On October 18, 2016, the U.S. Court of Appeals for the Fifth Circuit released its opinion in Apache Corporation v. Great American Insurance Company. This is one of the first appellate decisions to consider coverage for a social engineering fraud loss under “traditional” commercial crime policy wording since the widespread introduction of social engineering fraud endorsements. In holding that the loss did not trigger indemnity under the Computer Fraud coverage, the Fifth Circuit adopted the interpretive approach to Computer Fraud coverage taken by the Ninth Circuit in Pestmaster Services v. Travelers (which we discussed in our August 4, 2016 post) and applied it in the context of social engineering fraud.
Apache is an oil production company which is headquartered in Texas and which operates internationally. In March 2013, an Apache employee in Scotland received a call from a person claiming to be a representative of Petrofac, a legitimate vendor of Apache. The caller instructed the employee to change the bank account information which Apache had on record for Petrofac. The Apache employee advised that such a change request would not be processed without a formal request on Petrofac letterhead.
A week later, Apache’s accounts payable department received an email from a @petrofacltd.com email address. Petrofac’s legitimate email domain name is @petrofac.com. The email advised that Petrofac’s bank account details had changed, and included as an attachment a signed letter on Petrofac letterhead setting out the old and new account numbers and requesting that Apache “use the new account with immediate effect.”
An Apache employee called the telephone number on the letterhead and confirmed the authenticity of the change request. Next, a different Apache employee approved and implemented the change. A week later, Apache was transferring funds for payment of Petrofac’s invoices to the new bank account.
Within a month, Petrofac advised Apache that it had not received payment of approximately $7 million which Apache had transferred to the new account. Apache recovered some of the funds, but still incurred a net loss of approximately $2.4 million.
The Computer Fraud Coverage
Apache maintained a Crime Protection Policy with Great American, but it does not appear that the policy included social engineering fraud coverage. Apache asserted a claim under its Computer Fraud coverage, which provided that:
We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a) to a person (other than a messenger) outside those premises; or
b) to a place outside those premises.
In Great American’s view, no indemnity was available because the @petrofacltd.com email did not cause the transfers in issue, and because the coverage was limited to losses resulting from hacking and other incidents of unauthorized computer use.
The Fifth Circuit accepted Great American’s position. Noting that there was no Texas law directly on point, the Court embarked on what it described as a “detailed — but numbing — analysis” of the authorities interpreting the Computer Fraud coverage. Chief among these was the Ninth Circuit’s recent decision in Pestmaster, in which that Court interpreted the coverage to require an unauthorized transfer of funds, rather than simply any transfer which involved both a computer and a fraud at some point.
The Fifth Circuit contrasted that requirement with the lengthy chain of events that had resulted in Apache’s loss:
Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead. Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications. Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information. Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices.
The Court observed that the authorities generally refuse to extend the scope of the Computer Fraud coverage to situations where the fraudulent transfer is not a direct result of computer use, but rather results from other events.
In concluding that no indemnity was available under the Computer Fraud coverage, the Court held that:
The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster…, convert the computer-fraud provision to one for general fraud. … We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few — if any — fraudulent schemes would not involve some form of computer-facilitated communication. [emphasis added]
The Fifth Circuit’s decision in Apache is broadly significant to the fidelity insurance industry not only because, like Pestmaster, it reaffirms the intended scope of the Computer Fraud coverage, but also because it reinforces the purpose behind insurers’ introduction of discrete social engineering fraud coverage in the last few years, i.e., the lack of coverage for social engineering frauds under traditional computer and funds transfer coverages.
The proliferation of social engineering fraud has undoubtedly exposed insureds to greater risk. However, insurers have responded by underwriting discrete social engineering fraud coverages. There is no need for courts to depart from the traditional interpretation of computer fraud and funds transfer fraud coverages in order to address this perceived problem, because a solution is already available.
As a practical matter, Apache confirms that insureds need Social Engineering Fraud coverage for these types of losses. The decision provides greater certainty on the part of insureds, insurers and brokers as to the intended scope of each coverage, and makes it easier for all industry participants to ensure that insureds obtain the coverages they require for the types of potential losses that they face.
Apache Corporation v. Great American Insurance Company, 2016 WL 6090901 (5th Cir.)