While our brains may feel like they are fused with the computers, smartphones, and other devices we use constantly, a direct connection between these machines and our brains is still (mostly) a thing of the future. So, even as companies continue to strengthen and refine their network security systems against cybercrime, the human brain can remain a weak link for criminals to exploit. Unfortunately for some policyholders, this time-honored tactic of targeting the human element involved with a technology may actually fall right into a gap in companies’ insurance coverage, as highlighted in the Fifth Circuit’s decision this month in Apache Corporation v. Great American Insurance Company.
An Apache employee got a call from a person who said they were with one of Apache’s vendors. According to the caller, the vendor needed Apache to change the bank account information to pay the vendor. Apache requested and received a formal change request on the vendor’s letterhead by email—from a fake account similar to the actual vendor’s email address—which Apache employees confirmed by calling the number on the letterhead. Roughly $7 million in payments to the criminal’s bank account later, Apache learned that the change request was a fraud—a type of scheme often called a “social engineering” scam.
Apache had a crime-protection insurance policy with Great American that covered “Computer Fraud,” including the loss of money “resulting directly from the use of any computer to fraudulently cause a transfer of that property” from Apache to someone or someplace else. But Great American denied Apache’s claim, saying that the emails did not “cause” the transfer of payments to the criminals and that this coverage was limited to hacking and unauthorized computer use.
The trial court found coverage for Apache’s loss because the emails were a “substantial factor” in the fraud, despite the “human factor” of the telephone calls and Apache employees’ approval of the payment change. But the Fifth Circuit recently disagreed and held that Apache’s loss was not covered because the emails were only “part of the scheme.” According to the Court, if Apache’s loss was “Computer Fraud,” then that term would cover virtually any fraud because of our constant communications by computer.
This decision raises the question: how exactly are companies supposed to insure for the risk of social engineering fraud? Cyber policies are typically designed to cover loss caused by unauthorized data breaches or system failures, and crime policies are where policyholders would generally expect to have coverage for fraud. But in this strange intersection between computer crime and old-fashioned human fraud, companies may find themselves stuck in the gap between the two. Some insurers now offer social engineering fraud endorsements to crime and fidelity policies. Policyholders should certainly review their crime coverage and consider the risk of such hybrid computer/human combination schemes. After all, no matter how advanced the technology involved—or how secure the protocols in place—there’s always potential for a criminal “social engineer” to hack into the human brain. Make sure you’re covered.