Numerous courts have recently addressed disputes between policyholders and insurers related to insurance coverage for so-called business email compromise (BEC) losses. There are various forms of BEC schemes, but in many, a criminal uses “fake” or fraudulent emails, social engineering, hacking, or other manipulation of the policyholder’s computer system through malware to fraudulently induce the policyholder to wire funds to a bank account controlled by the criminal. The Federal Bureau of Investigation (FBI) has described this issue as a $5 billion scam.[1]
This article provides an overview of BEC schemes and the types of policies and bonds that might apply, and then discusses recent case law addressing coverage disputes related to these losses. In many cases, policyholders may have strong arguments for coverage for BEC losses under a variety of policies, including commercial crime policies, crime-related coverage parts included in package policies offering multiple lines of coverage, and financial institution bonds, all of which may include coverage parts for so-called “computer fraud” or “funds transfer fraud.” In addition, certain insurers are now offering endorsements to crime policies that more specifically focus on BEC-related risks.
A growing number of courts across the country have considered BEC coverage claims, reaching mixed results. As discussed below, courts have considered two major defenses: (1) whether any involvement of a deceived employee of the policyholder defeats coverage and (2) whether any proof of “hacking” is required to trigger coverage. Going forward, it is likely that the courts also will focus on factual issues and expert testimony related to the criminal’s scheme. These cases are reviewed below.