Recent Cases Hold that Policyholders Are Entitled to Insurance Coverage Under Various Types of Insurance Policies for Losses Associated with Social Engineering Schemes and Ransomware Attacks
In recent weeks, several courts across the country have ruled that policyholders are entitled to insurance coverage for losses incurred as a result of social engineering schemes and ransomware attacks. Over the past few years, certain insurers have started to develop specific forms or endorsements that attempt to address this risk (either expressly affording or restricting coverage). Numerous courts across the country have addressed coverage disputes, reaching mixed results, with many of the opinions focusing on commercial crime policies. The recent cases discussed herein illustrate that, in addition to commercial crime policies, policyholders may be entitled to coverage under a wide array of policies that do not include terms that expressly address fraudulent schemes or ransomware attacks, but whose general terms may nonetheless cover such risks. For example, one court recently held that a policyholder was entitled to coverage under an Errors and Omissions (E&O) liability insurance policy for a social engineering scheme. As discussed in a recent firm alert, another court recently held that a policyholder was entitled to coverage under a property policy for losses arising from a ransomware attack. Thus, when faced with a loss, policyholders should consider their rights under a wide array of policies.
COMMERCIAL CRIME INSURANCE
On December 9, 2019, the Eleventh Circuit held that a policyholder was entitled to coverage under a commercial crime policy for a loss incurred after the policyholder wired funds to a criminal’s account based on a fraudulent scheme. See Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., No. 17-11703 (Opinion dated Dec. 9, 2019, 11th Cir.) (affirming district court’s order granting summary judgment to policyholder).
In Principle Solutions, a criminal e-mailed the controller of the policyholder purporting to be the managing director of the policyholder. The criminal’s e-mail directed the controller to work with an outside attorney to effectuate a wire “as soon as possible” with respect to a “key acquisition” that was “not public.” Shortly after receiving the criminal’s e-mail, the controller was contacted by the purported outside attorney, who requested that the controller wire funds to a bank in China.
The controller then arranged for the transfer of $1.7 million to the criminal’s bank account. When the controller spoke to the actual managing director the next day, it was discovered that the policyholder had been the victim of a scam.
The policyholder sought coverage under a commercial crime policy, which covered “Loss resulting directly from a ‘fraudulent instruction’ directing a ‘financial institution’ to debit your ‘transfer account’ and transfer, pay, or deliver ‘money’ … from that account.” The policy defined “fraudulent instruction” to include instructions sent by a person posing as an “employee” of the company. 
The insurer denied coverage based on the fact that the scheme involved separate communications (1) from the criminal purporting to be an employee of the policyholder, and (2) from the purported outside attorney. The insurer argued that the first e-mail from the criminal posing as an employee did not trigger coverage because it did not contain any specific instructions related to wiring a specific amount of money to a specific recipient. The insurer argued that the subsequent communications with the purported outside attorney did not trigger coverage because they were not from a purported “employee” of the policyholder.
The court rejected this argument, stating that “we disagree with the [insurer’s] divide-and-conquer approach. Nothing in the policy language warrants the assumption that the two emails could not be part of the same fraudulent instruction…. And reading the emails together leaves no doubt that they were part of the same fraudulent instruction.” 
The insurer also denied coverage based on its argument that the loss was not a “direct” loss given that, after the criminal sent the first e-mail purportedly from the managing director, there were various acts leading up to the funds being wired. For example, a dissenting opinion identified 11 steps in the process, including the fact that a bank’s fraud department contacted the policyholder to confirm the request. The insurer argued that “no immediate link existed between the instruction and the loss.” The court rejected this argument, holding that the phrase used in the policy (“resulting directly from”) required only “proximate causation between a covered event and a loss, not an ‘immediate’ link.” The court held that the intervening events cited by the insurer did not “sever the causal chain. Both were foreseeable consequences of the email.”
E&O LIABILITY INSURANCE
In late 2019 and early 2020, the Southern District of New York issued two rulings that rejected insurer defenses related to a claim under an E&O liability policy. See SS&C Technology Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859 (JSR) (S.D.N.Y.). In this case, the policyholder sought coverage for Loss arising from the transfer of client funds to a fraudster’s account. The policyholder was in the business of providing software and software-enabled services to thousands of clients. A criminal posed as one client using stolen credentials and requested that the policyholder transfer certain funds of the client to a Hong Kong account controlled by the criminal. Over a three-week period, the policyholder transferred $5.9 million from the client’s account to the criminal’s account. After the fraud was discovered, the actual client sued the policyholder for gross negligence and breach of its services contract. 
The policyholder sought coverage under a professional services/E&O liability policy, which covered “Loss … resulting from a Claim alleging a Wrongful Act.” The policy defined “Wrongful Act” as any “negligent act, error or omission, misstatement or misleading statement in an Insured’s performance of Professional Services for others.” Ultimately, the policyholder settled the underlying lawsuit filed by the client.
AIG agreed to cover the policyholder’s defense costs but denied coverage for the settlement payment. The policyholder then filed a coverage action. The Southern District of New York has issued two opinions rejecting defenses asserted by the insurer. First, on November 5, 2019, the court denied the insurer’s motion to dismiss the policyholder’s complaint based on a fraud exclusion in the policy, which potentially applied to claims:
alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law; provided, however, [AIG] will defend Suits that allege any of the foregoing conduct, and that are not otherwise excluded, until there is a final judgment or final adjudication against an Insured in a Suit, adverse finding of fact against an Insured in a binding arbitration proceeding or plea of guilty or no contest by an Insured as to such conduct, at which time the Insureds shall reimburse [AIG] for Defense Costs. 
AIG argued that the fraud exclusion applied not only to fraudulent conduct of the insured, “but also broadly to such acts committed by third-party fraudsters, such as here.” The court rejected this attempt to expand the scope of the fraud exclusion. The court reasoned that, even if the first sentence of the exclusion could be read to apply to any and all fraudulent conduct by anyone, the exclusion must be read in its entirety. The court held that the “provided, however” clause clearly indicated that the exclusion applied only to fraudulent conduct of the policyholder. As noted above, the “provided, however” clause refers to a “final adjudication against an Insured.” The court also reasoned that National Union’s position was inconsistent with the “very rationale” of such exclusions, e.g., that a “tortfeasor may not protect himself from liability by seeking indemnity from his insurer for damages, punitive in nature, that were imposed on him for his own intentional or reckless wrongdoing.”
Second, on January 20, 2020, the court granted summary judgment to the policyholder with respect to another defense asserted by the insurer based on the so-called “Modified Investment Advisor Exclusion Endorsement,” which potentially applied to:
Loss in conjunction with a Claim made against an Insured alleging, arising out of, based upon or attributable to . . . the exercise of any authority or discretionary control by an Insured with respect to any client’s funds or accounts.
Provided, however, that this exclusion shall not apply to any Claim arising out of your performance of Professional Services.
Notwithstanding the foregoing sentence, it is expressly understood and agreed that there shall be no coverage for the monetary value of any funds lost due to the Insured’s exercise of such authority or discretionary control . . . . 
This exclusion includes three parts. First, the exclusion potentially applies to Claims that “allege” that the policyholder “exercise[d] … authority or discretionary control . . . with respect to any client’s funds or accounts.” The second clause (the “provided, however” clause) states the exclusion does not apply to any Claim arising out of the policyholder’s performance of Professional Services. The third clause then states that, “notwithstanding” the “provided, however” clause, “there shall be no coverage for the monetary value of any funds lost due to the Insured’s exercise of such authority.”
The court rejected the insurer’s defense based on “undisputed facts [that] clearly establish that [the policyholder] lacked authority or discretionary control” over the client’s funds.  The court reasoned that the insurer was “erroneously conflating [the policyholder’s] administrative ability” to transfer funds based on written instructions from the client with “authority and control over the account.” 
For reasons that are not clear from the opinion, the court focused on the second and third sentences in the exclusion (rather than holding that the claim fell outside the basic scope of the exclusion as set forth in the first sentence). The court stated that the “parties do not dispute that the ‘provided, however’ exception to the exclusion … applies” given that the Claim arose out of the policyholder’s provision of professional services. The court then defined the “main dispute” as “whether the final ‘Notwithstanding’ clause, a carve-out to the ‘Provided, however’ clause, is applicable.” The court held that the ‘Notwithstanding’ clause did not defeat coverage on the grounds that the policyholder did not have “authority and control” over the funds.
The court also rejected the insurer’s defense on the independent ground that the insurer had not established that the money was “lost” (the third sentence refers to funds that are “lost”). The policyholder argued that the third clause potentially eliminated coverage only for funds that were “lost,” not for funds that were “stolen.” The insurer argued that the term “lost” should include funds that were stolen. After considering various dictionary definitions, the court held that the term “lost” was ambiguous and should be construed in favor of the policyholder. 
Also, as discussed in more detail in the recent firm alert cited above, the United States District Court for the District of Maryland recently held that a policyholder was entitled to coverage under a property policy for losses incurred due to a ransomware attack. See National Ink and Stitch, LLC v. State Auto Property and Casualty Ins. Co., No. SAG-18-2138 (Mem. Op. Jan. 23, 2020, D. Md.). In that case, the policyholder was the victim of a ransomware attack. Even though the policyholder paid the attacker, the criminal demanded further payment. Ultimately, the policyholder paid a security company to replace and reinstall software and to install protective software on its server. Although the computers still functioned, there was a “loss of efficiency”; the policyholder still could not access certain files; and the ransomware virus likely remained on the system and there was a risk of re-infection.
The policyholder sought coverage under a business owner’s property insurance policy, which covered, among other things, “direct physical loss of or damage to Covered Property.” The policy defined “Covered Property” to include “Electronic Media and Records (including Software),” which in turn was defined to include not only various types of media (“such as films, tapes, discs, drums or cells”), but also “data stored” on such media.
The insurer denied coverage, arguing that because the policyholder “only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience ‘direct physical loss’ as covered by the Policy.” 
The court rejected this argument, focusing in part on the fact that the policy expressly referred to “Software” and “data” stored on covered media. The court reasoned that the “plain language of the Policy contemplates that data and software are covered and can experience ‘direct physical loss or damage.’” 
The court also rejected the insurer’s position that the phrase “physical loss or damage to” required proof that the policyholder’s computer system suffered an utter inability to function. The court held that “the Policy language, and the relevant case law impose no such requirement.” The court held that “loss of use, loss of reliability, or impaired functionality” were types of “damage to” covered property sufficient to trigger coverage. The court stated that “[h]ere, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.” Based on such facts, the court granted summary judgment in favor of the policyholder.
When faced with losses arising from social engineering or ransomware attacks, policyholders should consider the potential for coverage under a wide array of policies. Policyholders also should review their current policies (and/or proposed renewed policies) to evaluate the scope of such policies and consider other products or endorsements related to such risks.
See G. Wright, “Insurance Coverage for Business Email Compromise Losses,” COVERAGE, VOL. 27, ISSUE 4, Nov. 20, 2017. See also G. Wright, Alert dated Aug. 7, 2018, “Two Federal Appellate Courts Rule That Policyholders Are Entitled to Insurance Coverage for Losses Arising from Social Engineering Schemes” (citing Medidata Solutions, Inc. v. Federal Ins. Co., No. 17-2492-cv (2d Cir. 2018) and American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014 (6th Cir. 2018)), available at http://www.klgateshub.com/details/?pub=Two-Federal-Appellate-Courts-Rule-That-Policyholders-Are-Entitled-to-Insurance-Coverage-for-Losses-Arising-from-Social-Engineering-Schemes-08-07-2018.
See L. Tanglen and E. Hoadley, Alert dated Feb. 11, 2020, “Maryland Federal Court Confirms Coverage for Ransomware Damage under Property Insurance Policy,” available at http://www.klgateshub.com/details/?pub=Maryland-Federal-Court-Confirms-Coverage-for-Ransomware-Damage-Under-Property-Insurance-Policy-02-11-2020.
Principle Solutions Group, at 4–6. In particular, the policy defined “fraudulent instruction” to include instructions to make payments, “which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [the policyholder’s] knowledge or consent.” Id. at 6.
Id. at 8.
Id. at 25–26.
Id. at 9.
Id. at 9.
Id. at 11.
See SS&C, Order dated Nov. 5, 2019, at 2–3.
Id. at 3 n.1.
Id. at 6–7.
Id. at 7.
Id. at 7.
Id. at 8.
SS&C, Order dated Jan. 20, 2020, at 8.
Id. at 9.
Id. at 11.
Id. at 9.
Id. at 9.
Id. at 12–14.
National Ink, Mem. Op. dated Jan. 23, 2020, at 1–2.
Id. at 2–3.
Id. at 4–5.
Id. at 5.
Id. at 11.
Id. at 11.