Lack of Knowledge Requirement Nixes Coverage for Social Engineering Fraud Under Computer Transfer or Funds Transfer Fraud Limits
The United States District Court for the Northern District of Mississippi, applying Mississippi law, held that only a “Social Engineering Fraud” provision responded to a loss resulting when an unknown third party, posing as the insured’s vendor, sent fraudulent banking information and the insured issued payments based on that information. Miss. Silicon Holdings, LLC v. AXIS Ins. Co., 2020 WL 868874 (N.D. Miss. Feb. 21, 2020). The court, holding that the policy provisions were unambiguous, rejected the insured’s argument that the policy’s “Computer Transfer Fraud” and “Funds Transfer Fraud” provisions should apply.
The insured, a manufacturing company, received an email in October 2017 that appeared to come from its supplier but was instead sent by an unknown third party purporting to be the vendor contact. The unknown third party provided updated banking information to the insured and requested that several invoices be paid pursuant to the new banking information. The insured performed a three-step “verification” process and remitted two payments in the amounts of $250,030 and $775,851.13, following the updated payment instructions from the third party. Upon discovering the fraud and that the unknown third party had accessed its system, the manufacturer notified its insurer of the matter. The insurer concluded that the manufacturer was entitled to coverage only under the “Social Engineering Fraud” provision, with a $100,000 limit, and not the “Computer Transfer Fraud” or the “Funds Transfer Fraud” provisions, each with a $1 million limit. The manufacturer filed suit, alleging that the matter should have been covered by the other two provisions and that it was entitled to $1 million in coverage.
The court first analyzed the “Computer Transfer Fraud” provision and held that the provision did not apply because the transfer occurred with the insured’s consent. The provision provided, in relevant part, that “[t]he Insurer will pay for loss . . . resulting directly from Computer Transfer Fraud that causes the transfer, payment, or delivery . . . to a person, place, or account beyond the Insured Entity’s control, without the Insured Entity’s knowledge or consent.” (emphasis added). “Computer Transfer Fraud” was defined as “the fraudulent entry of Information into or the fraudulent alteration of any Information within a Computer System.” The insurer contended that no one entered or altered any of the information in the insured’s computer systems to directly cause the wires to be initiated. The manufacturer argued that it could recover under a proximate cause standard because the email caused the insured to initiate the wire transfers. The court rejected that argument. It held that the inclusion of the word “directly” unambiguously required that the loss result directly from “Computer Transfer Fraud,” and no direct loss occurred because the insured’s “employees, not the fraudulent emails, actually initiated and authorized the transfers.”
The court also concluded that the “without the Insured’s knowledge or consent” requirement unambiguously applied only to losses that occurred without the manufacturer’s knowledge or consent. The insured contended that this policy language should be construed only to apply when the insured knew of the actual facts—that is, that the wire instructions were fraudulent. The court disagreed. It held that “[t]he inescapable fact, however, is that the ‘without the Insured Entity’s knowledge or consent’ language is included in the provision, and coverage therefore clearly and unambiguously only applies for losses that occur without [the insured’s] knowledge or consent.” Because three of the insured’s employees authorized the transfer, the court determined that the transfer was not “without the Insured’s knowledge or consent.”
Finally, the court considered the “Funds Transfer Fraud” provision, which provided, in relevant part: “[t]he insurer will pay for loss of Money or Securities resulting directly from the transfer of Money to a person, place, or account beyond the Insured Entity’s control, by a Financial Institution that relied upon . . . [an] instruction that purported to be a Transfer Instruction but, in fact, was issued without the Insured Entity’s knowledge or consent.” Again, the court focused on the knowledge requirement and held that the provision unambiguously required that the loss occur as a result of a financial institution’s reliance on instructions given without the insured’s knowledge or consent. Because the insured’s employees were aware of and authorized the financial institution to initiate the transfers, the court held that the incident did not constitute “Funds Transfer Fraud.”