The 9th U.S. Circuit Court of Appeals affirmed the district court’s ruling in Aqua Star (USA) Corp., vs Travelers Casualty and Surety Company of America. The case involved fraudulent emails purporting to be from the insured’s suppliers directing that the insured direct its payments to a new account purportedly opened by that supplier. Based on that fraudulent communication, the insured transferred $713,890 due its supplier to the fraudulent “new account.”
At issue was whether an exclusion in the insured’s Wrap and Crime Policy applied. That exclusion precludes coverage for loss resulting directly or indirectly from the input of electronic data by a natural person having authority to enter the insured’s computer system. The Ninth Circuit found the insured’s losses were the result of entries made on the insured’s computer system to change the wiring information for its supplier. Because the employees involved were authorized to enter the insured’s computer system to make such entries, the court affirmed the decision of the district court and found that the exclusion applied.
The ruling is consistent with other precedents. It’s a good reminder to businesses to check their cyber security insurance coverage to ensure that it meets their needs, since social engineering fraud is becoming more prevalent.