No Coverage for Loss in Consequence of Social Engineering Fraud
Applying North Carolina law, a federal district court has held that an E&O insurance policy does not provide coverage for loss arising from social engineering fraud despite the fact that the insured’s negligence also contributed to the loss. Constr. Fin. Admin. Servs. LLC d/b/a CFAS v. Fed. Ins. Co., 2022 WL 2073824 (E.D. Pa. June 9, 2022).
An insurer issued an E&O Policy to a third-party construction funds company whose business required it to disburse its client funds directly to construction contractors and subcontractors. The policy contained two exclusions barring coverage for claims based upon, arising from or in consequence of “unauthorized access to, or use or alteration of . . . computer systems” and “unauthorized or exceeded authorized access to, use of or alteration of, any . . . computer system.” The policy also provided that the insured would not “settle or offer to settle any Claim . . . or otherwise assume any contractual obligation or admit any liability” without the insurer’s prior written consent.
During the policy period, an executive at the insured was duped into wiring $1.3 million of a client’s funds to a fraudster who had gained access to a subcontractor’s email system. The executive did so without following the protocols relating to confirming the authenticity of the request as outlined in the insured’s contract with its client. After discovering the fraud loss, and before providing notice to its insurer, the insured reimbursed its client for the missing funds. It later sought coverage for the loss, but its insurer declined coverage, and coverage litigation ensued.
On cross-motions for summary judgment, the court granted summary judgment to the insurer, holding that the claim was “arising from” or “in consequence of” the fraudster’s unauthorized access to or use of the subcontractor’s computer systems. The court rejected the insured’s argument that the exclusions did not apply because the insured’s own negligence in failing to authenticate the payment request was the proximate cause of the loss, explaining that the exclusion applied “so long as the excluded conduct played a role in the claimed loss.” Here, as the unauthorized access to the subcontractor’s email account played such a role, the exclusion applied.
The court also held that coverage was unavailable because the insured breached the policy’s consent clause by replacing the missing funds in its client’s account before providing notice to the insurer. The court found that the insurer was prejudiced by the unilateral settlement because it was deprived of the ability to assert defenses under the contract between the insured and its client.