In The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413, 2017 CarswellAlta 1308, G.R. Fraser J. held that social engineering of a company employee to transfer funds is not covered by a crime coverage insurance policy that normally would cover bank transfer fraud. The reason is that the employee permitted all the transactions, and thus the situation falls into an exclusion in the fraud transfer provision.
In August 2010, a person contacted an employee of The Brick’s payroll department. The person represented himself as a Toshiba employee and requested documentation on transactions between The Brick and Toshiba. Later in August, an email was sent to The Brick’s payroll department from “firstname.lastname@example.org” requesting that The Brick update its banking information to a different bank account going forward. The Brick employees started the process of changing the banking information on file for Toshiba, and no employee independently checked with Toshiba to confirm the changeover. Eventually a total of $338,322.22 was transferred to the new bank account. The fraud only started to unravel in early September, when a Toshiba representative inquired with The Brick as to why their invoices had not been paid. The fraud was then reported to police, and the police were subsequently able to recover $113,847.18. As a result, The Brick made a claim on its business insurance with Chubb Insurance for the unrecovered monies of $224,475.14. On March 15, 2012, Chubb provided an official denial on the basis that the type of transfer that took place did not fall under the fraud provisions of the policy.
The Justice set out that The Brick, when purchasing the policy, obviously intended to cover itself from loss due to criminal activity by its purchase of a “crime coverage policy.” The Brick argued its loss should fall under the umbrella of “fraud transfer funds” in the policy:
Fraud transfer funds means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay, or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent
However, the Justice held this provision would only apply if a bank had directed the fund transfer upon the instruction of an individual impersonating a Brick employee, or in the event the actual Brick employee was in on the fraud. Further, the Justice noted an exclusion to coverage where an employee knowingly surrendered money. The Justice held the emails to The Brick were fraudulent but the employee was aware of the transfers. On a plain reading of the words “knowledge or consent” in the policy, the Justice held the employee knew of and permitted the transfers, and therefore the loss was covered by the exclusion in the policy.
The above ruling sets out that social engineering of an employee may result in a loss not being covered by business insurance even if the policy contains loss by crime coverage. This of course raises the question of whether future cases will follow the decision above. It also would suggest that companies with vast accounts who fear loss from social engineering practices may have to seek further or additional coverage from their insurance company. Notably, the scenario above only required a convincing person, an email address, and a bank account to pull off. In essence, this is a low-cost crime to commit with a potentially large reward. Due to these factors, we will likely see further claims and litigation on this issue in the future.