Mississippi Silicon: Fifth Circuit finds No Coverage for Social Engineering Fraud Loss under Crime Policy’s Computer Fraud Coverage

On February 4, 2021, the Fifth Circuit Court of Appeals released its decision in Mississippi Silicon Holdings, LLC v. AXIS Insurance Company. In affirming the lower court’s grant of summary judgment in favour of AXIS, the Fifth Circuit made important findings regarding the proper scope of the Computer Fraud coverage; whether a fraudster’s opening of a “fraudulent channel” in an insured’s email system meets the requirements of that coverage; and whether it is appropriate to consider a policy’s Social Engineering Fraud (SEF) coverage in interpreting the scope of the Computer Fraud coverage.

The Facts

Mississippi Silicon Holdings, LLC (“MSH”) is a silicon metal manufacturer. In October 2017, MSH’s Chief Financial Officer received an email which appeared to be from a regular vendor, Energoprom, advising that future payments should be routed to a new bank account. A letter confirming these instructions, written on Energoprom’s letterhead and apparently signed by an Energoprom executive, was attached to the email. The email body also contained previous emails between the CFO and Energoprom personnel concerning invoices and shipment details.

The CFO proceeded to authorize two wire transfers from MSH to Energoprom’s purported new bank account, totaling $1,025,881. These payments were made in accordance with MSH’s three-step verification process for large transfers: first, the CFO initiated a transfer via the online banking system; second, another MSH employee confirmed the transfer on the bank’s website; and third, MSH’s Chief Operating Officer verbally authorized the transfer on a phone call with a bank representative.

In December 2017, Energoprom called MSH regarding outstanding receivables, at which point the fraud came to light.

MSH’s Claim under its Commercial Crime Policy

MSH filed a proof of loss seeking indemnity of $1,025,881 under its Computer Fraud, Funds Transfer Fraud and SEF insuring agreements. The SEF coverage carried a limit of $100,000, whereas the other two coverages carried $1 million limits. AXIS promptly indemnified MSH $100,000 on the basis that the loss met the elements of the SEF coverage, but found that coverage was unavailable under either the Computer Fraud or Funds Transfer Fraud coverages.

MSH brought a coverage action. The District Court granted summary judgment in favour of AXIS, finding that, although the Computer Fraud provision unambiguously “requires that the fraudulent act directly cause the loss,” MSH’s loss was caused not by the fraudulent computer use, but by the affirmative acts of MSH employees in initiating and authorizing the transfer.

The District Court also found that no coverage was available under the Funds Transfer Fraud coverage, as the loss did not result from an instruction which was issued without the insured’s knowledge or consent. As MSH employees were aware of, and specifically authorized, the transfer, the loss did not come within the Funds Transfer Fraud coverage – a rationale consistent with Canadian authorities such as The Brick Warehouse LP v. Chubb Insurance Company of Canada (see our July 13, 2017 post).

The Fifth Circuit’s Decision on Computer Fraud

On appeal, only the Computer Fraud coverage was in issue. The Fifth Circuit did not disturb the District Court’s holding on direct loss, but took a different approach in affirming summary judgment. The Fifth Circuit focused on the “Computer Transfer Fraud” element of the insuring agreement, which the policy defined as “the fraudulent entry of Information into or the fraudulent alteration of any Information within a Computer System.”

Citing authorities such as Pestmaster (see our August 4, 2016 post), Apache (October 24, 2016) and Taylor & Lieberman (April 3, 2017), the Fifth Circuit held that the loss was not covered:

Both this court and others have ruled that the mere receipt of an email does not constitute computer fraud in the context of similar insurance provisions. Although the instant scheme involved the creation of a “fraudulent channel” in MSH’s email system through which the scammers could monitor and, when necessary, alter emails sent between MSH and Energoprom, we agree that the manipulation of emails in this manner does not constitute Computer Transfer Fraud as defined by the insuring agreement. The fraudsters apparently gained access to the company’s email system, but they did not manipulate those systems through the introduction of data or programs that could independently instruct the Computer System “to receive, process, store, retrieve, send, create, or otherwise act upon Electronic Data.” At best, the breach allowed the fraudsters to monitor the computer system and to act based on the information they learned.

The AXIS policy’s inclusion of SEF coverage enabled the Fifth Circuit to make a second important finding regarding the proper interpretation of a Commercial Crime Policy. Observing that the SEF coverage already applied to exactly the type of loss MSH incurred, the Court held that it was appropriate to consider the scope of that coverage in interpreting the Computer Fraud coverage:

The Policy also contained coverage (which MSH received) for Social Engineering Fraud … The policy admittedly anticipates situations in which one fraud could fall under various fraud-related provisions. The fact that MSH recovered under the Social Engineering Fraud provision in the instant case is not itself dispositive. However, as the district court noted, the Social Engineering Fraud provision specifically contemplates situations in which an employee relies in good faith on a fraudulent instruction. The Computer Transfer Fraud provision does not. … Our obligation to read the integrated provision as a whole bolsters our conclusion that coverage is not due.

This holding is helpful to claims professionals in reinforcing that each insuring agreement and other provision of a crime policy must be interpreted in the context of the policy as a whole. Such policies are defined-perils in nature, and it makes sense that they are drafted in such a manner as to avoid overlap between insuring agreements. The availability of SEF coverage, intended to encompass a specific set of loss-causing scenarios, suggests that such scenarios are not intended to fall within other insuring agreements.

Conclusion

Mississippi Silicon represents another decision in a growing line of jurisprudence which holds that there is no coverage for vendor impersonation and other SEF losses under traditional commercial crime coverages. To address those types of risks, insurers introduced SEF coverage, which has been available in the United States since 2013 and in Canada since 2014. Given the increasing frequency of vendor impersonation and other SEF losses, insureds and their brokers would be well-advised to ascertain the risks that SEF poses to insureds’ businesses, and the availability of SEF-specific coverage to address such risks.

In addition to reinforcing the proper scope of the Computer Fraud coverage, Mississippi Silicon also highlights the importance of interpreting insuring agreements and other policy provisions in the context of the policy as a whole. This should assist claims professionals in addressing loss scenarios where an insured is duly indemnified under its SEF coverage, but then attempts to “fit” any uninsured portion of its loss into another insuring agreement.

Mississippi Silicon Holdings, LLC v. AXIS Insurance Company, 2021 WL 406238 (5th Cir.)