On April 17, 2018, the Ninth Circuit Court of Appeals released its decision in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, affirming the decision of the U.S. District Court for the Western District of Washington (see our July 19, 2016 post). The decision offers guidance to fidelity insurers with respect to the application of the “authorized entry” exclusion found in the base wording of many commercial crime policies (sometimes referred to as the “authorized access” exclusion), and illustrates how this exclusion may operate in the context of a social engineering fraud loss.
The insured, Aqua Star (USA) Corp. (“Aqua Star”), is a seafood importer that had a pre-existing relationship with a legitimate vendor, Longwei. In the summer of 2013, Longwei’s computer system was hacked. The hacker apparently monitored email exchanges between an Aqua Star employee and a Longwei employee before intercepting those email exchanges and using a “spoof” email domain to send fraudulent emails to the Aqua Star employee. In the spoofed emails, the hacker directed the Aqua Star employee to change the bank account information Aqua Star had on record for Longwei for future wire transfer payments.
The Aqua Star employee inserted the revised banking information into Aqua Star’s computer system. This revised information was then used to create wire instructions that were transmitted to Aqua Star’s bank, the Bank of America. As a result, $713,890 was wired to the hacker’s account before the fraud came to light.
The Travelers Coverage
Aqua Star maintained a Wrap+ Crime Policy with Travelers. The policy covered Aqua Star for its “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud”, as defined. Travelers relied on Exclusion G to the policy, which provided that the policy:
will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.
As a general observation, this type of exclusion is intended to reinforce the industry view that traditional commercial crime coverage is not intended to respond to social engineering fraud losses. At present, social engineering fraud coverage is typically added to commercial crime policies by endorsement, with the endorsement providing that the exclusion in the base wording does not apply in respect of coverage afforded by the endorsement. The intent is to reinforce that only social engineering fraud coverage, and not the traditional computer or funds transfer fraud coverages, responds to social engineering fraud losses.
The District Court had granted Travelers’ summary judgment motion on the issue of whether Exclusion G applied to the loss. The District Court rejected Aqua Star’s arguments that Exclusion G did not apply because: (i) Aqua Star had also entered data into the computer system of a third party, Bank of America; and, (ii) Exclusion G should be confined to circumstances in which a fraud is perpetrated by an authorized user of an insured’s computer system, such as an employee or legitimate customer.
In brief reasons, the Ninth Circuit affirmed the District Court’s grant of summary judgment, holding that:
Exclusion G unambiguously provides that the policy “will not apply to loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System….” Aqua Star’s losses resulted from employees authorized to enter its computer system changing wiring information and sending four payments to a fraudster’s account. These employees “ha[d] the authority to enter” Aqua Star’s system when they “input” Electronic Data, on Aqua Star computers, to change the wiring information and authorize the four wires. Their conduct fits squarely within the Exclusion. While other contractual exclusions may also bar coverage in this case, we need not go any further.
The Ninth Circuit’s decision in Aqua Star provides a concise affirmation of the District Court’s detailed analysis of Exclusion G of the Travelers Wrap+ policy. This case, along with numerous others such as Pestmaster (see our August 4, 2016 post) and InComm (see our March 22, 2017 post), reflects the intended boundary between social engineering fraud coverage and “traditional” computer fraud and funds transfer fraud coverages. Courts have generally interpreted the computer fraud coverage as being intended to cover loss due to unauthorized hacking and payment instructions by third parties, not employees’ authorized entries of data or payment instructions induced by external fraud.
To address this perceived gap, insurers have introduced social engineering fraud endorsements to respond to the latter scenario. Such coverage has been available in the United States since 2013 and in Canada since 2014. The “authorized entry” exclusion reinforces the underwriting intent that the two coverages respond to different loss scenarios. In our view, it is appropriate to keep this context in mind in assessing both the applicability of “authorized entry” exclusions and, more generally, the dividing line between social engineering fraud coverage and other coverages.
Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, 2018 WL 1804338 (9th Cir.)