The United States District Court for the Southern District of New York, applying Connecticut law, has concluded that a fraud exclusion is not triggered where an insured unwittingly transferred a client’s funds to third-party fraudulent actors based on spoofed emails, because the fraudulent acts were not committed by the insured.  SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859 (S.D.N.Y. Nov. 5, 2019).

The insured, a global software and software-service provider, received a series of money transfer requests via emails purportedly from its client.  Unbeknownst to the insured, the emails were in fact sent by third-party fraudsters using stolen credentials.  Based on the spoofed emails, the insured transferred over $5.9 million of its client’s funds to the fraudsters.  The insured’s client filed suit arising out of the incident, alleging gross negligence, among other claims.  The insured reported the suit to its errors and omissions insurer, which agreed to provide a defense but denied indemnity coverage based in part on the policy’s fraud exclusion, which, in relevant part, excludes coverage for claims:

alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law; provided, however, [the insurer] will defend Suits that allege any of the foregoing conduct, and that are not otherwise excluded, until there is a final judgment or final adjudication against an Insured in a Suit, adverse finding of fact against an Insured in a binding arbitration proceeding or plea of guilty or no contest by an Insured as to such conduct, at which time the Insureds shall reimburse [the insurer] for Defense Costs.

The insured ultimately filed this coverage action, asserting claims for breach of contract, declaratory relief, and bad faith, and the insurer moved to dismiss the complaint.  The court largely denied the insurer’s motion to dismiss.  First, the court rejected the insurer’s argument that the fraud exclusion applied not only to fraudulent conduct actually committed by the insured, but also to fraudulent acts committed by third parties, like the fraudsters in this case.  The court held that the fraud exclusion, when read as a whole, indicates that the relevant conduct must be committed by the insured.  At a minimum, the court found the provision ambiguous and thus construed it in favor of coverage.

Additionally, the court denied the insurer’s motion to dismiss the bad faith claim, concluding that the insured had sufficiently pleaded bad faith based on the insurer’s alleged pretextual reading of the policy and the fact that it allegedly changed in position, initially having reserved the right to deny coverage based on the fraud exclusion only to the extent the insured worked with the fraudsters.

The court granted the insurer’s motion to dismiss the claim for declaratory relief, concluding that it was duplicative of the breach of contract action since the underlying case had already been settled.