(Article from Insurance Law Alert, February 2021)
For more information, please visit the Insurance Law Alert Resource Center.
The Fifth Circuit ruled that losses stemming from wire transfers initiated by spoofed emails were not covered by Computer Transfer Fraud or Funds Transfer Fraud coverage provisions of a commercial crime insurance policy. Mississippi Silicon Holdings, L.L.C. v. Axis Ins. Co., 2021 WL 406238 (5th Cir. Feb. 4, 2021).
An employee of MSH, a manufacturing company, received an email purportedly from one of its suppliers, directing it to change banking information for future payments. In accordance with that email, the MSH employee electronically changed the information and initiated a wire transfer. Another MSH employee authorized the transfer on the bank’s website, and during a confirmation call with the bank, a third MSH employee verbally authorized the transfer. A second payment was made, following the same three-step authorization process. Thereafter, MSH discovered that the emails were fraudulent and that the funds had been sent to hackers’ bank accounts. Axis Insurance paid MSH the $100,000 limit under a Social Engineering Fraud clause. MSH filed suit, alleging it was entitled to coverage under the Computer Transfer Fraud and Funds Transfer Fraud provisions. A Mississippi federal district court granted Axis Insurance’s summary judgment motion, finding that neither provision covered the loss. See April 2020 Alert.
The Fifth Circuit affirmed, ruling that there was no “Computer Transfer Fraud,” defined by the policy as “the fraudulent entry of Information into or the fraudulent alteration of any Information within a Computer System.” The court explained that although the scheme “involved the creation of a ‘fraudulent channel’ in MSH’s email system through which the scammers could monitor, and when necessary, alter emails,” such manipulation “does not constitute Computer Transfer Fraud” because the scammers “did not manipulate those systems through the introduction of data or programs that could independently instruct the Computer System . . . . At best, the breach allowed the fraudsters to monitor the computer system and to act based on the information they learned.”
Additionally, the court ruled that even assuming the scheme constituted Computer Transfer Fraud, other language in this provision “clearly suggests that this was not the type of scheme Axis agreed to insure MSH against.” The provision also required the transfer to be made “without the Insured Entity’s knowledge or consent.” Here, however, three MSH employees affirmatively authorized the transfer. The court deemed it irrelevant that the employees were tricked into action by the fraudulent emails, noting that the Computer Transfer Fraud provision did not provide coverage for such scenarios. By way of contrast, the court emphasized that the Social Engineering Fraud provision clearly contemplated situations such as the present one, in which an employee acts in good faith on a fraudulent instruction.
Having ruled that MSH’s knowledge of and involvement in the wire transfer precluded coverage, the court declined to address the “complicated question” of whether the loss “resulted directly from” the fraud scheme, as required by the Computer Transfer Fraud provision. Courts in other jurisdictions have applied various causation standards in determining whether the “direct” requirement has been met in similar factual circumstances.