Skip to main content

Cyber Insurance Policies May Not Cover Phishing Attack Funds Diversion

Kelly Ruane Melchiondo
Fishing hook illustration about cyber phishing attacksThe Eleventh Circuit Court of Appeals is considering an appeal from the United States District Court for the Middle District of Florida , in which the District Court ruled that a cyber insurance policy did not cover diversion of funds for a real estate closing. In Star Title Partners of Palm Harbor, LLC v. Illinois Union Insurance Co., District Court Case No. 8:20-CV-02155, Star Title Partners mistakenly wired funds related to a Florida real estate transaction to a fraudster who posed as a Texas mortgage company.  Star Title’s employees purportedly failed to authenticate the perpetrator’s wire instructions. Upon learning that the fraudster had diverted the funds, Star Title tendered a wire fraud claim to its cyber insurance carrier, which denied coverage.

Star Title sued its carrier for breaching the insurance policy, and alleged that the policy’s Cybercrime Endorsement covered the loss.  In September 2022, Judge Moody in the Middle District dismissed the lawsuit, finding both that Star Title had failed to verbally authenticate the wire instructions, and that, in any event, the policy excluded coverage for wire fraud that did not directly involve Star Title’s employees, customers, clients or vendors.  Judge Moody found that the mortgage company was none of those.

Star Title appealed to the Eleventh Circuit.  In its answer brief, as it did in the trial court, the carrier argues that Star Title’s failure to authenticate the wires relieves the carrier of any obligation to cover the loss. 

The carrier also argues that the policy excludes losses that result from wires sent to persons purporting to represent “financial institutions.”  Specifically, the policy’s Cybercrime Endorsement provides that the carrier will not be responsible for losses that result from persons “purporting to be a representative of any financial institution, asset manager, broker-dealer, armored motor vehicle company, or any similar entity.”  Judge Moody’s order did not address this argument because he found that Star Title failed to satisfy its obligations.  Should the Eleventh Circuit rule on this argument, however, it could prove critical and costly for unwary purchasers of cyber insurance. 

The carrier notes that, generally, “financial institutions” include companies that are engaged in the business of financial and monetary transactions.  The carrier also argues that in 2009, after the subprime mortgage crisis, the federal government amended the definition of “financial institution” in federal regulations to include “mortgage lending businesses.”  Therefore, the bad actor impersonating the Texas mortgage lender fits squarely within the policy exclusion for those who “purport to represent financial institutions.” 

Phishing attack-related funds diversion is, unfortunately, not unusual.  It is absolutely critical, therefore, that companies especially those that routinely wire funds to transact their business  be aware of the type, extent and limitations of their cyber insurance coverage.  

 
Related Practices
YOU MIGHT ALSO LIKE
Blog February 03, 2021
As we anticipated back in May, there has been a significant increase in litigation relating to business interruption insurance coverage for losses attributable to COVID-19 restrictions. Restaurant policyholders, in particular, have been at the forefront of raising these disputes. These cases have ma...
Blog December 26, 2023
Philanthropic organizations have started being recognized as a potential new arm to the traditional P3 delivery mechanism. They bring a number of unique benefits that add tremendous value to certain projects and communities.
Privacy Portal Blog December 4, 2020
Kelly Ruane Melchiondo authors a blog post in which she discusses the case of Van Buren v. United States, a recent SCOTUS case that highlights ambiguities in the Computer Fraud and Abuse Act (CFAA).
VIEW MORE