from the transfer of Money or Securities from a Transfer Account to a person, place, or account beyond the Insured Entity’s control, by a Financial Institution that relied upon a written, electronic, telegraphic, cable, or teletype instruction that purported to be a Transfer Instruction but, in fact, was issued without the Insured Entity’s knowledge or consent.
Further, the policy defined “Computer Transfer Fraud” as “the fraudulent entry of Information into or the fraudulent alteration of any Information within a Computer System.”
Under the Computer Transfer Fraud coverage, the parties disagreed on the interpretation of 1) whether the hacking must directly cause the loss in order to trigger coverage and 2) what it means for the loss to occur “without the Insured Entity’s knowledge or consent.” In response to the first issue, Axis took the position that “because the fraudulent email did not itself manipulate MSH’s computer system, but instead simply requested that MSH take affirmative action, a ‘Computer Transfer Fraud’ did not directly cause the transfers.” In other words, the three-step verification process broke the causal connection between the fraudulent email and the loss, rendering the coverage inapplicable. MSH, however, urged the court to apply a proximate cause standard and find that the fraudulent email which caused Lalley to act was sufficient to trigger coverage.
The court noted that while Olga Rozina’s emails set in motion a series of events that led to the loss, the emails did not themselves manipulate MSH’s system and automatically transfer the funds. Instead, the emails requested MSH engage in affirmative conduct to initiate the transfer to the Bulgarian-American Bank account. As a result, the court concluded that the loss did not result directly from the Computer Transfer Fraud.
With regard to the question of whether the loss occurred “without the Insured Entity’s knowledge or consent,” MSH argued that coverage is not precluded merely because the insured was aware of the transfer, and that the “knowledge or consent” requirement should be read to require that the insured have actual knowledge of material facts, like the transferee’s true identity, or consent to the transfer in light of the true facts and circumstances. However, the court rejected this argument, finding that MSH’s interpretation calls for a heightened requirement to be read into an otherwise unambiguous provision. The court found that since at least three MSH employees had knowledge of and specifically authorized the transfers, the Computer Transfer Fraud coverage was inapplicable.
The court also found the Funds Transfer Fraud coverage did not apply to MSH’s claim because it too included a “knowledge or consent” requirement similar to the Computer Transfer Fraud coverage which was not satisfied.
Prompted by MSH’s argument that the provisions in the policy are redundant and therefore should be rejected, the court clarified the types of claims covered under each provision and stated:
The Computer Transfer Fraud provision covers a loss that occurs when funds are transferred, paid, or delivered to a person, place, or account beyond the insured’s control without the insured’s knowledge or consent. While the coverage afforded under the Funds Transfer Fraud provision is similar, that provision requires that the loss involve a financial institution’s reliance on an instruction by the insured which was actually issued without the insured’s knowledge or consent. The Computer Transfer Fraud provision would apply when the insured’s system is manipulated without the insured’s knowledge and effectuates a transfer, while the Funds Transfer Fraud provision is only applicable when the financial institution relies upon an instruction from the insured which was ultimately not provided by the insured.