“Spoofing” involves disguising an email to make it appear to come from a sender from whom it did not actually originate. A fraud committed via a spoof email does not necessarily require the recipient’s IT system security to have been compromised.
A US case has recently considered if a disputed insurance claim for “spoofing” fraud was recoverable under a policy that provided relatively broad cover for “Computer Fraud”.
American Tooling Center, Inc (“ATC”) v Travelers Casualty and Surety Company of America (“Travelers”), United States Courts of Appeals, Sixth Circuit 895F.3d 455, 13 July 2018
ATC, a US company that subcontracts manufacturing work to a vendor in China, was insured by Travelers. ATC received emails, purportedly from a Chinese vendor, claiming that the vendor had changed its bank accounts and ATC should make payments to new accounts. After ATC had made the payments it discovered that the emails had been sent by a fraudster. ATC claimed for its losses under its “Wrap+” business insurance policy, which included cover for “Computer Fraud”. “Computer Fraud” was defined as: “The use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises: (1) to a person (other than a Messenger) outside the Premises or Financial Institution Premises; or (2) to a place outside the Premises or Financial Institution Premises.”
Travelers argued that “Computer Fraud” was limited to hacking and similar activities where a nefarious party manages to gain access to and/or take control of the insured’s computer. The Court rejected this and found that if Travelers had wished to limit the definition of “Computer Fraud” in the policy to this type of criminal behaviour it could have done so. As a result, the fraudulent scheme fell within the policy’s definition of “Computer Fraud”. The Court also found that ATC’s loss was directly caused by the fraudulent scheme and that ATC’s claim did not fall within the scope of any of the three specific exclusion clauses that Travelers sought to rely upon.
This case has recently been read as casting doubt on the scope of cyber insurance policies. We do not agree. Cyber policies generally respond only where there has been a failure of the Insured’s IT, data or network security, whereas spoofing is simply a fraud based on the acquisition of a false identity and committed electronically. Even if the information used to create the false identity is garnered by social engineering the issue arises from lax use of social media by others, not necessarily the Insured.
Cyber policies should be interpreted on their particular terms and conditions, and some may provide a measure of cover for spoofing by endorsement. If there is any doubt on the point an insured should consult its broker.
We are indebted to Jerry Ferguson at Baker Hostetler, a member of the CMS Cyber Network for the case law and comment.
The CMS Cyber Network provides 24/7/365 emergency cyber breach response support in 47 jurisdictions to subscribing clients of Network members.