March 26, 2020
Business Email Compromise (BEC) remains a popular form of social engineering in which bad actors gain access to a business's email environment, commonly a Microsoft Office 365 tenant, through phished or stolen credentials and weak tenant configuration. Once inside, they can move laterally, read the company's internal communications, gather information on key stakeholders, and create new unauthorized privileges in the system. Eventually, armed with enough information, the bad actors spoof invoices or requests for payment so that the company's funds, or the funds of its customers or other third parties, are sent to accounts the bad actors control.
Recently this social engineering strategy has been deployed widely against the financial sector, where fraudsters have duped financial account administrators and custodians into wiring money to the bad actor's accounts. In the case of Naomi Berman, a bad actor tricked her 401(k) record keeper, Alight Solutions, and its custodian, State Street Bank Trust, into paying out $99,000 from her account. [1] Neither Alight nor State Street contacted Ms. Berman to obtain her consent before the distributions were made and the funds disbursed. Ms. Berman has since sued both Estee Lauder Inc. and Alight Solutions for the loss. Similarly, the Oklahoma Law Enforcement Retirement System suffered a loss when an employee's email account was compromised, resulting in $4.2 million being stolen from the pension fund for the state's highway troopers, state agents, park rangers and other officers. [2]
While the fact pattern above is nothing new to the world of "cyber-related" social engineering, what continues to be a point of contention is the proper home for coverage under a business's insurance program. Fraudulent transfers and other social engineering losses have more commonly been covered under Crime policies and Financial Institution Bonds (FIB) for the insured that actually lost the funds, but what happens when a third party who facilitated the transfer, or whose network security compromise was part of the scheme, is sued for the financial loss? Crime/FIB policies typically do not cover liability claims, so it is critical to analyze other potential policies for coverage.
Cyber policies often include liability coverage for claims resulting from a security breach of the insured’s computer system or network, so if such a breach led to the fraudulent fund transfer, there is potentially an avenue for coverage of a claim against the insured. Unfortunately, many Cyber insurance policies also carry exclusions or carve-outs to covered damages for the “transfer of money or securities.” These limitations and exclusions seem designed to narrow or deny coverage entirely for this type of event. A Cyber policy should, however, cover the cost of forensic investigation. Since Cyber policies vary in how coverage is triggered, it is important to review the wording carefully. Forensic investigation costs can be substantial, and we recommend that the work be overseen by competent Breach Counsel and under attorney-client privilege. Legal costs for this oversight would also be important coverage in a Cyber insurance policy.
Fiduciary Liability policies may have coverage for liability claims, provided the allegation contends there was a breach of the insured’s fiduciary responsibilities. While uncommon, it’s possible that these policies can have cyber-specific exclusions which could preclude recovery if the claim arose out of a breach of network security.
Finally, an Errors and Omissions (E&O) insurance policy could potentially provide coverage for insureds who face claims, after a fraudulent transfer, over their performance of, or failure to perform, certain professional services. While transfer-of-funds exclusions similar to those found in Cyber policies exist in E&O policies, a recent dispute between AIG and SS&C Technologies resulted in a court ruling in favor of coverage under SS&C's E&O policy with AIG, despite such an exclusion. [3]
SS&C Technologies was responsible for handling transfers of funds and other business process services for Tillage Commodities Fund. A bad actor, purporting to be acting on behalf of Tillage, instructed SS&C to transfer funds to an account in Hong Kong, so SS&C wired roughly $5.9 million from Tillage’s accounts to the bad actors. The resulting claim for the lost funds from Tillage against SS&C was at first denied by AIG under a transfer of funds-like exclusion (among others). When SS&C brought suit against AIG for its denial, however, the courts ultimately ruled in SS&C’s favor. The court found that SS&C’s lack of any “authority or discretionary control” over the accounts (an important qualification for the applicability of this particular exclusion), and ambiguity around the meaning of the word “lost” as it related to stolen funds, were compelling enough that the specific transfer of funds exclusion in this policy did not apply.
Decisions like the one in SS&C's favor are encouraging, but they further underline the nuance and variable outcomes for coverage of fraudulent fund transfers and other social engineering losses across different lines of insurance. As bad actors find new ways to dupe businesses into relinquishing financial resources, policyholders must continue to be diligent in reviewing their insurance policies.
During this COVID-19 quarantine period, it is especially easy for companies to fall prey to these schemes. With a fully distributed workforce (most employees working from home), organized crime rings will take advantage of increased communications across more channels, some of which may not be as secure. Spoofed emails (falsified to appear legitimate) from unauthorized parties will increase sharply, so companies should be more vigilant in verifying any change to wire transfer or traditional payment instructions. Given current economic conditions, many customers, vendors and suppliers will need to change their payment schedules, and the fraudsters are well aware of this. Every employee should question all such changes and should contact the source by phone, using the number in the original contract or another independent source. Do not trust the email address or phone number listed in the "change in instruction" email; go outside that line of communication and confirm the change with a known and trusted party at the customer, vendor or supplier. It may take more time, but it will save millions in misdirected funds.
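The check below is an added example and is not code from the original post or from any of the firms it mentions. It shows, in Python, the kind of first-pass screening an accounts-payable mailbox could apply to a "change of payment instructions" email before anyone picks up the phone: the sender's display name is compared with the vendor contact on file, the sending domain is tested for a lookalike of the known domain, and a Reply-To that points somewhere other than the From domain is flagged. The vendor list, the two sample messages and the keyword list are constructed for illustration. The result never replaces the out-of-band phone call the post recommends; a payment change is marked for verification whether or not anything looks suspicious.

```python
"""Added example: screen a payment-instruction-change email against the vendor
contact on file. Vendor data, sample messages and keywords are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Constructed vendor directory (assumed): vendor display name -> domain on file.
KNOWN_VENDORS = {
    "Acme Supplies": "acme-supplies.example",
}

# Phrases that typically signal a request to change where money is sent.
PAYMENT_CHANGE_KEYWORDS = ("bank details", "wire instructions",
                           "remittance", "new account")

# Constructed suspicious message: lookalike domain ("1" for "l") and a
# Reply-To on yet another domain.
SAMPLE_SUSPICIOUS = """\
From: Acme Supplies AP <ap@acme-supp1ies.example>
Reply-To: ap.accounts@mail-acme.example
To: payables@victim.example
Subject: Updated remittance details

Please update our bank details for all future wires.
"""

# Constructed legitimate message from the domain on file.
SAMPLE_LEGIT = """\
From: Acme Supplies AP <ap@acme-supplies.example>
To: payables@victim.example
Subject: Updated remittance details

Please update our bank details for all future wires.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_payment_change_email(raw: str, known_vendors: dict) -> dict:
    """Return whether the mail asks for a payment change, any red flags found,
    and whether it must be verified out of band (always true for a change)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(from_addr)
    text = (str(msg["Subject"] or "") + "\n" + msg.get_content()).lower()

    payment_change = any(k in text for k in PAYMENT_CHANGE_KEYWORDS)
    findings = []

    # Display name claims a known vendor but the sending domain is not on file.
    for vendor, domain_on_file in known_vendors.items():
        if vendor.lower() in display.lower() and from_domain != domain_on_file:
            msg_txt = (f"display name claims {vendor!r} but From domain "
                       f"{from_domain!r} is not the domain on file {domain_on_file!r}")
            if edit_distance(from_domain, domain_on_file) <= 2:
                msg_txt += " (lookalike domain)"
            findings.append(msg_txt)

    # Replies silently redirected to a different domain.
    reply_to = msg["Reply-To"]
    if reply_to:
        reply_domain = _domain(parseaddr(str(reply_to))[1])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from "
                            f"From domain {from_domain!r}")

    return {
        "payment_change": payment_change,
        "findings": findings,
        "suspicious": bool(findings),
        "verify_out_of_band": payment_change,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("legit", SAMPLE_LEGIT)):
        print(label, assess_payment_change_email(raw, KNOWN_VENDORS))
```

The keyword match deliberately errs toward flagging: a false positive costs one phone call, while a miss can cost the whole wire. Header checks like these only catch the crude cases; a compromised vendor mailbox sends from the genuine domain, which is exactly why the phone call to a known number remains the control that matters.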