(Article from Insurance Law Alert, June 2022)
A Pennsylvania district court granted an insurer’s summary judgment motion, finding that a policy exclusion for losses caused by computer-related activities barred coverage for cyber-related losses. Constr. Fin. Admin. Servs. LLC v. Fed. Ins. Co., 2022 WL 2073824 (E.D. Pa. June 9, 2022).
Construction Financial was the victim of a fraudulent scheme involving impersonating emails, resulting in wire transfers to a hacker’s account. In effectuating those transfers, a Construction Financial employee failed to follow a protocol designed to ensure legitimate invoice payments. When Construction Financial filed an insurance claim for its loss, Federal denied coverage on the basis of exclusions that applied to loss “based upon, arising from or in any consequence of any . . . unauthorized access to, or use or alteration of, any computer program, computer, computer system or communication facilities that are connected thereto.”
In response, Construction Financial argued that the losses were proximately caused by the employee’s negligence, not the unauthorized access to computers, and that under applicable North Carolina law, there is coverage when there is more than one cause of injury and only one of the causes is excluded. Rejecting this contention, the court held that the employee’s failure to obtain the necessary documentation was not an independent cause of loss. The court stated:
CFAS’s lack of receipt of proper documentation could not have caused the injury in question (here, the fraudulently-induced money transfers) without the emails precipitated by the hacker’s unauthorized access to [the] network. CFAS would not have sent the funds to the bank account included by the fraudster without first receiving the unauthorized emails. The existence of the loss did not depend on the existence (or lack thereof) of the documentation, but rather upon the unauthorized emails.
Additionally, the court noted that the exclusion contained particularly broad language that encompassed losses based upon, arising out of or “in consequence of any” computer-related losses.