The Fifth Circuit's ruling Wednesday that Apache Corp. isn't covered for losses stemming from a fraudulent scheme that caused it to reroute vendor payments to a phony account curtails the use of computer fraud insurance to cover complex, multistep scams, requiring that an act of computer-based deception directly cause the loss, experts say.
Reversing a Texas federal court's decision, an appellate panel agreed with Great American Insurance Co. that the oil and gas exploration company's losses weren't covered because an email to Apache containing instructions to change a vendor's payment information didn't directly cause a series of fraudulent transfers. The computer fraud provision in Apache's commercial crime policy with GAIC extended coverage for losses "resulting directly from the use of any computer to fraudulently cause a transfer."
The panel determined that the fraudulent email was just one step in an intricate scheme that ultimately led Apache employees to authorize legitimate transfers, albeit to a bogus bank account.
"The email was part of the scheme, but the email was merely incidental to the occurrence of the authorized transfer of money," the panel wrote. "To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would ... convert the computer fraud provision to one for general fraud."
According to experts, the decision will curtail coverage under commercial crime policies for many so-called "social engineering" scams in which a criminal manipulates a company's employees into transferring money into a fraudulent account. Such schemes often involve a combination of deceptive emails, phone calls and even written communications.
Attorneys representing policyholders say that the Fifth Circuit's reasoning may unfairly foreclose coverage for losses that a company would expect to fall under a typical computer fraud policy provision.
"It was unfortunate the court minimized the role of the electronic communication in perpetrating the fraud, saying that it was incidental to the overall crime," said Anderson Kill PC shareholder Joshua Gold. "It seems to me that this event was exactly what the policyholder would have expected the policy to cover — theft perpetrated via computer fraud."