Computer System Fraud and Funds Transfer Fraud Coverages Extended to "Spoofing"


By: Richard E. Wirick
Computer theft insurance takes many forms. Under traditional commercial criminal theft products, coverage only applies if there is a “fraudulent (a) entry into…a Computer; [and] (b) a change to Data elements or program logic of a Computer System.”
Let’s take two examples of claims, one covered and one proving problematic. In the first scenario, a third-party hacker hacks into an insured’s computer system, causing it to transfer the funds from the insured’s account into the hacker’s bank account. In the second scenario, a hacker “spoofs” the same result. That is, he emails the insured, fraudulently misrepresenting that he is one of the insured’s clients, and urges the insured to make a transfer to an offshore lender. Note that “spoofing” works because it tricks the insured’s email server into recognizing the fraudulent email as one that originated from the insured’s client or an agent of the insured’s client.
While coverage has often been found for scenario one, recognizing that the hacker had in fact gained access to and hence “used the [insured’s] computer to…fraudulently cause a transfer from inside [the insured’s premises] to an… outside person,” the second scenario has proven more difficult for policyholders to argue for coverage because it is typically not recognized as the “use of a computer” to “cause a transfer” of money from within an insured’s premises to an outside destination. “To interpret the computer-fraud provision as reaching any fraudulent scheme in which [a computer] communication was part of the process would convert [that] provision into one for general fraud.” Apache Corp. v. Great American Ins. Co., 662 F. App’x. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017).
Recently, the U.S. District Court for the Southern District of New York issued an opinion that will be argued by policyholders seeking coverage for scenario two. Medidata Sols., Inc. v. Fed. Ins. Co., No. CV-00907, 2017 U.S. Dist. LEXIS 122210 (S.D.N.Y. July 21, 2017). Medidata’s accounting department received a phony email, purportedly from the company’s president, stating that an attorney would be contacting them. Although the email contained the president’s correct email address on the “from” line (and his picture), it was a “spoof.” After a phone call and a second email by the hacker to accounting and high-level executives, Medidata wired $4.7 million to an offshore bank, and into the hacker’s hands.
The insurer argued there was no coverage under the Computer Fraud Coverage in the “Crime Coverage Section” of an “Executive Protection” policy because there was no “fraudulent entry of Data into [a] computer system,” since the information instructing the transfer went to an “inbox…open to…any member of the public.” The Medidata court disagreed. It held that the president’s address in the “from” line constituted “data,” entered by the hacker, posing as the company’s president. This satisfied the requirements that the third party entered the insured’s computer system and “used” it to effectuate a fraudulent transfer.
On the Funds Transfer Fraud Coverage of the “Crime Coverage Section,” the issue was whether the transfer was “without Medidata’s knowledge or consent.” The Court held that the fact that the accounts payable employee willingly pressed the “send” icon does not transform the bank wire into a valid transaction, since the validity of the wire transfer depended upon several high-level employees’ knowledge and consent, which was only obtained by “larceny by trick.”
The decision can be expected to be appealed by the insurer. The Medidata decision’s extension of the concept of “use” or “violation” in computer fraud coverage parts to the ever-increasing practice of “spoofing” is a novel interpretation of the coverage that was at issue and an area that we anticipate will continue to be reviewed by the courts.