December 21, 2017 Practice Points

Insurance Claims for Business Email Compromise Losses: Best Practices

Policyholders should remember that there currently are decisions favoring policyholders on this type of coverage, and should consider responding to denials or limitations on coverage accordingly.

by Scott Godes

While data breaches and ransomware attacks have continued to be splashed across the news, a quieter, but just as dangerous, form of cyberattack has been business email compromises and social engineering fraud. These cyberattacks can take many forms, all of which ultimately result in money being wired to fraudsters.

In some instances, the fraudster poses as an employee, sending an email that looks like it came from the employee’s account, and duping someone else at the company into wiring money to the fraudster. A variation of that is a fraudster posing as a vendor of the policyholder, telling the policyholder that the vendor has changed bank accounts for payment of invoices, resulting in the policyholder making payment to a fraudster’s account and the actual vendor going unpaid. The latest variation of this type of attack involves hackers who actually gain access to the policyholder’s email accounts, sending emails directly from the policyholder’s account, and directing wires and other payments to be made to fraudsters.

Some high-level best practices for policyholders making insurance claims to cover resulting losses include:

· Check all possible policies for coverage, including, but not limited to, cyberinsurance, errors and omissions liability insurance, directors and officers liability insurance, crime insurance, all risks policies, and others.

· If the obligation to pay the losses results from obligations to a third party, consider whether those obligations should be covered by third-party liability insurance, including cyberinsurance policies with third-party liability coverage parts.

· When evaluating coverage, consider case law from around the country and the policy form language at issue, as there is a split in authority on these issues and the insurance industry has updated insurance policy forms multiple times. Also consider whether insurers’ statements to regulators about their policy language provide insight about reasonable interpretations of that language.

Policyholders should keep in mind that, in certain instances, insurance carriers have refused to cover such losses. And, under newer insurance policies with social engineering fraud endorsements, insurance carriers have taken the position that only the social engineering fraud endorsements apply—with their low sublimits of coverage. When considering insurance carrier positions, policyholders should remember that there currently are decisions favoring policyholders on this type of coverage, and should consider responding to denials or limitations on coverage accordingly.

Scott Godes is with Barnes & Thornburg LLP, Washington, DC.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).