Engineering Coverage for Social Engineering Schemes in Light of New Jersey Federal Court Opinion Finding No Errors and Omissions Coverage for Email Scam
It’s a cautionary tale of cyber fraud. A title agent in a real estate transaction receives an email ostensibly from the mortgage lender providing instructions for transferring the loan proceeds into a settlement bank account. After the agent transfers the funds ($520,000), it becomes apparent that the transfer instructions came from an email address that was one letter off from the mortgage lender’s actual email address – it was a scam. But it’s too late: the scammer has already withdrawn the funds from the settlement account and cannot be traced.
These were the circumstances underlying the November 17, 2020 decision by a New Jersey federal court, in Authentic Title Services, Inc. v. Greenwich Insurance Co., et al., Civil No. 18-3121 (KSH) (CLW) (D.N.J. Nov. 17, 2020). The court declined to find coverage for the fraud and resulting demand for payment from the lender under Authentic’s errors and omissions (E&O) insurance policy. In the E&O policy, the insurer agreed to pay “damages and defense expenses arising out of a claim . . . by reason of an actual or alleged negligent act or omission or personal injury, in the performance of professional services . . . .” The E&O insurer denied coverage for the claim based on an exclusion for any claim based on or arising out of “the commingling, improper use, theft, stealing, conversion, embezzlement or misappropriation of funds or accounts” (the “Theft Exclusion”). Following the denial of coverage, the title agent brought an action against the E&O insurer seeking coverage for the claim.
In deciding cross-motions for summary judgment, the New Jersey federal court reviewed the issue of whether the claim fell within the E&O policy’s Theft Exclusion based on the “theft,” “stealing,” “conversion,” or “misappropriation” of the settlement funds. Supplying dictionary definitions for the terms, which were not defined in the policy, the court determined that the Theft Exclusion unambiguously precluded coverage for the claim. Id. Specifically, the court determined that the settlement funds had been “misappropriated,” a term involving “application of another’s property or money dishonestly to one’s own use.” The court also concluded that there was no language in the Theft Exclusion that would limit its application to conduct by parties other than the insured. Therefore, the court granted the insurer’s motion for summary judgment and denied the title agent’s cross-motion for summary judgment.
The Authentic decision illustrates the importance of policyholders carefully reviewing all of their insurance policies for any gaps in coverage concerning commonly occurring cyber-crimes, such as email scams and social engineering schemes like those at issue here. Had the title agent in Authentic reviewed his E&O policy prior to the email scam discussed above, he might have been able to pay an additional premium to remove the policy’s Theft Exclusion, and/or he might have purchased additional coverage for these circumstances. Indeed, such risks are typically, and may be more appropriately, covered under a commercial crime insurance and/or fidelity insurance policy with a fraudulent transfer and/or social engineering endorsement. While crime insurance policies may sublimit social engineering and/or fraudulent transfer coverage to amounts between $100,000 and $500,000, policyholders can often seek “drop-down” excess coverage that will apply excess of the sublimits in their primary crime insurance policy to create total limits (in the excess program) that far exceed those they may be able to purchase on the primary crime form alone. In addition, some cyber insurers will also offer excess social engineering coverage for an additional premium. Authentic serves as a cautionary tale for policyholders to work with competent policyholder counsel to ensure that they have adequate insurance protection in place for renewal or policy procurement. These common coverage gaps between policies can and should be filled before your next renewal.