Cybercrime held to be a social engineering loss not computer fraud under policy

The insured was defrauded when a bad actor tricked the company CEO into wiring nearly $600 000 into the bad actor’s bank account. It was held that the loss was covered under the social-engineering-fraud cover with a limit of $100 000 and not the computer-fraud cover limited at $1 million.  The court said the wording was unambiguous and the claimant’s arguments ranged “from creative to desperate”.

The policy was a crime-insurance policy.  The computer-fraud insuring agreement provided that the insurer would pay for “a direct loss … directly caused by Computer Fraud” which was in turn defined as “an intentional, unauthorised and fraudulent entry or change of data or computer instructions directly into a computer system”.  It specifically excluded any “entry or change made by an employee or authorised person … made in reliance upon any fraudulent … instruction”, and it also excluded social engineering fraud.

The social-engineering-fraud insuring agreement provided that the insurer would pay for “direct loss … directly caused by Social Engineering Fraud” which was defined as “the intentional misleading of an Employee or Authorised Person by a natural person impersonating: (1) a Vendor, or that Vendor’s attorney; (2) a Client, or that Client’s attorney; (3) an Employee; or (4) an Authorised Person through the use of a Communication” and specifically excluded computer fraud.

The court held that the event fitted exactly into the description of a social engineering fraud and was not a computer fraud as defined.  In addition, the computer fraud section had an exclusion for “loss resulting from forged, altered, or fraudulent negotiable instruments, securities, documents, or instructions used as source documents to enter Electronic Data or send instructions”.  This exclusion excluded cover for the event in question.

The policy is a good example of how to draft two insuring agreements that are mutually exclusive, with clear language as to what each covers and with appropriate limits.

SJ Computers, LLC v Travelers Casualty and Surety Co of America, case no. 0:21-cv-02482, in the US District Court for the District of Minnesota