A company that transferred $1.3 million from a customer’s payout fund in response to emailed requests from a hacker has lost its insurance offer to cover the loss.
Construction Financial Administration Services (CFAS), based in Pennsylvania, argued that the loss should be covered under its errors and omissions policy, even though the policy contained breach exclusions. CFAS argued that the breach of the client’s systems was not the cause of the loss, but that even if it was, its own negligence was also a cause, so the loss should be covered.
Federal District Court for Western Pennsylvania found that Federal Insurance Co. was correct in denying the $1.3 million claim under the breach exclusions. The wording of both exclusions “clearly contemplates losses” precipitated by fraudulent social engineering schemes such as hacking, the court found.
The policy excluded any claims “based on, arising out of, or as a result of” any unauthorized access to or use of any computer program.
Even if the exclusion did not apply, Federal was correct in denying the claim because the insured failed to notify the insurer as required before admitting liability and taking action, further noted the court.
CFAS administered a fund for construction projects, receiving funds and making payments to suppliers and contractors on behalf of clients, including SWF Construction, a company working on a border fence in Calexico, Calif., in 2017. To trigger a payment, the client would provide the person at CFAS authorized to make disbursements with a voucher for each payment request and identify the item to be invoiced.
The two wire transfers at issue — one for $600,000 and the other for $700,000 — were made by the CFAS employee in response to email requests from what he believed to be the client. However, the employee transferred the funds without first obtaining supporting documentation or position information from the client. As was later learned, the requests were frauds made by someone who had gained unauthorized access to SWF’s systems.
CFAS argued that the loss was not “based on, resulting from, or as a result of” unauthorized access to or use of a computer system. Instead, CFAS argued that its failure to obtain the proper documents was an immediate cause of the fraudulent transfer, in addition to the attacker’s access to SWF’s computer system. Because CFAS’s inability to obtain the necessary documents contributed to the company’s actions, CFAS concluded that the exclusion did not apply.
According to CFAS, a loss can have more than one cause. Even if the breach exclusion applies, a policyholder is not excluded from coverage where there is more than one cause of injury and only one of the causes is excluded, the company argued.
The insurer argued that the facts clearly fall within the exclusions, since the fraudulent user logged into the client’s email accounts and posed as one of its employees.
The court sided with Federal that “even under the narrowest construction” the language of the policy excludes CFAS’ claim.
The court rejected the idea that the wire transfers resulted from the missing paperwork. There was only one cause – the unauthorized emails – and losses caused by social engineering events such as hacking are not covered by the policy, the court said.
“The failure of CFAS to receive the proper documentation could not have caused the harm in question (here, the fraudulently induced money transfers) but for the emails precipitated by the hacker’s unauthorized access to the network of SWF. CFAS would not have sent the funds to the bank account included by the fraudster without first receiving the unauthorized emails. The existence of the loss did not depend on the existence (or its absence) of the documentation, but rather the unauthorized emails. Even more literally, CFAS would not have been able to transfer the funds to HK without the unauthorized emails, as the emails contained the account information,” the opinion states.
The court added that the policy’s language was broader than necessary for this case. Instead of limiting the breach exclusions to injuries “arising from” unauthorized access, it further excludes injuries “based on, resulting from, or as a result of any unauthorized or exceeded access to” any computer program or network. The fact that this language casts a wider net cannot be ignored, the court added.
In addition to the breach exclusions, the policy included a notice requirement under which CFAS could not settle any claim or admit any liability with respect to any claim without Federal’s prior written consent. Following the fraudulent disbursements, in response to a request from SWF, CFAS borrowed $1 million and placed these funds in SWF’s disbursement account to avoid defaulting on payments to the client’s actual subcontractors and suppliers. CFAS did not notify Federal first.
The insurer argued that CFAS breached the notice clause by responding to SWF’s demand letter with a unilateral payment of $1 million. This deprived Federal of the ability to investigate any comparative misconduct on SWF’s part, or to assess the events and its options regarding the fraudulent transfers.
The court concluded that the insurer had likely demonstrated that CFAS’s failure to notify was a sufficient basis on its own to deny coverage.