When cyber fraud strikes: Delineating coverage if employees are duped


The growth and sophistication of modern fraud and cyber security attacks have necessitated adaptable countermeasures by for-profit and non-profit organizations alike.

Of these countermeasures, the emergence of niche cyber crime/fraud insurance (e.g. cyber liability insurance) has given credence to the ethos that such attacks are not a matter of “if” but “when”. [1] One of the benefits of these forms of insurance is that they anticipate the pernicious reality of the causes of cyberattacks: vulnerabilities may arise from factors internal to an organization as much as from threats external to it. However, such policies, like all insurance policies, are not without their limits.

The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413

The decision of The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413 [Brick Warehouse] recently considered the limits of a funds transfer fraud policy (“Policy”). In August 2010, fraudsters orchestrated a scheme to have The Brick change payment information for a supplier, Toshiba Canada, to a new bank account controlled by the fraudsters. Over the course of a few days, the fraudsters used a combination of telephone and email impersonations of Toshiba employees in a type of fraud known as “social engineering fraud”. After $338,322.22 had been transferred to the fraudsters’ account, and a representative of Toshiba Canada inquired about a delinquent payment, The Brick discovered it had been a victim of fraud. Although police recovered some funds, $224,475.14 remained unrecovered. The Brick made a claim to Chubb Insurance under the Policy, which defines funds transfer fraud as:

The fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.

The Brick’s right to recovery turned on the scope of their knowledge and consent. Accordingly, Justice Fraser noted (at para 19) that for The Brick to recover losses pursuant to the Policy, The Brick had to:

Show that its bank transferred funds out of the Brick’s account under instructions from a third party impersonating The Brick. It is not covered if The Brick knew about, or consented to the instructions given to the bank. The insurance policy also contains in the exclusion section a clause which denies coverage if the loss is due to the insured knowingly having given or surrendered money, securities or property in exchange or on purchase to a third party, not in collusion with an employee.

In other words, the Court conditioned recovery under the Policy on the presence of fraudsters impersonating The Brick and instructing The Brick’s bank. The Court found that The Brick was not entitled to coverage because the transfer was done with The Brick’s consent and/or knowledge.

The Court considered an American decision, Taylor and Lieberman v Federal Insurance Company, 2:14-cv-03608 [Taylor], to find that an employee’s knowledge/consent to the transfer per se, despite fraudulent instructions, excluded coverage. In Taylor, the United States Court of Appeals, Ninth Circuit, characterized the relevant scope of knowledge accordingly: “Although T&L did not know that the emailed instructions were fraudulent, it did know about the wire transfers.”

Giving the undefined terms “knowledge” and “consent” their plain and ordinary meaning, the Court held that even though the fraudulent instructions came from a third party, it was The Brick, and not a third party, that caused the transfer of funds. The Brick employee did not need to give informed consent to a fraudulent transfer for The Brick to have the knowledge or consent contemplated by the definition of funds transfer fraud.

The American case law interpreting such policies has typically treated the duped employee as the basis to deny coverage for socially engineered frauds. Where the loss must result directly from a fraudulent activity, the duped employee transferring funds severs the causal nexus; and where funds must have been transferred without an insured’s knowledge or consent, as in The Brick Warehouse, the Court interpreted this to mean that, for recovery, the duped employee could neither consent to, nor have knowledge of, the transfer itself.

In a more recent decision from the United States Court of Appeals, Second Circuit, Medidata Solutions Inc. v. Federal Insurance Company, 17-2492-cv (2d Cir. 2018), a slightly different approach was taken. Applying New York law, the Court found that although the employee voluntarily and unwittingly transferred the funds to the fraudster, the insured had suffered a direct loss where a spoofing attack was the proximate cause of the losses, and the duped employee’s actions were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred”.

The Takeaway

In one sense, decisions such as The Brick Warehouse highlight the importance of carefully reading one’s insurance policy.

In another sense, such decisions and policies undermine the wisdom that cyber security breaches are not a matter of “if” but “when”. If employees of an insured who unwittingly facilitate fraud can be the deciding factor in an insured’s disentitlement to recovery under such policies, the insured ultimately bears the risk of providing adequate end-user security training.

Perhaps unsurprisingly, social engineering fraud coverage has emerged as yet another form of specialized insurance in this area.


[1] https://www.chubb.com/ca-en/business-insurance/cyber-liability-insurance.aspx