On August 12, 2022, the U.S. District Court for the District of Minnesota entered an order in favor of Travelers Casualty and Surety Company of America, dismissing the complaint filed by SJ Computers, LLC, a Minnesota-based computer store. The case should serve as a cautionary tale to businesses across the country, underscoring the critical need to closely read the terms of any cyber insurance policies.
SJ Computers fell victim to a business email compromise attack when an attacker gained access to a purchase manager’s email account and sent the company’s CEO purchase orders, purportedly from one of SJ Computers’ existing vendors, Electronic Recyclers International Direct, with the bank account information edited. The CEO, without verifying the new bank information, sent two wire transfers to satisfy the invoices. After the payments had cleared, SJ Computers discovered the fraud and sought coverage under its cyber insurance policy, claiming that the attack was computer fraud rather than social engineering fraud because the computer fraud provision carries higher limits of coverage.
While acknowledging that lawyers had only identified three similar cases across the country, the judge identified a key distinction between those cases and this matter. The policy at issue here covers both computer fraud and social engineering fraud and makes clear that the two are mutually exclusive categories. The Travelers policy defines computer fraud, for which it provides coverage up to $1 million, “as intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a computer system.” Moreover, the policy states that entries or changes made by employees or authorized persons on the basis of fraudulent instructions are not covered. Instead, such actions constitute social engineering fraud (the provision under which Travelers agreed to cover SJ Computers), which is defined in the policy as “the intentional misleading of an employee or authorized person by a natural person impersonating [vendors, clients, employees or authorized persons] through the use of a communication.” Unfortunately for SJ Computers, this provision only provides coverage up to $100,000.
Based on the policy language, the court held that the claim was covered under the social engineering fraud provision, rather than the computer fraud provision. In a comment that underscores the important role individuals play in protecting a company, the judge stated:
“SJ Computers did not suffer a penny of financial loss when the bad actor hit ‘send’ on his email messages. And SJ Computers would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voicemail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices.”
All businesses with cyber insurance should carefully review their policies and consult with legal counsel and their brokers to fully understand the scope and limitations of what they are purchasing. As bad actors use computers and other technology in ever-changing ways to carry out attacks on businesses, the circumstances surrounding an attack and the language in these policies become even more critical to ensuring that organizations are properly insured for losses. Moreover, as this case shows, keeping employees vigilant in identifying and acting on any suspicious information they encounter is paramount to keeping an organization safe.