“Phishing” occurs through a fake email message to obtain sensitive information for the purpose of committing fraud. Phishing schemes are becoming more sophisticated, resulting in many organizations falling victim and incurring financial loss. Some organizations have filed claims with their cyber insurance carriers. Lawsuits have followed after insurance companies have denied coverage.
One example is American Tooling Center v. Travelers Casualty and Surety Company of America. In 2015, an ATC officer responded to an email from an apparent ATC vendor by wiring $800,000 to the vendor’s “new” bank account. The email was actually sent by a phisher and the funds could not be recovered. Upon receipt of ATC’s claim, Travelers denied coverage, claiming that ATC’s loss was not “directly caused by the use of a computer.” The federal trial court in Michigan granted summary judgment in Travelers’ favor, finding that there were “intervening events between the receipt of the fraudulent emails and the (authorized) transfer of funds.” ATC has appealed to the 6th Circuit Court of Appeals where the matter is currently pending.
Other federal courts of appeal that have reached similar conclusions in favor of the insurers, including the 9thCircuit in Aqua Star (USA) Corp. v. Travelers Casualty and, most recently, the 11thCircuit in Principle Solutions Group LLC v. Ironshore Indemnity, Inc.
Given these decisions, organizations seeking to avoid a phishing loss should consider instituting and maintaining robust employee phishing training and to check any cyber insurance policies carefully to glean whether a phishing-related loss would be covered.
© 2018 Ossian Law P.C.