This important blog post takes a look at a critical cyber insurance case affecting Michigan businesses. This case ultimately went to the Sixth Circuit Federal Court of Appeals. This court case is a solid reminder to review your cyber insurance policy before it’s too late.
The Facts of the Case
The American Tooling Center, Inc. (ATC) CFO sent an email to YiFeng (a subcontractor) to confirm certain work was completed and to verify payments due. Somehow, this email was intercepted by an unidentified third party impersonating YiFeng. The impersonator exchanged follow-up emails with ATC, and ultimately directed the CFO to send payment to a new bank account (that the CFO never verified). This new bank account was the fraudulent bank account.
By the way, the impersonator was very slick. He used a domain called yifeng-rnould.com, when the real domain was yifeng-mould.com. Written together, an “r” and an “n” can easily look like an “m,” and at a brief glance the domain name is easily misidentified (which is what happened to the ATC CFO).
After the fraud was discovered, ATC sought recovery for its loss from Travelers Insurance Company, arguing it fell within its “Computer Fraud” coverage. Travelers denied the claim.
The relevant portion of the Travelers policy states that Travelers will pay ATC, if ATC suffers a direct loss of, or direct loss from damages to, money, securities, and other property directly caused by computer fraud.
The Arguments and Court Decision
The first and most important issue is whether there was a “direct loss.” Travelers argued the loss did not arise when ATC paid the impersonator, because ATC had already contracted with YiFeng to pay the amount; rather, the loss arose after the fraud was discovered. A simplistic argument, but one the lower federal court (United States District Court, Eastern District of Michigan) accepted when ruling for Travelers in the original case. However, the 6th Circuit reviewed the definition of “direct,” and found that whether it means “immediate” or “proximate [cause of],” ATC’s loss was a direct loss.
Then, the court reviewed whether this was an actual case of “computer fraud.” Travelers argued computer fraud requires “a computer to ‘fraudulently cause the transfer. It is not sufficient to simply use a computer and have a transfer that is fraudulent.’” Again, the court ruled for ATC, stating that “the impersonator sent ATC fraudulent emails using a computer, and these emails fraudulently caused ATC to transfer the money to the impersonator.” The court also stated Travelers’ argument was not even supported by the terms of the policy.
Finally, ATC must show the “direct loss” was “directly caused” by the computer fraud. The Sixth Circuit again ruled in favor of ATC on this one.
Travelers, as a Hail Mary, argued that its policy contained exclusions exonerating it from coverage. Under Michigan law, exclusions are strictly construed in favor of the insured and will only be enforced if they are absolutely clear and specific. The court ruled against Travelers because none of the exclusions met this threshold.
How This Case Affects You
While this was a case where an email was intercepted and a loss occurred, there are many other ways for computer scams to affect businesses. Just last week, the Detroit News ran an article about a disclosure of significant confidential information from an automobile supplier. These cases are a reminder that you can suffer serious damage for failing to understand your cyber insurance coverage, or not having the right IT security in place.
I’ve always preached to my clients the need to review their cyber insurance policy, but I think there is even more urgency now. The reason is that insurance companies are likely to modify their policies so they don’t have to pay out like Travelers. Businesses must carefully analyze their policy upon renewal to understand how this case has impacted their coverage.