Cyber insurance policies may not cover phishing attack embezzlement | Bilzin Sumberg
The Eleventh Circuit Court of Appeals is hearing an appeal from the United States District Court for the Middle District of Florida, in which the district court ruled that a cyber insurance policy did not cover the misappropriation of funds for a real estate closing. In Star Title Partners of Palm Harbor, LLC v. Illinois Union Insurance Co., Case No. 8:20-CV-02155, Star Title Partners mistakenly transferred funds related to a real estate transaction in Florida to a fraudster posing as a Texas mortgage company. Star Title employees allegedly failed to authenticate the author’s wire instructions. After learning that the fraudster had misappropriated the funds, Star Title filed a wire fraud claim with its cyber insurance carrier, which denied coverage.
Star Title sued its carrier for breach of the insurance policy and alleged that the policy’s cybercrime endorsement covered the loss. In September 2022, District Judge Moody dismissed the lawsuit, finding both that Star Title had failed to verbally authenticate the wire instructions and that, in any event, the policy excluded coverage for wire fraud that did not directly involve Star Title’s employees, customers, clients or suppliers. Judge Moody concluded that the mortgage company was not one of these.
Star Title appealed to the Eleventh Circuit. In its reply brief, as it did in the trial court, the carrier argues that Star Title’s failure to authenticate the wires releases the carrier from any obligation to cover the loss.
The carrier also argues that the policy excludes losses resulting from wire transfers sent to people claiming to represent “financial institutions.” Specifically, the policy’s cybercrime endorsement provides that the carrier will not be liable for losses resulting from persons “claiming to be a representative of a financial institution, asset manager, broker, an armored car company or similar entity.” Judge Moody’s order did not address this argument as he found that Star Title failed to meet its obligations. Should the Eleventh Circuit rule on this argument, however, it could prove critical and costly for unwary buyers of cyber insurance.
The carrier notes that, generally, “financial institutions” include businesses that engage in financial and monetary transactions. The carrier also argues that in 2009, after the subprime mortgage crisis, the federal government changed the definition of “financial institution” in federal regulations to include “mortgage companies.” Therefore, the bad actor impersonating the Texas mortgage lender fits nicely into the policy exclusion for those who “claim to represent financial institutions.”
Embezzlement associated with a phishing attack is unfortunately not unusual. It is therefore absolutely essential that companies, especially those that regularly transfer funds to carry out their transactions, are aware of the type, extent and limits of their cyber insurance coverage.