Of late, insurers who write crime and fidelity coverage have been “spooked” by “spoofing” scams in which bad guys use spoofed emails to trick company executives into wire transferring funds to phony accounts.
Curious about this phenomenon, I Googled “How do you spoof an email?” It’s shockingly easy, as I learned from watching YouTube how-to videos and reading scores of articles that popped up from my simple query. And the very ease of spoofing is at issue in Medidata Solutions, Inc. v. Federal Insurance Company, a matter about to be heard in the Second Circuit.
In that case, Federal wrote “Funds Transfer Fraud” and “Computer Fraud” coverage. In 2014, Medidata sustained a loss when it wire transferred close to $5 million from its account at Chase Bank to an account in a bank in China that proved to be the account of a fraudster and not the party that Medidata thought it was paying.
In the coverage contest in the District Court, both sides agreed that spoofed emails, seemingly coming from the plaintiff’s CEO, tricked authorized employees into triggering the wire transfers. Federal argued its coverage was limited to third-party hacking or otherwise a physical intrusion into the company’s computer system or bank account. But Federal contended that simple spoofing scams, resulting in authorized transfers by the insured itself, did not fit within the embrace of its coverage. The District Court disagreed with Federal’s reading of the coverage grant, finding the wording wide enough to embrace a scheme in which a spoofed email prompted an employer to trigger a wire transfer.
That this issue is central to Crime and Fidelity insurers is made plain by the amicus brief submitted by The Surety & Fidelity Association of America (SFAA), an organization that drafts fidelity and crime insurer policy forms. See, Medidata Solutions, Inc. v. Federal Insurance Company, Brief of Amicus Curiae Supporting Reversal.
In essence, SFAA argued that if the Circuit accepts the ruling below (that a simple spoofed email scam triggers computer fraud coverage), the availability of such coverage will likely either become too expensive or too burdensome because of cyber security requirements likely to be imposed by insurers.
The outcome of this contest, whether for or against Federal, will no doubt prompt wording revisions in crime and fidelity policies, and so it is a case well worth following. But as I reflect on this post, I find it a bit scary that a simple Google search explained in great detail how to perpetrate a fraud. I thought more “phishing” would be required. Look that term up if you are curious or if you want more information on how to commit a cyber-crime.
And that’s it for This and That.