- Emergency Consultation Services
- Risk Management Services
- Who We Are
- Our People
- What We Do
- Why We Are Different
- What’s New
- Where We Are
By: Allen Sattler
Business email compromise (“BEC”) claims consist of incidents where cyber criminals access or use a company’s email system to commit a crime, usually for financial gain and often including the use of trickery to convince an employee to wire transfer corporate funds to the criminal’s account. According to statistics reported by the FBI, BEC claims are on the rise, especially in the last three years. In 2016, there was a 2,370% increase in email account compromise attacks, involving losses of nearly $346 million, and the frequency of BEC claims continues to rise.
Several insurers offer coverage for BEC claims, including for losses sustained as the result of fraudulent wire transfer. In American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of Am., 5:16-cv-12108 (6th Cir 2018), the Sixth Circuit became the latest federal appeals court to interpret an insurance policy that included coverage for fraudulent wire transfers. In a decision dated July 13, 2018, the Sixth Circuit ruled that the crime policy provides coverage for the loss incurred by the insured.
American Tooling Center (“ATC”), a Michigan manufacturer in the automobile industry, hired a Chinese company to manufacture stamp dies. To receive payment for its work, the Chinese company would send invoices to ATC, and ATC would route payment to its vendor via wire transfer. In 2015, a person outside the company intercepted an email from ATC to its vendor. That person impersonated an employee of the vendor and told ATC that because of an audit, ATC should wire transfer payment on its outstanding invoices to a different bank account. ATC complied with the instructions and wired over $800,000 to the thief’s bank account. The thief was never identified, and the money was not recovered.
ATC made a claim to its insurer pursuant to a “Computer Fraud” provision of its crime policy to recover the money lost. The insurer denied coverage, arguing that ATC did not suffer a loss until it eventually paid the outstanding invoices to the Chinese vendors, and that ATC therefore did not suffer a “direct loss” as required by the policy wording. The insurer also argued that the acts by ATC in changing the bank account information without verification constituted intervening acts that break the chain of causation. The Sixth Circuit disagreed, holding that ATC immediately lost the money when it wired the money to the thief, and that the thief’s instructions to ATC directly caused the loss. The Court also rejected an argument by the insurer that the policy required that the thief first gain access to ATC’s computer systems prior to triggering coverage, and that here, the thief did not hack into the email system to commit the fraud. The Court ruled that the policy language was not so limited.
The insurer sought reconsideration of the ruling, which the Sixth Circuit recently denied.
If you have any questions or would like more information, please contact Allen Sattler at [email protected].