ABA Litigation Section, Insurance Coverage Litigation Committee
Fake President Fraud — What Is It, and Is It Covered?
Tucson, Arizona — March 4, 2017

“FAKE PRESIDENT FRAUD” – IS IT COVERED?

John Buchanan & Brian E. Foster[1]

A Costly 21st Century Risk

This paper collects and summarizes the case law addressing insurance coverage for “fake president fraud,” more formally known as “business email compromise” or “social engineering fraud.” A companion paper discusses this risk and its many permutations in more detail.[2] We focus here on its insurance implications.

First, a word about terminology. Many favor “fake president fraud”[3] because it so vividly describes an increasingly common scenario in the corporate workplace: a fraudster – posing as the company president or another “C-Suite” executive – fools an employee with access to corporate accounts into transferring funds to the fraudster’s own account.[4] But the fakers have not confined themselves to company executives: they have also impersonated vendors, clients, customers and attorneys.[5] Because the scam has many faces but usually relies on fraudulent email techniques such as pretexting, phishing or spear-phishing, the FBI uses the more generic term “business e-mail compromise” (or “BEC”), defined as a fraud “carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”[6] The term “social engineering” in turn refers to a scenario whereby “an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems.”[7] All these terms – fake president fraud, social engineering fraud and business email compromise – will appear in this paper as the context requires.

Whatever label we apply to this new form of computer fraud, it has unquestionably grown to costly proportions in recent years. According to information compiled from complaints filed with the FBI, BEC scams have been reported in all fifty states and more than one hundred countries.[8] Between October 2013 and May 2016, exposed dollar loss in the United States from such fraudulent schemes totaled nearly a billion dollars, and over three billion worldwide.[9]

With the spread of this novel fraud technique, many insured companies have looked to their crime insurers for protection against the resulting theft losses. Often the insurers have been reluctant to cover those losses. Coverage litigation has inevitably ensued. We summarize here as much of that litigation as could be found from publicly reported sources.

[1] John Buchanan is Senior Counsel and Brian E. Foster is an associate in the Washington, D.C. office of Covington & Burling LLP. The authors represent policyholders exclusively in coverage litigation. The opinions stated in this paper are those of the authors and should not be attributed either to their law firm or to its clients. Covington associate Sarah MacDonald and former summer associate Nick Griepsma made significant research contributions to this paper.
[2] Lucy L. Thomson, “Fake President Fraud” – What Is It?, submitted for ABA Litigation Section, Insurance Coverage Litigation Committee, Annual CLE Conference, March 1-4, 2017.
[3] See, e.g., Marsh Alert, Fake President Frauds (2014), available at http://belgium.marsh.com/Portals/95/Documents/Alert%20FPF%202pager.pdf; Deanna Cook, Lockton Companies, “Fake President” Crimes: 6 Risk Management Tips for Social Engineering Threats (June 2015), available at http://www.lockton.com/whitepapers/Cook_Social_Engineering_Fraud_June15-lr.pdf.
[4] See Federal Bureau of Investigation, Alert No. I-061416-PSA, Business E-mail Compromise: The 3.1 Billion Dollar Scam (June 14, 2016), available at https://www.ic3.gov/media/2016/160614.aspx.
[5] See id.
Coverage Litigation Involving Business Email Compromise Fraud

This species of computer fraud is still relatively recent, and relatively few courts to date have ruled on coverage disputes arising from it. The earlier coverage rulings interpreted crime policy language that was common before this fraud phenomenon became better known in the insurance industry. Such language broadly granted coverage for the use of any computer to fraudulently cause a money transfer.[10] The essential interpretive question these courts were asked to resolve was whether the presence of authorized employee actions in the causal chain of events defeated coverage under such crime policies, which typically insured losses arising from (or “directly from”) unauthorized acts. Courts were divided on whether the involvement of an employee or agent who was authorized to make legitimate funds transfers defeated such coverage, even when that authorized actor was induced by a fraudulent instruction to make an illegitimate funds transfer.[11] However, one of the more recent decisions, Aqua Star (USA) Corp. v. Travelers Casualty and Surety Co. of America,[12] reflects a shift in policy language that in turn may signal a shift in the coverage litigation over business email compromises.

[6] Id.
[7] US-CERT (U.S. Computer Emergency Readiness Team, Department of Homeland Security), Security Tip (ST04-014), Avoiding Social Engineering and Phishing Attacks (rev. Jan. 24, 2017), available at https://www.us-cert.gov/ncas/tips/ST04-014.
[8] Federal Bureau of Investigation, Alert No. I-061416-PSA, Business E-mail Compromise: The 3.1 Billion Dollar Scam (June 14, 2016), available at https://www.ic3.gov/media/2016/160614.aspx.
[9] Id.
[10] See, e.g., Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., No. CV-09-5024601-S, 2011 WL 3200296 (Conn. Super. Ct. June 24, 2011), vacated, No. CV-09-5024601-S, 2012 WL 12246940 (Conn. Super. Ct. Apr. 18, 2012).
In an apparent effort to avoid the interpretive problems encountered in the earlier cases, the policy in Aqua Star contained a special exclusion for any losses resulting directly or indirectly from authorized persons.[13] Under this wording, the court found that the loss arising from a social engineering fraud fact pattern was excluded from coverage, because it was the indirect result of an authorized employee’s action.[14] Aqua Star may represent a transitional state of coverage for this form of computer fraud as insurers adjust standard language to exclude the risk specifically, while perhaps offering specialty endorsements to cover it – for an additional premium.[15]

Decided Cases

The cases below are arranged roughly in chronological order by date of trial court decision. Most feature fact patterns that fall within the FBI’s definition of business email compromise fraud; but a few non-conforming cases are included as well, both to highlight the factual distinctions and because later decisions analyze and either distinguish or rely on them in assessing coverage for business email compromises.

Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am. (Conn. Super. Ct. 2011)

Owens, Schine and Nicola, P.C. (“Owens”), a Connecticut law firm, purchased a crime policy from Travelers.[16] In September 2008, a person purporting to be an attorney from North Carolina contacted Owens and requested the firm’s assistance in a collection matter for a Chinese client. The impersonator asked Owens to receive a check from the Connecticut-based debtor totaling $198,610; to deposit the check into Owens’ account; to deduct a fee for collecting the payment; and to write a check to the impersonator attorney’s client for $197,110. All correspondence with the purported North Carolina “attorney” and his Chinese client took place over email.[17]

Owens then received a check from the purported Connecticut-based debtor issued by Wachovia bank.[18] As requested, Owens deposited the check into an escrow account and wired the amount, less its fee, to a South Korean bank. Chase Bank later charged Owens for the entire amount, however, because the Wachovia check was found to be fraudulent. Owens filed a claim with its insurer under the computer fraud clause of its crime policy.[19] Travelers denied the claim.

The crime policy defined computer fraud as the “use of any computer to fraudulently cause a transfer of Money.”[20] Travelers argued that “in order for there to be a Computer Fraud, the transfer must occur by way of a computer ‘hacking’ incident, such as the manipulation of numbers or events through the use of a computer and in the instant case, no such computer hacking incident occurred.”[21] The trial court held, however, that “even though the policy is ambiguous as to the amount of computer usage necessary to constitute computer fraud, this ambiguity must be resolved in favor of the plaintiff.”[22] Computers played a sufficient role in this business email compromise to trigger the Computer Fraud coverage.

[11] Compare Owens, 2011 WL 3200296, at *9-*11 (finding coverage), with Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 959 N.Y.S.2d 849, 853 (N.Y. Sup. Ct. 2013) (denying coverage), aff’d, 37 N.E.3d 78 (N.Y. 2015).
[12] See Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. C14-1368RSL, 2016 WL 3655265 (W.D. Wash. July 8, 2016), appeal docketed, No. 16-35614 (9th Cir. Aug. 1, 2016).
[13] See id. at *2.
[14] Id. at *3 (ruling in favor of insurer).
[15] See, e.g., Judy Greenwald, Financial institutions to get insurance for social engineering, Business Insurance (Nov. 2, 2016), available at http://www.businessinsurance.com/article/20161102/NEWS06/912310304?template=printart. According to a recent market survey, 16 of 31 insurers offer some form of fake president fraud coverage. See Richard S. Betterley, The Betterley Report: Cyber/Privacy Insurance Market Survey 2016, at 90-93 (June 2016).
[16] Owens, 2011 WL 3200296, at *1.
The imposters “communicated with the plaintiff by an e-mail and the fraudulent check may have been created by the use of a computer even if the transfer of the money occurred when the plaintiff contacted Chase Bank in person, by telephone and in writing to direct the transfer of the money to a bank account in South Korea.”[23] Without explanation and apparently by stipulation of the parties, the court vacated the judgment the following year.[24]

Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA (N.Y. Sup. Ct. 2013)

Though Universal is not an archetypal social engineering fraud fact pattern, some courts addressing such fact patterns have looked to it for guidance. Universal is a health insurance company providing Medicare plans and other insurance products.[25] Many of the insurance claims that Universal services are auto-adjudicated through its computer system, which issues payments without manual review.[26] In 2008, Universal suffered $18 million in losses from fraudulent claims submitted by providers to the computer system. Universal did not enroll the customers into new plans itself; rather, Universal authorized third-party providers to access its system to enroll customers, which enabled the fraudsters to implement their scheme. Universal submitted a claim to its insurer, National Union, under its computer systems fraud policy.[27] The policy provided indemnification for loss “resulting directly from a fraudulent . . . entry of Electronic Data.”[28]

Universal cited Owens, but the court distinguished that case, noting that the Owens policy “did not use the specific term, ‘fraudulent entry of electronic data,’ that is used here.”[29] It further noted that the Owens policy was broader than the policy at issue “in that it did not define how much computer use was required or in what manner the computer had to be used.”[30] The Universal court instead looked to a New Jersey decision, Morgan Stanley Dean Witter v. Chubb Group of Insurance Cos., where the policy covered fraudulent input of electronic data into a customer communication system.[31] That policy contained an exclusion, however, for entries made by authorized customers or employees. Because the fraud was perpetrated by customers inputting data, the Morgan Stanley court found that the policy exclusion applied to defeat coverage. Had some other party, such as a hacker or imposter, entered the data, then the policy would cover the loss.[32] The Universal court, following Morgan Stanley, held that the policy “does not extend as far as providing coverage for fraudulent claims which were entered into the system by authorized users.”[33] Adopting the same reasoning as Morgan Stanley, the Universal court held that “fraudulent entry” meant unauthorized entries by unauthorized users. “Nothing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e. to submit claims, but where the claims themselves were fraudulent.”[34]

S. Cal. Counseling Ctr. v. Great Am. Ins. Co. (C.D. Cal. 2014)

This case involved a fraud scenario analogous to that in Universal and thus distinguishable from the classic social engineering fraud fact pattern. But its emphasis on the authority of the perpetrators is similar to that of other decisions in the field. Southern California Counseling Center (“SCCC”) is a non-profit organization that entered into several agreements with Ben Franklin Payroll Services (“Ben Franklin”) under which Ben Franklin would handle SCCC’s payroll and related tax filings, payments, withholdings, and deposits.[35] These agreements established that Ben Franklin was authorized, among other things, to initiate ACH transactions against SCCC’s bank account to cover payroll and tax obligations as well as to pay Ben Franklin’s invoices. SCCC also authorized Ben Franklin to act as attorney-in-fact and to receive copies of notices and otherwise-confidential taxpayer information from the IRS pertaining to SCCC.[36] Within a few months, SCCC discovered that Ben Franklin’s CEO had been arrested and that Ben Franklin had not paid SCCC’s payroll taxes even though it had withdrawn money from SCCC’s accounts.[37]

SCCC sought coverage under a Computer Fraud Insuring Agreement issued by Great American, arguing that it had suffered a loss resulting from Ben Franklin’s use of a computer to transfer money fraudulently from SCCC’s account to itself. Great American countered that the policy did not apply to loss resulting from the dishonest acts of any authorized representative of the policyholder, and that Ben Franklin was an authorized representative.[38] The district court agreed with Great American that under the plain language of the policy, Ben Franklin was an authorized representative because SCCC expressly authorized Ben Franklin to act on its behalf, including by debiting its accounts.[39] Ben Franklin’s failure to use the funds for their intended purpose did not negate its authority to withdraw the funds in the first place.

[17] Id.
[18] Id.
[19] Id.
[20] Id. at *8.
[21] Id.
[22] Id. at *9.
[23] Id.
[24] Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., No. CV-09-5024601-S, 2012 WL 12246940 (Conn. Super. Ct. Apr. 18, 2012).
[25] 959 N.Y.S.2d at 850.
[26] Id. at 851.
[27] Id.
[28] Id.
[29] Id. at 852.
[30] Id. at 852-53.
[31] Id. at 853 (citing Morgan Stanley Dean Witter v. Chubb Group of Ins. Cos., No. UNN-L-2928-01, 2004 WL 5352285 (N.J. Super. Ct. Law Div. 2005), aff’d in part, rev’d in part, 2005 WL 3242234 (N.J. Super. Ct. App. Div. 2005)).
[32] Id.
[33] Id.
The court rejected SCCC’s argument that its agreements with Ben Franklin were void because they were fraudulently induced, noting that to decide otherwise would be to “rewrite the Policy, such that the exclusion would apply not to ‘any’ authorized representative as the Policy states, but only to authorized representatives who did not fraudulently induce their status.”[40]

In 2016, the Ninth Circuit Court of Appeals affirmed in a brief unpublished decision.[41] The panel emphasized the dictionary definitions of “authorize” and “representative,” and noted that the function of the exclusion in the policy is “to place the onus of vetting the individuals and entities whom the insured engages to stand in its shoes – and thus the risk of loss stemming from their conduct – squarely on the insured.”[42]

Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am. (C.D. Cal. 2014)

The facts of this case are strikingly similar to those of Southern California Counseling Center, which was decided in the same district court just one month earlier. Pestmaster, a pest-control company, hired Priority 1 Resource Group (“Priority 1”) to provide payroll services and executed an authorization that allowed Priority 1 to initiate ACH transfers from Pestmaster’s bank to pay salaries and payroll taxes.[43] The arrangement was in place for at least a year when, in June 2011, IRS agents “made a surprise visit to Pestmaster’s office” and revealed that Pestmaster’s payroll taxes had not been paid for five quarters, to the tune of $335,000.[44] Pestmaster promptly gave notice to Travelers of its loss, and upon Travelers’ denial of the claim in 2013, Pestmaster filed a coverage action.[45]

Pestmaster argued that its loss was covered under either the Funds Transfer Fraud or the Computer Crime insuring agreements of the crime policy it purchased from Travelers. The district court agreed with Travelers that the Fund Transfer Fraud provision did not cover losses arising from “authorized or valid electronic transactions, such as the authorized ACH transfers in this case, even though they are, or may be, associated with a fraudulent scheme.”[46] The district court also agreed with Travelers that the Computer Crime coverage did not apply because there was no unauthorized use of Pestmaster’s computer: Priority 1 was not a hacker or intruder into Pestmaster’s computers or accounts but rather was invited in by Pestmaster and authorized to access the funds that it withdrew.[47] The court further noted that the use of a computer to perpetrate Priority 1’s fraud was merely incidental, and not the direct cause of Pestmaster’s loss.[48]

On appeal, the Ninth Circuit affirmed the district court’s reasoning, agreeing that “there is no coverage under [the Funds Transfer Fraud] clause when the transfers were expressly authorized,” and that the Computer Crime agreement did not apply because “the phrase ‘fraudulently cause a transfer’ . . . require[s] an unauthorized transfer of funds.”[49] The panel also emphasized that because “computers are used in almost every business transaction,” reading Computer Crime provisions “to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy,” contrary to Travelers’ intent and Pestmaster’s reasonable expectations.[50] The appeals court vacated and remanded to consider further whether either provision covers certain funds transfers by Priority 1 that Pestmaster alleged were unauthorized.[51]

Taylor & Lieberman v. Fed. Ins. Co. (C.D. Cal. 2015)

The insured, Taylor and Lieberman (“Taylor”), is an accounting firm that issued payments and transferred funds on behalf of business management clients.[52] In 2012, an imposter fraudulently took control of a client’s email account and sent wire payment instructions to a Taylor employee.[53] The email instructed Taylor to wire $94,280.00 to an account in Malaysia. The employee believed the email to be valid and initiated the transfer process.[54] The next day, the imposter used the client’s email account to facilitate a similar payment of $98,485.90 to an account in Singapore. When the employee received a third email, this time from a different email address requesting a transfer for the same client, the fraudulent scheme was recognized, and Taylor ceased further payments. Taylor was able to retrieve $93,331.98 from the first transfer, but none of the second.[55]

Taylor then sought coverage for the loss under its crime policy. Taylor argued for coverage under the forgery, computer fraud, and funds transfer clauses of the policy.[56] The court held, however, that coverage for each clause turned on language in the policy requiring “direct loss sustained by an Insured.”[57] “In essence,” the court held, “Plaintiff is attempting to recover for a third-party loss.”[58] The court interpreted the policy to “more likely contemplate[] fraudulent violations against Plaintiff that result in a ‘direct loss’ of Plaintiff’s own money – not fraudulent violations upon which Plaintiff relies that result in a loss of a client’s money, which Plaintiff wants Defendant to reimburse.”[59]

Taylor has appealed to the Ninth Circuit. It argues that the district court erroneously held that Taylor did not suffer a “direct loss” because under controlling law, “a direct loss includes losses both to the insured’s own property, as well as to property under its control, such as when the insured is a trustee or bailee of the property.”[60] Oral argument is scheduled for February 13, 2017.

Apache Corp v. Great Am. Ins. Co. (S.D. Tex. 2015), rev’d (5th Cir. 2016)

Apache Oil Corp. sued Great American Insurance Co. (“GAIC”) for coverage under its crime policy.[61] On March 27, 2013, an Apache accounts payable employee received a phone call from a person claiming to be one of Apache’s vendors.[62] The caller wanted to change the account information for future payments to the vendor. The Apache employee notified the caller that such requests must be made in writing on official company letterhead. A few days later, Apache’s accounts payable department received an email with an attached letter appearing to be on the vendor’s letterhead requesting the account number changes.[63] Another Apache employee called the number on the letterhead to verify the request and, once approved by an Apache supervisor, changed the account where future payments would be sent. Apache sent $2.4 million to the new account before receiving notification of nonpayment from the real vendor.[64] Apache then discovered the fraudulent activity and ceased payments to the false vendor account.

The language at issue in the crime policy concerned “loss . . . resulting directly from [computer fraud].”[65] GAIC argued that “because of the human intervention that took place between the fraudulent email that was received and the loss to Plaintiff, the language ‘resulting directly from’ removes the loss in this case from coverage.”[66] The court rejected this argument, citing another Texas district court decision holding that a “corporation[] can act ‘only through its human officers and employees.’”[67] According to the court, “[t]o adopt Defendant’s reading would be to limit the scope of the policy to the point of almost non-existence. That is, if anytime some employee interaction took place between the fraud and the loss, or anytime fraud was perpetrated anyway [sic] other than a direct ‘hacking,’ the insurance company could be relieved of paying under the Policy.”[68] The court looked to the “quality or severity of the intervening acts” to determine whether the loss resulted directly from the computer fraud.[69] Here, the court held that “the intervening steps of the confirmation phone call and supervisory approval do not rise to the level of negating the email as being a ‘substantial factor’ in bringing about the loss.”[70] Apache’s request for summary judgment was granted.

GAIC appealed, with an insurance industry organization providing amicus support.[71] In October 2016 the Fifth Circuit reversed, in an opinion not selected for official publication.[72] Citing Texas courts’ preference for “uniformity when identical insurance provisions will necessarily be interpreted in various jurisdictions,” the Fifth Circuit ruling surveyed decisions interpreting computer fraud policy language and concluded that “there is cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use.”[73] Because the fake-vendor emails were only one step in a long causal chain leading to the fraudulent transfer, and because Owens Schine was the only case brought to the court’s attention that covered a loss under a computer fraud provision “when the computer use at issue was limited to email correspondence,” the Fifth Circuit held that Apache’s loss did not result “directly” from fraudulent computer use.[74]

State Bank of Bellingham v. BancInsure, Inc. (8th Cir. 2016)

While the facts of this case align more closely with conventional hacking, some decisions addressing business email compromise fraud questions have cited it. A Minnesota bank sued its insurer for coverage of a loss under its computer system fraud policy.[75] On October 27, 2011, a bank employee logged on to her work computer using her token, password, and passphrase. At the end of the day, the employee left work without removing her token from the computer or properly logging off the computer. The next day, the employee found that two unauthorized wire transfers were made from the bank’s account to two accounts in Poland.

[34] Id.
[35] S. Cal. Counseling Ctr. v. Great Am. Ins. Co., 162 F. Supp. 3d 1045, 1048-49 (C.D. Cal. 2014).
[36] Id.
[37] Id. at 1049.
[38] Id. at 1049-50.
[39] Id. at 1050-51.
[40] Id. at 1052.
[41] S. Cal. Counseling Ctr. v. Great Am. Ins. Co., --- F. App’x ---, 2016 WL 3545350 (9th Cir. June 28, 2016).
[42] Id. at *1.
[43] Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., No. CV 13-5039, 2014 WL 3844627, at *1 (C.D. Cal. July 17, 2014).
[44] Id. at *2.
[45] Id.
[46] Id. at *5.
[47] Id. at *6-*7.
[48] Id. at *7.
[49] Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332, 333 (9th Cir. 2016).
[50] Id.
[51] Id.
[52] Taylor & Lieberman v. Fed. Ins. Co., No. 2:14-CV-03608, 2015 WL 3824130, at *1 (June 18, 2015).
[53] Id.
[54] Id.
[55] Id. at *2.
[56] Id. at *2-*3.
[57] Id. at *3.
[58] Id.
[59] Id. at *4.
[60] Appellant Br. at *1, Taylor & Lieberman v. Federal Ins. Co., No. 15-56102, 2016 WL 294077 (9th Cir. filed Jan. 22, 2016).
[61] Apache Corp v. Great Am. Ins. Co., No. 4:14-CV-00237, 2015 WL 7709584, at *1 (S.D. Tex. Aug. 7, 2015).
[62] Id.
[63] Id.
[64] Id.
[65] Id. at *2.
[66] Id. at *3.
[67] Id. (quoting Citibank Texas, N.A. v. Progressive Casualty Ins. Co., No. 3:06-CV-0395-H, 2006 WL 3751301, at *7 (N.D. Tex. Dec. 21, 2006) (overturned on other grounds)).
[68] Id.
[69] Id.
[70] Id.
[71] Br. of Amicus Curiae the Sur. & Fid. Ass’n of Am. in Supp. of Appellant Great Am. Ins. Co. Urging Reversal of the District Court, Apache Corp v. Great Am. Ins. Co., No. 15-20499, 2016 WL 695469 (5th Cir. filed Feb. 16, 2016).
[72] Apache Corp. v. Great Am. Ins. Co., --- F. App’x ---, 2016 WL 6090901 (5th Cir. Oct. 18, 2016).
[73] Id. at *3, *6.
[74] Id. at *5-*7.
[75] State Bank of Bellingham v. BancInsure, Inc., 823 F.3d 456, 457 (8th Cir. 2016).
Upon investigation, the bank attributed the transfer to malware inserted by a computer hacker who made the transfers from the system that was left logged on overnight. The bank was able to retrieve one transfer, but not the second transfer totaling $485,000.00.[76] The bank sought recovery for the loss under its financial institution bond, which covered losses from forgery and computer system fraud, among other risks.[77] The insurer denied the claim, arguing that the loss was caused by employee negligence. The trial court ruled in favor of the bank, holding that the malware was the efficient and proximate cause of the loss, not the employee’s failure to follow computer policy.[78]

On appeal, the Eighth Circuit affirmed in favor of the insured bank.[79] Both parties conceded that the policy covered hacking events.[80] The insurer challenged causation, arguing that the trial court “erred in concluding that the fraudulent hacking of the computer system by a criminal third party was the overriding, or efficient and proximate, cause of the loss.”[81] The panel disagreed, holding that “an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.”[82] “Even if the employees’ negligent actions ‘played an essential role’ in the loss,” the court further held, “and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not ‘certain’ or ‘inevitable.’”[83]

Aqua Star (USA) Corp. v. Travelers Cas. and Sur. Co. of Am. (W.D. Wash. 2016)

The insured, Aqua Star, is a seafood importer, purchasing shrimp from vendors.[84] In 2013, a hacker compromised a vendor’s computer and accessed email traffic between Aqua Star and the vendor. The hacker used the information learned from the emails to impersonate the vendor in an email to Aqua Star.
In the email, the hacker directed an Aqua Star employee to change the bank account information for future payments to the vendor. The employee entered the new account information into Aqua Star’s computer system and initiated the transfers with the bank, eventually losing more than $700,000 to the hacker.[85]

Aqua Star’s crime policy covering computer fraud contained an exclusion for “loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”[86] In denying coverage, Travelers argued that the exclusion was triggered because the Aqua Star employee was authorized to input the account data into the company’s computer system. As such, the loss resulted indirectly from the employee’s input of the data.[87]

The district court agreed, granting Travelers’ motion for summary judgment.[88] According to the court, “the entry of data into the Excel spreadsheet on Aqua Star’s Computer system was an indirect cause of Aqua Star’s loss.”[89] This indirectly resulted in the loss because the entered data was later “used to prepare a packet of materials for approval of the payment by Aqua Star’s management” and was “a necessary step prior to initiating any transfer.”[90] Even if management had not reviewed the fraudulent information for approval, the Aqua Star employee used the fraudulent information when filling out the subsequent wire transfers. These actions qualified as intermediate steps in the chain of events leading to the transfer and thus brought the loss within the exclusion.[91]

The court rejected Aqua Star’s argument that the exclusion for entry of electronic data should not apply because saving the imposter email and entering the fake account information into a spreadsheet on a computer was functionally no different from writing the information on a sticky note or index card. The court noted that the exclusion “may not apply in such a case,” but “that is not the factual situation before the Court.”[92] Aqua Star has appealed to the Ninth Circuit,[93] and as of this writing, the parties are in the midst of briefing.

Principle Solutions Group, LLC v. Ironshore Indem., Inc. (N.D. Ga. 2016)

In July 2015, the controller of Principle Solutions Group, a technology staffing and consulting firm, received an email purportedly from one of the firm’s managing directors, instructing her to issue a wire transfer that day in coordination with an attorney named Mark Leach.[94] The controller then received an email from a “Mark Leach,” who claimed to be a partner at Alston & Bird. He sent instructions to wire a payment to a bank in China and followed up with the controller by phone to emphasize that the wire transfer must be completed that day. The controller logged into Principle’s online bank account to initiate the transfer. The bank’s fraud prevention unit called and emailed the controller to request verification of the transaction, including confirmation of how Mr. Leach had received the wire instructions. The controller called Mr. Leach, who said that he received the instructions from the firm’s managing director who had allegedly sent the original email. The controller relayed this information to the bank, which then released the funds to the Chinese bank.[95]

The next day, the controller spoke with the managing director and told him the wire transfer had been completed successfully.[96] The managing director of course had no knowledge of the transfer, of a Mr. Leach, or of the previous day’s emails. By the time the bank’s fraud department tried to recover the funds, it was too late: Principle suffered a $1.7 million loss.[97]

Principle filed a claim with Ironshore under a Commercial Crime policy that included coverage for “Computer and Funds Transfer Fraud.”[98] Ironshore denied coverage, and Principle filed suit. The parties filed cross-motions for summary judgment as to coverage. Principle argued that the loss was covered because it “resulted directly from the fraudulent email that appeared to have been sent by” the managing director.[99] Ironshore countered that the loss was not direct because additional information was conveyed after the email by “Mr. Leach,” and because Principle employees took additional steps to set up and approve the transfer.[100] The court found the policy language ambiguous and ruled in favor of Principle, citing the district court’s similar decision in Apache and noting that if employee action after receipt of a fraudulent email was sufficient to defeat coverage, the “provision would be rendered ‘almost pointless’ and would result in illusory coverage.”[101] In so ruling, the court rejected Ironshore’s proffer of a “Cyber Deception Coverage” endorsement that, according to Ironshore, illustrated the type of language that might provide coverage for Principle’s loss had Principle purchased it.[102] The court considered the endorsement irrelevant because it was not part of Principle’s policy, and also noted that there was no evidence that the Georgia Department of Insurance had approved the endorsement’s use.[103]

Ironshore moved for reconsideration in September 2016, asserting that the court overlooked its argument that for a loss to be covered, it must arise from a fraudulent instruction sent directly to the bank – in other words, that the fraudulent email caused Principle employees to direct the bank to execute an authorized transfer, rather than directly causing the bank to execute an unauthorized transfer.[104] After briefing on the motion for reconsideration was complete, the Fifth Circuit reversed the pro-coverage ruling in Apache, and Ironshore requested leave to supplement its argument on that basis.[105] As of this writing, the motion remains pending.

Settled/Dismissed Cases

The cases below were filed within the past two years and attracted attention because they were prime examples of social engineering fraud. They have now been dismissed, however, with no ruling on the merits. We include them as additional examples of the fact pattern and to showcase the arguments made while they were pending.

Bitpay, Inc. v. Massachusetts Bay Ins. Co. (N.D. Ga. 2015-2016)

In an inversion of the typical fact pattern, this case involved a CEO who was duped by a “fake CFO.” Bitpay, a global bitcoin payment processor, had a commercial crime policy with Massachusetts Bay Insurance Company (“MBIC”).[106] The computer fraud clause covered loss resulting “directly from the use of any computer to fraudulently cause a transfer” of property, including bitcoin, from the premises.[107] On December 11, 2014, Bitpay’s CFO, Bryan Krohn, received an email from someone impersonating a journalist requesting comment on a bitcoin industry document. The phony email “directed Mr. Krohn to a website controlled by the hacker

[76] Id. at 457-58.
[77] Id. at 458.
[78] Id. at 459.
[79] Id. at 461.
[80] See id. at 460-61.
[81] Id. at 460.
[82] Id. at 461.
[83] Id.
[84] Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. C14-1368RSL, 2016 WL 3655265, at *1 (W.D. Wash. July 8, 2016).
[85] Id.
[86] Id. at *2 (emphasis added).
[87] Id.
[88] Id. at *3-*4.
[89] Id. at *3.
[90] Id.
[91] Id.
[92] Id.
[93] Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. 16-35614 (9th Cir. Aug. 1, 2016).
[94] Principle Solutions Group, LLC v. Ironshore Indem., Inc., No. 1:15-CV-4130, 2016 WL 4618761, at *1 (N.D. Ga. Aug. 30, 2016).
[95] Id.
[96] Id. at *2.
[97] Id.
[98] Id.
[99] Id. at *4.
[100] Id.
[101] Id. at *5 (quoting Apache, 2015 WL 7709584, at *3).
[102] Id. at *3.
[103] Id.
[104] See generally Mot.
to Alter or Amend the Judgment & For Recons. with Mem. of Law in Supp., Principle Solutions Group v. Ironshore Indem. Co., No. 1:15-cv-4130 (N.D. Ga. Sept. 27, 2016). 105 See generally Mot. for Leave to File Supplemental Br. to Support Mot. to Alter or Amend the Judgment & for Recons., Principle Solutions Group v. Ironshore Indem. Co., No. 1:15-cv-4130, 2016 WL 7159169 (N.D. Ga. Oct. 31, 2016). 106 Compl. ¶¶ 6-8, Bitpay, Inc. v. Massachusetts Bay Ins. Co., No. 1:15-CV-03238, 2015 WL 5446711 (N.D. Ga. filed Sept. 15, 2015). 107 Id. ¶¶ 10-11. 14 wherein Mr. Krohn provided the credentials for his Bitpay corporate email account.” 108 The hacker, using Krohn’s credentials, then sent an email to the CEO with false information about a false transaction requiring payment approval. 109 The CEO approved and facilitated multiple transfers at the direction of the fake CFO, totaling $1.85 million.110 MBIC denied Bitpay’s claim. 111 MBIC asserted that the loss was not “direct” because an unauthorized user did not hack into Bitpay’s computer system and use that access to fraudulently cause a funds transfer. 112 According to MBIC, “there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions.” 113 MBIC cited Pestmaster in support of this distinction.114 MBIC cited both Pestmaster and Universal for the proposition that “fraudulently caused” language in a computer fraud policy precludes coverage “when an authorized person entered fraudulent data into a computer system.’” 115 Bitpay asserted that Pestmaster should be distinguished because there the insured granted an accounting firm full access to its accounts to pay taxes, and the firm failed to pay those taxes after withdrawing the funds. 
116 Bitpay argued in the alternative that Pestmaster stands for the proposition that computer fraud “exists whether the hacker actually makes the transfer or the hacker causes the transfer (e.g., via fraudulent authorization).” 117 The parties settled the case and jointly requested dismissal with prejudice on June 1, 2016. 118 Ameriforge Group Inc. v. Fed. Ins. Co. (S.D. Tex. 2016-2017) In this case, which was originally filed in Texas state court in January 2016 and removed to federal court the following month, the insured, AFGlobal, sued Federal Insurance Co. for 108 Id. ¶¶ 12-14. 109 Id. ¶¶ 15-16 & Ex. B at 2. 110 Compl. ¶ 17 & Ex. B at 2-3. 111 Id. ¶¶ 19-22 & Ex. B at 4. 112 Id. Ex. B at 3. 113 Id. 114 Id. Ex. D at 5 (citing Pestmaster, 2014 WL 3844627, at *6). 115 Id. (quoting Pestmaster, 2014 WL 3844627, at *6). 116 Id. Ex. C at 4. 117 Id. Ex. C at 3. 118 Stipulation of Dismissal with Prejudice at 1, Bitpay, Inc. v. Massachusetts Bay Ins. Co., No. 1:15-CV03238, 2016 WL 3218121 (N.D. Ga. filed June 1, 2016). 15 coverage of a social engineering fraud loss of $480,000. 119 On May 21, 2014, someone impersonating AFGlobal’s CEO Gean Stalcup emailed the company’s director of accounting. The fraudster informed the accounting employee that he was now responsible for a new matter involving an attorney named Steven Shapiro and instructed him that the new matter was to remain confidential within the company per SEC regulations. Thirty minutes later, the employee received a phone call from someone purporting to be Shapiro, informing him that due diligence fees associated with an AFGlobal acquisition of a Chinese company were needed. The employee then facilitated the $480,000 wire transfer. 120 The imposters contacted the accounting employee again on May 27 and requested an additional $18 million.121 He then became suspicious and notified his supervisors about the request. Recognizing the fraud, the company attempted to recall the transferred funds, but was unsuccessful. 
The same day, AFGlobal notified its insurer of the loss. 122 On July 7, the insurer denied AFGlobal’s claim under its crime policy provisions for forgery, computer fraud, and funds transfer fraud. 123 Federal asserted that the language of the forgery clause of the crime policy requires the forgery by a third party to be of a “Financial Instrument.” 124 The policy defined “Financial Instrument” as a check, draft, or similar written promise, order, or direction. 125 Federal asserted that the imposter’s email to the accounting employee does not qualify as a Financial Instrument, citing a federal case describing financial instrument documents as those with legal effect that can be deposited. 126 As for the computer fraud clause of the crime policy, Federal asserted that an email does not constitute “an unauthorized introduction of instructions, programmatic, or otherwise, which propagate themselves through a Computer System” per the policy language. 127 AFGlobal initially cited Owens Schine in support of its policy interpretation, but Federal pointed out that the ruling in that case had since been vacated. Additionally, Federal claimed that the term “unauthorized” requires a hacking event. Because the email address to which the imposters sent fraudulent instructions was publicly accessible, Federal asserted that the introduction of those 119 1st Am. Compl. ¶¶ 2, 7, 6-15, Ameriforge Group Inc. v. Fed. Ins. Co., No. 4:16-cv-00377, 2016 WL 1391493 (S.D. Tex. filed Mar. 10, 2016). 120 Id. ¶¶ 6-10. 121 Id. ¶¶ 10. 122 Id. ¶¶ 11-14. 123 Id. ¶ 15 & Ex. C at 1-4. 124 Id. Ex. D at 1. 125 Id. Ex. D at 2. 126 Id. (quoting Vons Cos., Inc. v. Fed. Ins. Co., 57 F. Supp. 2d 933, 945 (C.D. Cal. 1998), aff’d, 212 F.3d 489 (9th Cir. 2000) (holding that invoices did not qualify as financial instruments)). 127 Id. 16 instructions was not unauthorized. 
128 Finally, Federal noted that the email instructions could not propagate themselves because they were not capable of spreading on their own, and required AFGlobal’s affirmative authorized acts to complete the transaction. 129 Accordingly, Federal asserted that the loss was not a “Computer Fraud” as defined in the policy. 130 For similar reasons, Federal denied coverage under the funds transfer clause of the crime policy: according to Federal, that policy language requires the transfer to occur without the knowledge or consent of the insured, but AFGlobal knowingly issued the transfer instructions. 131 After some discovery, the case was dismissed with prejudice by stipulation in early February 2017. 132 Maxum Indem. Co. v. Long Beach Escrow Corp. (C.D. Cal. 2016) The insurer, Maxum, initiated a declaratory judgment action to terminate its coverage for a “fake-client” fraud loss suffered by its policyholder, Long Beach Escrow Corp (“LBEC”). 133 LBEC is an escrow company that holds and transfers funds for its real estate clients. In early 2016, hackers obtained control of the email account belonging to the managing partner of Keely Partners, a real estate firm that had been a client of LBEC’s since 2010. The imposters posed as the Keely partner and directed LBEC to transfer more than $250,000 in Keely funds to different accounts. 134 LBEC complied with the fraudulent requests, and when the scheme was uncovered, Keely sued LBEC for negligence and breach of fiduciary duty. Maxum agreed to defend LBEC in the underlying action while reserving its rights to contest coverage. 135 Maxum then filed this coverage action. This version of the business email compromise fact pattern resembles the third-party scenario of Taylor & Lieberman discussed above (at page 8), where the trial court’s ruling for the insurer is currently on appeal. For now it appears that the LBEC coverage dispute has been 128 Id. Ex. D at 2-3 (citing Universal and Pestmaster). 129 Id. Ex. D at 3. 130 Id. 
131 Id. 132 Order Of Dismissal at 1, Ameriforge Group Inc. v. Fed. Ins. Co., No. 4:16-CV-00377 (S.D. Tex. Feb. 6, 2017). 133 Compl. ¶ 1, Maxum Indem. Co. v. Long Beach Escrow Corp., No. 2:16-CV-05907, 2016 WL 4199087 (C.D. Cal. filed Aug. 8, 2016). 134 Id. ¶¶ 8-10. 135 Id. ¶¶ 10-14. 17 settled: Maxum voluntarily dismissed its complaint on September 8, 2016, with no responsive filing from LBEC. 136 Pending Cases The cases described below are still in active discovery and have not yet generated any coverage rulings. The ultimate resolution of these coverage disputes may shed further light on how policyholders and insurers will fare when fake-president (or fake-client) fraud arises under standard crime policies, and in turn may be instructive in how newly-emerging insurance products geared specifically to such fraud losses are designed and implemented. Medidata Solutions, Inc. v. Fed. Ins. Co. (S.D.N.Y.) Medidata, a cloud-based data analysis firm, purchased a Federal Insurance crime policy covering computer fraud, funds transfer fraud, and forgery. 137 On September 16, 2014, a Medidata employee received an email from an imposter purporting to be a Medidata executive. The email stated that the company was on the verge of an acquisition that required coordination with an outside attorney who would provide information necessary to finalize the deal. The imposter informed the employee that the deal was confidential and instructed complete silence on the matter. 138 The employee told the imposter that additional approval would be necessary from one of her supervisors. 139 The imposter then corresponded with the employee’s supervisors in the same manner, providing instructions to wire over $4 million to a Chinese account and to keep the matter confidential until a public announcement. A supervisor approved the requested funds, with all three involved employees believing the instructions were coming directly from the purported Medidata executive. 
140 Medidata later detected the fraud, notified the FBI, conducted internal investigations, and filed an insurance claim. Federal denied Medidata’s claim. 141 Federal cited Universal for the proposition that fraudulent entry of data requires some type of hacking event. 142 As it did in Ameriforge, Federal 136 Notice of Voluntary Dismissal (Without Prejudice), Maxum Indem. Co. v. Long Beach Escrow Corp., No. 2:16-CV-05907 (C.D. Cal. filed Sept. 8, 2016). 137 Plaintiff Medidata Solutions, Inc.’s Mem. of Law in Supp. of its Mot. for Summ. J. (“Medidata Mem.”) at 3-6, Medidata Solutions, Inc. v. Fed. Ins. Co., No. 15-CV-00907, 2015 WL 10438135 (S.D.N.Y. filed Aug. 13, 2015). 138 Id. at 7-8. 139 Id. at 8. 140 Id. at 8-9. 141 Id. at 9-10. 142 Fed. Ins. Co.’s Mem. in Supp. of its Mot. for Summ. J. at 11-12, Medidata Solutions, Inc. v. Fed. Ins. Co., No. 15-CV-00907 (S.D.N.Y. filed Aug. 13, 2015). 18 asserted that because Medidata’s email addresses are publicly accessible, the act of sending an email to a publicly known address does not rise to the necessary level of hacking intrusion, and that because the emails could not initiate a wire transfer absent employee action, there was insufficient causal nexus between the emails and the fund transfer. 143 Medidata argued that if the policy intended to limit coverage to hacking, it could have expressly so stated, but did not. 144 Medidata also argued that the entry of fraudulent data occurred when the imposter falsified the purported sender email address to match the Medidata executive’s address rather than the true source. 
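Medidata’s argument that the entry of fraudulent data lay in the falsified sender address turns on facts that are recorded in message headers, which is also where a recipient organization can look before any employee acts on an email that claims to come from an executive. The following Python is an added example, not code from the paper or from any party’s filings; the corporate domain, the executive roster and the three sample messages are constructed for illustration and the indicator names are our own.

```python
"""Header-level checks for a suspected "fake president" email.

Added example; constructed data. The corporate domain, executive roster
and the three sample messages below are hypothetical and are not drawn
from the Medidata filings or from any other case discussed in the paper.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical corporate domain and executive roster (assumptions).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if the address is malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw: str) -> list[str]:
    """Return the indicators that fire for a raw RFC 5322 message (empty list = none).

    display-name-mismatch : From display name matches a known executive,
                            but the address is not that executive's address
    external-from         : From address is not on the corporate domain
    reply-to-mismatch     : Reply-To domain differs from the From domain
    auth-fail             : Authentication-Results reports an SPF/DKIM/DMARC
                            failure for the sending domain
    """
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append("display-name-mismatch")
    if _domain(from_addr) != INTERNAL_DOMAIN:
        findings.append("external-from")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-mismatch")

    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", auth, re.I):
        findings.append("auth-fail")
    return findings


# Constructed sample 1: From on a look-alike domain, external Reply-To, SPF failure.
SPOOFED_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: Jane Doe <ceo.urgent@mail-relay.invalid>
To: controller@example.com
Subject: Confidential wire today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-corp.co; dkim=none

Please wire the funds today and keep this strictly confidential.
"""

# Constructed sample 2: free-mail account borrowing the executive's display name.
# SPF and DKIM pass for the free-mail domain, so authentication alone does not catch it.
WEBMAIL_SAMPLE = """\
From: Jane Doe <janedoe.ceo@webmail.invalid>
To: controller@example.com
Subject: Urgent request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail.invalid; dkim=pass header.d=webmail.invalid

Are you at your desk? I need a payment processed.
"""

# Constructed sample 3: genuine internal message; no indicator should fire.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Attached are the figures we discussed.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_SAMPLE), ("webmail", WEBMAIL_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(f"{label}: {analyze_headers(sample) or 'no indicators'}")
```

Running the script lists the indicators for each sample. The second sample is the one worth noting in the context of this case: SPF and DKIM authenticate the sending domain, not the person named in the display line, so a passing authentication result says nothing about whether the message came from the executive it purports to be from, and a payment-approval workflow that relies on authentication alone will wave such a message through.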
Additionally, Medidata asserted that causation is satisfied because the Medidata employees merely acted as “conduits for the fraudulent instructions.” [145] The parties cross-moved for early summary judgment, but the court denied both motions without prejudice “due to an insufficient record.” [146] The court granted leave for limited expert discovery focused on “establishing the method in which the perpetrator sent its emails to plaintiff and discussing what alterations, if any, were made to plaintiff’s computer systems when the emails were received.” [147] This emphasis on computer methods and alterations may indicate that the court is inclined to focus on the technical details underlying the use of electronic communications and data systems to perpetrate the fraud. On May 13, 2016, the parties submitted a joint stipulation of findings resulting from this expert discovery, but wrote separate letter briefs in June to place the joint findings into the context of each party’s summary judgment position. The parties have filed multiple follow-up letters between June and October 2016, but no further activity appears on the docket.

[143] Id. at 12-13.
[144] Medidata Mem. at 18.
[145] Id. at 19-21.
[146] Medidata Solutions, Inc. v. Fed. Ins. Co., No. 15-CV-00907, 2016 WL 7176978, at *1 (S.D.N.Y. Mar. 9, 2016).
[147] Id.

Quality Sausage Co. v. Twin City Fire Ins. Co. (S.D. Tex.)

According to its complaint, Quality Sausage Company (“QSC”) and its subsidiary, HM International LLC (“HMI”), are covered under a policy issued by Twin City that includes D&O coverage, an Entity Liability insuring agreement, and a Crime Coverage part that includes a Computer and Funds Transfer insuring agreement. [148] HMI provides accounting, tax preparation, insurance procurement, and other financial services to its clients. In January 2015, the vice president, chief administrator and secretary of HMI received an email purportedly from an HMI client instructing HMI to wire $1 million from the client’s account in Arizona to another account in South Carolina. Two days later, another email from the client requested a transfer to yet another account. The HMI officer called the client to confirm the request and learned that the client had not sent either email. Most of the $1 million transferred to South Carolina had in the interim been transferred to a bank in Singapore. [149] QSC provided notice of the loss through its broker. HMI’s client sent a demand letter seeking to hold HMI responsible for the loss; HMI forwarded the letter to Twin City and again demanded coverage and a defense under at least the D&O provisions of the policy. Twin City denied coverage under the professional services exclusion, and further refused to accept liability under the Crime Coverage part. [150] As of this writing, the case docket shows no substantive entries after the complaint filing.

[148] Compl. ¶¶ 9-16, Quality Sausage Co. v. Twin City Fire Ins. Co., No. 4:17-cv-111, 2017 WL 189494 (S.D. Tex. filed Jan. 13, 2017).
[149] Id. ¶¶ 21-34.
[150] Id. ¶¶ 39-46.

Conclusions

Among the relatively few coverage decisions to date that have addressed coverage for losses from business email compromise, even fewer decisions favoring coverage have survived as binding precedents. For example, the earliest public-record decision, in Owens (discussed above at 3-4), found coverage but was then strategically settled to vacate its judgment. [151] The coverage-favoring Apache decision (discussed above at 9-10) was appealed with insurance industry amicus support, and reversed by the Fifth Circuit, albeit in an unpublished decision. [152] The Principle Solutions Group decision (discussed above at 13-14), finding coverage for a loss arising from “fake-lawyer” social engineering fraud, has been challenged by the insurer in the wake of the Apache reversal. [153] And while the State Bank of Bellingham decision (discussed above at 10-11) remains good law, its finding of coverage can be distinguished as involving a direct computer hack rather than an imposter’s social engineering fraud or some other form of business email compromise. [154]

In sum, for a company purchasing insurance, the case law offers far from certain comfort that traditional crime policies or financial institution bonds will provide protection for this novel form of fraud risk. Since these coverage issues first emerged, moreover, insurers have learned to exclude business email compromise risk specifically – or to cover it specifically for an additional premium. [155] These newly minted “social engineering” endorsements are neither uniform nor always skillfully drafted. Therefore, the coverage disputes going forward may turn on the interpretation of highly specialized policy terms and their application to highly specific fact patterns.

Looking ahead, prudent policyholders need to pay careful attention both to their vulnerability to this 21st-century fraud risk and to appropriate risk management measures. This will require close review of the terms of both crime and cyber insurance programs at the underwriting stage. Policyholders must be prepared to negotiate amendments to standard wordings; to survey the market for purpose-built specialty coverage and to request both further clarification of inartful wordings and adequate sublimits, if necessary; or simply to self-insure the risk of fake president fraud.

[151] Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., No. CV-09-5024601-S, 2011 WL 3200296 (Conn. Super. Ct. June 24, 2011), vacated, 2012 WL 12246940 (Conn. Super. Ct. Apr. 18, 2012).
[152] Apache Corp. v. Great Am. Ins. Co., --- F. App’x ---, 2016 WL 6090901 (5th Cir. Oct. 18, 2016).
[153] Mot. for Leave to File Supplemental Br. to Support Mot. to Alter or Amend the Judgment & for Recons., Principle Solutions Group v. Ironshore Indem. Co., No. 1:15-cv-4130, 2016 WL 7159169 (N.D. Ga. Oct. 31, 2016).
[154] See State Bank of Bellingham v. BancInsure, Inc., 823 F.3d at 457.
[155] For a list of insurers claiming to offer some form of social engineering fraud or “deceptive funds transfer” coverage, see Richard S. Betterley, The Betterley Report: Cyber/Privacy Insurance Market Survey 2016, at 90-93 (June 2016).