Employees continue to jeopardize cybersecurity insurance coverage

Lately, this blog has covered a number of cases between insureds and their insurance companies over losses resulting from cyberattacks. In several of these cases, insurance policies have not provided coverage for losses.

However, a recent decision from a federal district court in Georgia ruled that an insured did have coverage after it fell victim to a social engineering attack. In Principle Solutions Group v. Ironshore Indemnity, an asset management company was tricked into wiring more than $1 million to a fraudster’s overseas bank account. Principle Solutions Group (“PSG”) is an asset management company for high-wealth individuals. PSG’s clients provide PSG with a power of attorney, access to bank accounts, and access to other facets of their lives so that PSG can manage their clients’ affairs.

One morning, PSG’s controller received an email from an individual claiming to be one of PSG’s managing directors. The timeline of the subsequent events demonstrates how quickly social engineering fraud can occur.

At 9:10 am, the controller received an email from fraudsters that purported to be from one of PSG’s managing directors. The email instructed the controller to work with an attorney who would be contacting the controller. The lawyer, who was also a fraudster, sent an email to the controller providing wire instructions that the lawyer claimed were from the managing director.

At 10:15 am, the lawyer called the controller, and told the controller that the wire had to be completed that day, and that the lawyer had the managing director’s full approval to execute the wire.

The controller forwarded the lawyer’s email to PSG’s bank to execute the wire. The bank, however, had a policy that prevented the bank from executing a wire based solely on an email so the bank contacted the controller. The controller then logged into the bank’s online platform to authorize the wire transfer. After confirming that the wire could be authorized via the online platform, the controller called the lawyer to explain the wire transfer could occur. The controller had another employee prepare the wire that the controller then authorized.

However, the fraud prevention unit at the bank called and emailed the controller to verify the wire transfer before it went out. The bank asked the controller to verify how the lawyer acquired the wire transfer instructions. The controller then called the lawyer and asked how the lawyer received the wire instructions; the lawyer replied the managing director provided the wire instructions. The controller called the bank back and told the fraud unit what the lawyer said. The bank then released the wire.

The next day the controller told the managing director what happened. The managing director told the controller that he did not authorize the wire, and he immediately called PSG’s bank to try to stop the wire. Neither the bank nor law enforcement were able to stop the wire, which amounted to $1.717 million.

PSG made a claim on its insurance policy. PSG’s policy provided coverage for the following:

Loss resulting directly from a “fraudulent instruction” directing a “financial institution” to debit your “transfer account” and transfer, pay or deliver “money” or “securities” from that account . . . 

The insurance policy defined a “fraudulent instruction” as an instruction received via a computer or other electronic means.

The insurance company denied coverage for PSG’s loss. According to the insurance company, there were two reasons that the policy did not cover PSG’s loss. First, some of the instructions the controller received were conveyed orally over the phone. Second, PSG employees voluntarily setup the wire transfer.

PSG and the insurance company both filed motions asking the court to determine whether the insurance policy provided coverage. After analyzing the policy language, the court concluded that the policy language was ambiguous, and that either PSG’s or the insurance company’s interpretation of the policy was reasonable. However, under the law of Georgia, and Iowa, ambiguous insurance language is interpreted in favor of the insured. The court explained that adopting the insurance company’s interpretation would render the policy language almost meaningless. As a result, the Court entered a judgment in favor of PSG to cover the loss.

The court, however, denied PSG’s claim for bad faith against the insurance company. Bad faith claims can be brought by insureds against their insurance companies when there is no good cause for an insurance company to deny coverage. Bad faith damage awards can exceed the policy limits and include punitive damages. The court ruled, however, in this case the policy language was ambiguous, so the insurance company was not liable for bad faith.  

This case exemplifies many of the pitfalls that this blog has previously covered. First, fraudsters easily tricked the controller at PSG into transferring funds. Second, even though PSG was ultimately covered, it took over a year for PSG to recoup its loss. By designing more robust internal controls and policies that limit the ability of individual employees to transfer funds, PSG could have avoided this loss entirely. Organizations need to keep in mind that insurance is just one part of a comprehensive cybersecurity program. Organizations should review policy language to determine coverage weak points, and focus security efforts on processes that may have ambiguous insurance coverage.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

- John Lande