
Future Electronics v. Chubb Insurance: The Insurer Prevails in Canada’s First Ruling on the Social Engineering Fraud Endorsement

By Nick Krnjevic and Maro Coric, from our Insurance Law Practice Group

October 15, 2020 — The Quebec Superior Court ruling rendered on September 29 in Future Electronics Inc. (Distribution) Pte Ltd. v. Chubb Insurance Company of Canada, 2020 QCCS 3042 is the first Canadian decision, and only the second North American ruling, that has analyzed the interplay between the Social Engineering Fraud, Computer Fraud and Funds Transfer Fraud insuring agreements of a Commercial Crime Policy.[1]

The multi-million-dollar loss arose out of a vendor impersonation e-mail scam, which is a typical example of “social engineering” fraud. There is currently a lack of coherency among certain US appellate courts as to whether “social engineering” losses are covered under a Crime Policy’s Computer Fraud and Funds Transfer Fraud coverages. No US appellate court, and only one US trial court, has interpreted a policy which contained a Social Engineering Fraud insuring agreement.

The Quebec Superior Court [Court] agreed with Chubb Insurance Company of Canada [Chubb] that the loss clearly fell within the ambit of the Crime Policy’s Social Engineering Fraud Endorsement, which was subject to $50K limits. The Court rejected Future Electronics Inc.’s [FEI] attempt to secure coverage under the Crime Policy’s Computer Fraud and Funds Transfer Fraud insuring agreements, which had $25M limits.

Per the Court, when considered in the context of the Crime Policy read as a whole, including, in particular, the Social Engineering Fraud insuring agreement, neither the Computer Fraud nor the Funds Transfer Insuring Agreements afforded coverage for loss that was directly caused by the deceitful representations contained in emails the impersonator sent to the insured’s accounts payable employees.

The Court further held that the Voluntary Parting exclusion would have applied had either the Computer Fraud or the Funds Transfer Insuring Agreements been triggered.

This is an important case for Crime insurers. Unlike hacking attacks, which can be managed by robust technical defences, “social engineering” fraud is a risk that is particularly difficult to effectively control given the natural human tendency to trust other people, and take their representations at face value. Future Electronics Inc. v. Chubb confirms that coverage for this risk is limited to that afforded under Social Engineering Fraud endorsements, which contain, inter alia, fraud scenario restrictions, and which typically provide substantially lower limits than are available for the far more manageable risks covered under Computer Fraud and Funds Transfer Fraud Insuring Agreements.

The Fraud

A Singapore subsidiary [FESG] of Future Electronics Inc. [FEI] was the victim of a multi-million-dollar vendor impersonation scam: an impostor [Impostor] masquerading as the CFO of a California-based supplier, Exar, persuaded FESG’s accounts-payable employees to change the banking instructions for the wire-payment of Exar’s invoices. FESG instructed its bank accordingly, and the payments ended up in bank accounts controlled by the Impostor. The Impostor, who communicated with FESG’s employees via email, and, on a few occasions, via telephone, never contacted the bank.

The Problematic Nature of Social Engineering Fraud Risks

Vendor impersonation scams are a typical example of “social engineering fraud”. Cyber-criminals increasingly engage in “social engineering” — which is a 21st century version of the classic “con game” — in order to avoid having to directly attack the robust technological cyber defenses adopted by many corporations. Law enforcement agencies have described this subset of cyber-criminals as “social or human hackers who specialize in exploiting personal connections through social networks. Social hackers, sometimes referred to as ‘social engineers,’ manipulate people through social interactions (in person, over the phone, or in writing)”.[2]

Because trusting humans are vulnerable to being duped by a sophisticated fraudster, the latter can infiltrate even the best-managed and most secure businesses by deceptively posing as a trusted vendor, client or employee and induce an insured or an insured’s employee to divert assets.

Unlike such cyber-risks as a direct computer attack on an insured’s technological systems, “social engineering” fraud is a risk that is particularly difficult to effectively control because its victims innately want to trust other people, and take their representations at face value. Consequently, the coverage insurance companies are willing to offer for “social engineering” fraud is typically subject to, inter alia, fraud scenario constraints and restricted limits.

The Claim for Coverage

FEI benefited from an Executive Protection Insurance Policy [Policy] issued by Chubb. The Policy included a Social Engineering Fraud Endorsement, which had limits of $50K. It also afforded $25M of coverage under the Computer Fraud and Funds Transfer Fraud insuring agreements.

Chubb agreed that coverage existed under the Social Engineering Fraud Endorsement, but concluded that the loss did not trigger either the Computer Fraud or the Funds Transfer Fraud coverages.

FEI disagreed. It declined to accept the $50K check issued by Chubb, and filed suit in Quebec Superior Court.

The Ruling

The Social Engineering Fraud Insuring Agreement covered loss that directly resulted from “Social Engineering Fraud committed by a person purporting to be a Vendor, Client, or an Employee who was authorized by the Insured to instruct other Employees to transfer Money or Securities” [par 102]. “Social Engineering Fraud” was defined as “the intentional misleading of an Employee, through misrepresentation of a material fact which is relied upon by an Employee, believing it to be genuine”. [par 100]

The Social Engineering Fraud Endorsement did not apply to loss covered under, inter alia, the Policy’s Computer Fraud and Funds Transfer Fraud Insuring Agreements.

The Court agreed with Chubb that the loss, which stemmed from a classic social engineering fraud scenario, clearly, and exclusively, fell within the ambit of the Policy’s Social Engineering Fraud Endorsement.

The Court rejected FEI’s attempt to secure coverage under the Policy’s Computer Fraud and Funds Transfer Fraud Insuring Agreements. The Court held that these insuring agreements had to be interpreted in the context of the Policy as a whole, including, in particular, the Social Engineering Fraud Endorsement.

The Court concluded that the Computer Fraud insuring agreement, which afforded coverage for “direct loss” resulting from “unlawful taking […] through the use of a computer”, protected the insured from losses it suffered when a third-party used a computer to directly and illegally seize the insured’s assets.

The Court held that the Computer Fraud Insuring Agreement was not triggered if the computer was simply a passive conduit for sending “social engineering” email communications in order to manipulate employees into voluntarily transferring assets of the insured to the fraudster. Per the Court, FEI’s loss was directly caused by the deceitful representations made by the Impostor, and did not constitute “direct loss” resulting from “unlawful taking […] through the use of a computer.”

The Court distinguished recent US appellate case-law — including Medidata Sols. Inc. v. Fed. Ins. Co., 729 Fed. Appx. 117 (2nd Cir. 2018) [Medidata] and Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018, rehearing en banc denied) [ATC] — on the ground that the policies in issue in those cases did not limit coverage to “direct loss” resulting from “unlawful taking […] through the use of a computer”.

For example, Medidata covered “the unlawful taking or the fraudulently induced transfer of Money, Securities or Property resulting from a Computer Violation”, while ATC defined “Computer Fraud” as “the use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises”.

Since email is the 21st century’s default mode of business communication, the Court, citing US appellate case-law,[3] further held that the Computer Fraud coverage would be transformed into General Fraud coverage if, as FEI argued, it encompassed any and all fraudulent schemes involving email communications.

The Court therefore concluded that the loss FEI sustained when its employees were duped by the Impostor was clearly and exclusively covered under the Social Engineering Fraud Endorsement, and did not trigger the Computer Fraud coverage. The Court further held that FEI’s contention that the claim could be covered under both the Social Engineering Fraud and the Computer Fraud coverages was contrary to the clear wording of the Policy. Per the Court, the coverages were mutually exclusive.

The Funds Transfer Fraud Insuring Agreement afforded coverage for “direct loss” resulting from “the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without an Insured’s knowledge or consent.” [par 88]

FEI’s bank had issued payments on the basis of instructions it had received directly from FEI’s duped employees. The Court rejected FEI’s assertion that the coverage was triggered because the deceived employees had not knowingly issued fraudulent instructions to the insured’s bank. Citing the majority line of US case-law, which was followed in the only relevant Canadian common-law decision,[4] the Court held that the loss did not trigger the clear wording of the Funds Transfer Fraud coverage since the only payment instructions received by the bank had been approved and sent by the insured, which necessarily had knowledge of same.

The Court reiterated that such claims were exclusively covered under the Social Engineering Fraud Endorsement.

Both the Computer Fraud and Funds Transfer Fraud Insuring Agreements were also subject to a Voluntary Parting Exclusion which precludes coverage for “loss due to an Insured knowingly having given or surrendered Money, Securities or Property in exchange or purchase to a Third Party, not in collusion with an Employee. This exclusion shall not apply to Money Orders and Counterfeit Currency Fraud.” [par 97]

This Exclusion was specifically deleted from the Social Engineering Fraud Endorsement.

The Court held that the Voluntary Parting exclusion would have applied had either the Computer Fraud or the Funds Transfer Insuring Agreements been triggered. The Court rejected FEI’s assertion that the clause was ambiguous and should be limited to transactions in which there were simultaneous exchanges of funds for goods/services. The Court concluded that on its plain wording the exclusion applies to any exchange/purchase transaction, simultaneous or otherwise, in which the insured voluntarily parts with money/securities/property, regardless of whether the monies are paid to a legitimate third-party or a fraudster.

Conclusion

Social engineering fraud, the success of which depends on the inherent human inclination to trust other people, is a particularly difficult risk to control. Future Electronics Inc. v. Chubb confirms that coverage for this risk is limited to that afforded under Social Engineering Fraud endorsements, which contain, inter alia, fraud scenario restrictions, and which typically provide substantially lower limits than are available for the far more manageable risks covered under Computer Fraud and Funds Transfer Fraud insuring agreements.


[1] RSS attorneys Nick Krnjevic and Élisabeth Laroche successfully argued the case on behalf of Chubb.

[2] US Department of Justice, Federal Bureau of Investigation: Internet Social Networking Risks, <https://www.dni.gov/files/NCSC/documents/campaign/internet-social-networking-risks.pdf>.

[3] Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016) [Apache], and Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332 (9th Cir. 2016) [Pestmaster].

[4] See, inter alia, Taylor & Lieberman v. Federal Ins. Co., 681 Fed. Appx. 627, 628 (9th Cir. 2017); Pestmaster; The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413.
