In the recent decision of Sanderina, LLC v. Great American Insurance Company, the U.S. District Court for the District of Nevada rejected an insured’s claim that a social engineering fraud loss arising from a “phony executive” email scam was covered under a commercial crime policy. Following leading U.S. authorities such as the Ninth Circuit’s Taylor & Lieberman decision (see our April 3, 2017 post), the Court found that none of the Forgery, Computer Fraud or Funds Transfer Fraud insuring agreements responded in respect of the email scam.
In 2017, an unknown third party sent a series of emails to Sanderina, LLC’s controller. The emails appeared to have been sent by Sanderina’s majority owner. The unknown sender’s email address was nearly identical to the owner’s, except the domain name was altered from “usfantasy.com” to “usfontasy.com.” Over the course of eight days, the imposter asked the controller to make six transfers to his bank accounts. The controller submitted the transfer requests to Bank of America, which transferred a total of $260,994 to the imposter.
After realizing that it was the victim of a scam, Sanderina investigated the incident. Sanderina’s computer consultant investigated whether there had been a breach of Sanderina’s computer systems, and was unable to identify any instances of a third party accessing Sanderina’s computer system or email accounts. As such, there was no evidence that Sanderina’s computer system had been hacked.
Sanderina submitted a claim to Great American, alleging that the email scam losses fell within the Forgery, Computer Fraud and Funds Transfer Fraud insuring agreements. Although it is not clear from the reasons, it appears that Sanderina did not obtain Social Engineering Fraud coverage, either by endorsement to its crime policy or otherwise. Great American concluded that none of the three referenced insuring agreements responded to the loss. Sanderina sued, and Great American successfully moved for summary judgment dismissing the claim.
The Forgery Insuring Agreement
The Forgery insuring agreement in Sanderina’s policy indemnified for losses:
resulting directly from forgery or alteration of checks, drafts, promissory notes, or similar written promises, orders, or directions to pay a sum certain in money …
Sanderina asserted that the policy covered “forgery … or … directions to pay a sum certain in money” and that the emails contained directions to pay money. The Court rejected this contention, observing that the policy unambiguously required such “directions to pay a sum certain in money” to be “similar” to “checks, drafts, [and] promissory notes.” The Court followed Taylor & Lieberman, in which the Ninth Circuit held that emails containing directions to pay money were not “similar” to cheques or drafts.
The Computer Fraud Insuring Agreement
The Computer Fraud insuring agreement in Sanderina’s policy indemnified for losses:
resulting directly from the use of any computer to impersonate you, or your authorized officer or employee, to gain direct access to your computer system, or to the computer system of your financial institution, and thereby fraudulently cause the transfer of money …
The intent of computer fraud coverage is to indemnify the insured with respect to hacking incidents, i.e., where a hacker directly causes the insured’s computer to make an unauthorized transfer of money, without the involvement of the insured or its employees.
On the evidence before the Court in Sanderina, there had been no hack – there were only deceptive emails which were acted upon by the controller. Based on this, the Court found that there was no coverage under the Computer Fraud insuring agreement:
In Taylor & Lieberman, the Ninth Circuit concluded that losses resulting from similar emails were not covered under a policy requiring “entry into” a computer system without authorization because “there is no support for [plaintiff’s] contention that sending an email, without more, constitutes an unauthorized entry into the recipient’s computer system.” … this record does not support a finding that merely sending an email to a Sanderina employee constituted direct access to Sanderina’s computer system.
The Funds Transfer Fraud Insuring Agreement
The Funds Transfer Fraud insuring agreement in Sanderina’s policy indemnified for losses:
resulting directly from a fraudulent instruction directing a financial institution to transfer, pay or deliver funds from your transfer account.
The policy defined “fraudulent instruction” as a:
written instruction … which purports to have been issued by you and which was sent or transmitted to a financial institution to establish the conditions under which transfers are to be initiated by such financial institution through an electronic funds transfer system and which was issued, forged or altered without your knowledge or consent.
The Court found that there was no coverage available on two independent bases:
… the Ninth Circuit considered a similar provision in Taylor & Lieberman and concluded that the policy did not extend to the plaintiff’s losses resulting from similar emails for two reasons. First, the fraudulent instruction was not without “knowledge or consent” — plaintiff “did not know the emailed instructions were fraudulent,” but it “requested and knew about the wire transfers.” Second, the emails did not constitute “fraudulent … instructions issued to a financial institution” because the emails were sent to the plaintiff — not a financial institution.
Both reasons apply equally here. Sanderina is not a financial institution, so the fraudulent instructions were not “sent or transmitted to a financial institution.” Plus, Sanderina[’s] controller … requested and knew about the transfers, so the fraudulent instructions were not “issued, forged or altered without [Sanderina’s] knowledge or consent.” So there is no disputed issue of material fact for trial on the funds-transfer fraud provision either.
Great American was granted summary judgment with respect to all three insuring agreements.
Sanderina serves as a cautionary tale for businesses (and for their brokers) of how a business may be exposed to an uninsured loss in the event that it does not maintain social engineering fraud coverage. The decision provides another example of a clear trend on the part of the courts to refuse to find coverage for social engineering fraud losses under the “traditional” crime policy coverages.
The proliferation of social engineering frauds has created an additional exposure for insureds. Crime insurers have responded by creating discrete social engineering fraud coverages. Such coverage has been available in the United States since 2013 and in Canada since 2014. It is incumbent upon brokers and corporate risk managers to ensure that appropriate coverage is in place.
Sanderina, LLC v. Great American Insurance Company, 2019 WL 4307854 (D. Nev.)