An insured whose comptroller wired funds to a fraudster's account in response to a fraudulent email purporting to come from the insured's majority shareholder was found not to be covered for the losses because of the wording of its cyber insurance policy.
Sanderina, LLC v Great American Insurance Company, 2019 U.S. Dist LEXIS 154760 (Nevada), per Dorsey, J.
Facts + Issues
The insured, Sanderina, LLC (Sanderina), suffered a loss when a fraudster, posing as the company's majority shareholder, sent an email to the company's comptroller instructing her to wire funds to the fraudster's account. The sender's address in the fraudster's email was nearly identical to the majority shareholder's, except that the domain name was altered from "usfantasy.com" to "usfontasy.com". Sanderina's comptroller ultimately transferred $260,994 to the fraudster's account, of which it was later able to recover $82,234.79. Sanderina's investigation discovered that Sanderina's email system and accounts had not been hacked. Further investigation was unable to identify any unauthorized access to the insured's computer system.
Sanderina's claim against its insurer, Great American Insurance Company (Great American), was refused, and Sanderina sued Great American for breach of contract, bad faith, and breach of a Nevada fair trading statute. The insured relied upon three different coverage clauses:
- The "forgery-or-alteration provision", which covered losses "resulting directly from forgery or alteration of cheques, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money";
- The computer fraud coverage clause, which covered losses "resulting directly from the use of any computer to impersonate you, or your authorized officer or employee, to gain direct access to your computer system, or to the computer system of your financial institution, and thereby fraudulently caused the transfer of money"; and
- The funds-transfer fraud coverage clause, which covered losses "resulting directly from a fraudulent instruction directing a financial institution to transfer, pay or deliver funds from your transfer account".
The insurer applied for summary dismissal of the claim.
HELD: For the insurer; insured's claim summarily dismissed
The Court held that the forgery coverage did not apply because the fraudulent email directing a transfer did not qualify as a financial instrument as referred to in the coverage clause:
The forgery-or-alteration provision covers losses "resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money . . . ." Sanderina argues that the policy covers "forgery . . . or . . . directions to pay a sum certain in money" and that the emails contained directions to pay money. But the policy unambiguously requires "directions to pay a sum certain in money" to be "similar" to "checks, drafts, [and] promissory notes." The Ninth Circuit considered similar facts in Taylor & Lieberman v. Federal Insurance Company [681 F. App'x 627, 628 (9th Cir. 2017).] and concluded that emails containing directions to pay money were not similar to checks or drafts. So it is clear that this provision does not cover Sanderina's losses here.
The computer fraud coverage was also held to be inapplicable because there had not been direct access into the insured's computer system. The sending of an email that did not involve actually hacking into the system was held not to qualify:
In Taylor & Lieberman, the Ninth Circuit concluded that losses resulting from similar emails were not covered under a policy requiring "entry into" a computer system without authorization because "there is no support for [plaintiff's] contention that sending an email, without more, constitutes an unauthorized entry into the recipient's computer system." The "direct access" requirement here is substantially similar to the "entry into" requirement in the Taylor & Lieberman policy, and this record does not support a finding that merely sending an email to a Sanderina employee constituted direct access to Sanderina's computer system. Sanderina's 30(b)(6) representative testified that neither it nor Network Security found any evidence that the perpetrator accessed Sanderina's computer system. In its opposition, Sanderina conjectures a "high likelihood" that the perpetrator may have accessed Sanderina's computer system to "case the joint" because the emails were signed "Vic" and sent during the CEO's vacation. But Sanderina is required to "produce evidence of a genuine dispute of material fact that could satisfy its burden at trial," and Sanderina's speculation is not evidence. Because a reasonable person could not find on this record that the perpetrator directly accessed Sanderina's computer system, there is no genuine dispute of material fact for trial based on the computer-fraud provision.
Finally, the funds-transfer fraud coverage clause was also held to be inapplicable because the unwitting comptroller knew that her instructions were being sent to the bank and had consented to wire the funds. In addition, the fraudulent email which the comptroller acted upon had been sent to the insured, not to the insured's bank:
The funds-transfer fraud provision covers losses "resulting directly from a fraudulent instruction directing a financial institution to transfer, pay or deliver funds from your transfer account." The policy defines "fraudulent instruction" as a "written instruction . . . which purports to have been issued by you and which was sent or transmitted to a financial institution to establish the conditions under which transfers are to be initiated by such financial institution through an electronic funds transfer system and which was issued, forged or altered without your knowledge or consent." Sanderina argues that the funds-transfer fraud provision applies because (1) the provision covers fraudulent instructions that are indirectly transmitted to financial institution through an unwitting employee and (2) "knowledge" and "consent" require more than approval of a transfer.
But the Ninth Circuit considered a similar provision in Taylor & Lieberman and concluded that the policy did not extend to the plaintiff's losses resulting from similar emails for two reasons. First, the fraudulent instruction was not without "knowledge or consent"—plaintiff "did not know the emailed instructions were fraudulent," but it "requested and knew about the wire transfers." Second, the emails did not constitute "fraudulent . . . instructions issued to a financial institution" because the emails were sent to the plaintiff—not a financial institution.
Both reasons apply equally here. Sanderina is not a financial institution, so the fraudulent instructions were not "sent or transmitted to a financial institution." Plus, Sanderina controller Donna Atwood requested and knew about the transfers, so the fraudulent instructions were not "issued, forged or altered without [Sanderina's] knowledge or consent." So there is no disputed issue of material fact for trial on the funds-transfer fraud provision either. And, because I find that there is no disputed issue of fact as to whether the policy covers Sanderina's loss, I grant summary judgment in favor of Great American on Sanderina's breach-of-contract claim.
There are no "standard form" cyber insurance policies. Thus, this case is yet another example that insureds must be careful in bargaining for and interpreting cyber insurance policies to ensure that the coverage clauses and exclusion clauses provide them with the coverage desired.