The Sixth Circuit recently put Travelers Insurance Company on the hook for a policyholder’s $834,000 loss when scammers posing as a vendor deceived the company into wiring money to a sham bank account through a series of emails. In the unanimous opinion, American Tooling Center Inc. v. Travelers Casualty and Surety Co. of America, 895 F.3d 455 (6th Cir. 2018), the appellate court granted summary judgment to the insured, determining that the loss was a “direct loss” that was “directly caused by” the use of a computer, as required by the insurer’s policy. Further, none of the policy exclusions barred coverage for the loss.
Travelers, in its appeal and its subsequent petition for rehearing, argued that the policyholder didn’t suffer a direct loss attributable to computer fraud because the employees took several steps, and several days elapsed, between receiving the sham emails and wiring the payments.
Federal appeals courts are split on the availability of coverage under crime policies for email-based theft schemes, also known as “phishing,” “spoofing,” or “social engineering” scams. A “social engineering” loss is accomplished by tricking an employee of a company into transferring funds to a fraudster. While several similar actions for computer fraud and cybercrime coverage remain pending across the country, insurers have started offering policies with sublimits explicitly for “social engineering” theft scams. Similarly, many traditional crime policies contain a “voluntary parting” exclusion that bars coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property.
Cybercrime insurance continues to be an evolving area of insurance coverage that requires diligent vigilance.