A subsidiary of Chubb Insurance has spent years fighting a business email compromise (BEC) claim from one of its clients.
Last week, the 2nd Circuit Court declined to reconsider an earlier verdict and ordered the insurer to cover $4.8 million in losses.
An employee of Medidata, which makes software for clinical trials, wired $5 million to a cyber attacker's account after a social engineering campaign that involved spoofed emails.
The emails appeared to come from both an outside law firm and the company's CEO, but they were actually sent by cybercriminals, who used an upcoming acquisition as their pretext.
The Insurance Journal does a nice job of spelling out the coverage terms that Federal Insurance Company and Medidata were fighting about:
Medidata argued that its computer fraud provision should cover its loss because the Federal policy defined a computer violation as any “entry of Data into” or “change to Data elements or program logic of a computer system.” The firm argued that the fraudsters entered data when they changed the “From” entry in emails to make it appear they were from real Medidata executives.
Federal Insurance denied the claim, arguing that the email case did not amount to entry of data into or a change to the elements of the Medidata computers. Federal said the policy applies to only hacking-type intrusions. The insurer also argued that the computer fraud provision was not triggered because the spoof was not the direct cause of the loss since Medidata’s own employees made the transfer.
In July, the court found that the attackers did insert email-spoofing code into the company's email system, which triggered coverage under the "entry of data" language in the policy.
Federal Insurance appealed to the court to reconsider the verdict, but last week the court denied that appeal.