Business Email Compromise (BEC) attacks are sophisticated scams that commonly use social engineering, phishing and spoofing to compromise legitimate business email accounts. In 2017, the FBI reported receiving 15,690 BEC complaints with BEC losses topping $675 million. The FBI warns small, medium and large businesses alike that constantly expanding and evolving BEC attacks put them all at risk.
Businesses can and should take preventative measures to protect against BEC attacks, but what happens when they fail? Are BEC attacks considered a type of Computer Fraud that is covered under a standard crime insurance policy? Well…it depends.
Losses and claims associated with BEC attacks are relatively new. Standard crime insurance policies are not. Like Uber and Airbnb, BEC attacks don’t fit neatly into standard insurance policies, so coverage isn’t always clear. As expected, this coverage confusion produced coverage disputes that became coverage lawsuits.
Lawsuits can provide clarity because they require courts to interpret and apply specific insurance policies and provisions. But that’s not necessarily the case with BEC attacks, because federal appellate courts don’t agree on whether a BEC attack constitutes Computer Fraud under a standard crime policy.
Since coverage isn’t obvious one way or the other, courts must dig deep into the policy and relevant case law to determine whether coverage exists. As the following cases illustrate, this can create conflicting case law.
Apache Corporation (5th Circuit 2016). A BEC attack was part of a scam to change the account number used to pay a legitimate vendor. Apache was unaware of the fraud until the vendor told them payments were overdue. By then, approximately $7 million had been diverted to the fraudulent account.
The Fifth Circuit ruled that Apache’s losses are not covered because the BEC attack was merely incidental to an overall scheme to defraud. According to the court, most fraudulent schemes involve some form of computer-facilitated communication, and interpreting Computer Fraud to include any fraudulent scheme that uses email would convert a crime policy’s computer-fraud provision into one for general fraud. Regrettably, the court concluded, Apache sent payment for a legitimate invoice to the wrong bank account.
American Tooling Center (6th Circuit 2018). American Tooling filed a Computer Fraud claim after a BEC attack tricked its Treasurer into wiring $834,000 to a fraudulent account. The Sixth Circuit ruled that American Tooling’s losses are covered because the BEC attack constituted Computer Fraud under the crime insurance policy.
According to the court, an impersonator used a computer to send fraudulent emails that fraudulently caused American Tooling to transfer money to the impersonator. The Computer Fraud provision, the court noted, does not require that the fraud cause any computer to do anything. The court said that if the insurance company wanted to limit Computer Fraud coverage to hacking or unauthorized computer access it could have done so in the policy.
These cases didn’t involve identical facts or policy forms, yet they reveal potentially significant conceptual differences about the nature of BEC attacks and the scope of Computer Fraud coverage. Though the circumstances were quite similar, the outcomes were very different.
As a result, determining whether a BEC attack is covered under a standard crime policy may depend, at least in part, on where it occurred. This can make it difficult for businesses to effectively evaluate, mitigate and insure against the serious risk posed by BEC attacks.
Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.