Cyber incidents can take many forms—phishing, insider theft, SQL injection, malware, denial of service, session hijacking, credential farming, or just old-fashioned “hacking.” Although many of these attack vectors rely on technical knowledge, some use deception to manipulate individuals into performing certain actions or divulging confidential information.
Commonly referred to as “social engineering,” a perpetrator can exploit human behavior to pull off a scam. Oftentimes this comes as an email, which appears to be from a trusted colleague, vendor, or business partner, asking for a wire transfer to a particular account to settle a bill or provide payment for services.
To date, many of these social engineering schemes have been denied under cyber or computer fraud insurance policies, with many insurance carriers insisting that the policies only cover hacking-type intrusions.
In recent months, this stance has been rejected—twice. Once by the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co. and once by the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America.
In both cases, the court found in favor of the policyholder in a dispute over coverage for social engineering schemes. In Medidata, the insured brought suit claiming that its losses from an email spoofing attack were covered by a computer fraud provision in its insurance policy. The provision at issue covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The court reasoned that although no hacking occurred, the perpetrators crafted computer-based spoofing code that enabled the fraudsters to send messages that appeared to come from one of Medidata’s employees. Similarly, in American Tooling, a fraudster sent a series of emails, purportedly from a vendor, requesting that American Tooling wire payments to new accounts. American Tooling wired over $800,000 before realizing that the emails were fraudulent. The court in American Tooling held that the loss was covered under the policy and that none of the asserted policy exclusions applied, finding that the emails were computer fraud that directly caused the loss.
Companies should understand the complexity and varied types of cyber incidents they face, build in mechanisms to avoid social engineering scams by validating payment and account-change requests through an independent channel before acting on them, and review their cyber and crime insurance policies to ensure that they take full advantage of available coverage. These cases also serve as a reminder to have a clear incident response policy in place and to quickly engage counsel who understands the complexities of the incident, as well as the insurance coverage, in order to minimize loss.