Cyber Insurance Policies May Not Cover Phishing Attack Funds Diversion

The Eleventh Circuit Court of Appeals is considering an appeal from the United States District Court for the Middle District of Florida , in which the District Court ruled that a cyber insurance policy did not cover diversion of funds for a real estate closing. In Star Title Partners of Palm Harbor, LLC v. Illinois Union Insurance Co., District Court Case No. 8:20-CV-02155, Star Title Partners mistakenly wired funds related to a Florida real estate transaction to a fraudster who posed as a Texas mortgage company.  Star Title’s employees purportedly failed to authenticate the perpetrator’s wire instructions. Upon learning that the fraudster had diverted the funds, Star Title tendered a wire fraud claim to its cyber insurance carrier, which denied coverage.

Star Title sued its carrier for breaching the insurance policy, and alleged that the policy’s Cybercrime Endorsement covered the loss.  In September 2022, Judge Moody in the Middle District dismissed the lawsuit, finding both that Star Title had failed to verbally authenticate the wire instructions, and that, in any event, the policy excluded coverage for wire fraud that did not directly involve Star Title’s employees, customers, clients or vendors.  Judge Moody found that the mortgage company was none of those.

Star Title appealed to the Eleventh Circuit.  In its answer brief, as it did in the trial court, the carrier argues that Star Title’s failure to authenticate the wires relieves the carrier of any obligation to cover the loss. 

The carrier also argues that the policy excludes losses that result from wires sent to persons purporting to represent “financial institutions.”  Specifically, the policy’s Cybercrime Endorsement provides that the carrier will not be responsible for losses that result from persons “purporting to be a representative of any financial institution, asset manager, broker-dealer, armored motor vehicle company, or any similar entity.”  Judge Moody’s order did not address this argument because he found that Star Title failed to satisfy its obligations.  Should the Eleventh Circuit rule on this argument, however, it could prove critical and costly for unwary purchasers of cyber insurance. 

The carrier notes that, generally, “financial institutions” include companies that are engaged in the business of financial and monetary transactions.  The carrier also argues that in 2009, after the subprime mortgage crisis, the federal government amended the definition of “financial institution” in federal regulations to include “mortgage lending businesses.”  Therefore, the bad actor impersonating the Texas mortgage lender fits squarely within the policy exclusion for those who “purport to represent financial institutions.” 

Phishing attack-related funds diversion is, unfortunately, not unusual.  It is absolutely critical, therefore, that companies especially those that routinely wire funds to transact their business  be aware of the type, extent and limitations of their cyber insurance coverage.