Do I Really Need Cyber Crime Insurance?
By: Michael Rothman, Esq., Fund Legal Education Manager
Introduction
Business Email Compromise (BEC) fraud and other social engineering frauds remain a real concern for all those engaged in the real estate profession. A single uninsured and misappropriated wire transfer in the hundreds or even tens of thousands of dollars can cripple one’s business. Per the latest FBI statistics, the real estate sector is now the most targeted area for BEC fraud. In 2017, nearly $1 billion ($969 million, to be precise) was diverted or attempted to be diverted from real estate purchase transactions and wired to criminally controlled accounts. With losses come lawsuits, and real estate licensees and title insurance agencies oftentimes are the targets. Real estate professionals therefore need ask themselves whether they have -- or need -- coverage in place to insure against a security breach, lawsuit and potentially catastrophic loss.
What is BEC Fraud?
Coverage for computer fraud has been available since the 1990’s, largely in response to losses caused by hacking, and is usually found in commercial or business crime insurance policies. “Computer fraud” is generally defined as the unlawful taking of money resulting from a computer violation. A “computer violation” is defined as an unauthorized entry into or deletion of data from a computer system committed by a third party. A typical policy provision covering computer fraud might read as follows:
- We will pay for loss of money resulting directly from the use of any computer to fraudulently cause a transfer of that money from inside the Insured’s premises or banking premises to (a) a person outside those premises, or (b) to a place outside those premises.
Over time, insurers expanded their commercial crime policies to include coverage for “funds transfer fraud.” Funds transfer fraud is generally defined as fraudulent written, electronic, cable or telephone instructions, issued to the insured’s bank, directing it to transfer money from an account maintained by the insured. A computer fraud claim is typically predicated on an unauthorized entry (i.e. a hack) into the computer system, whereas a funds transfer fraud claim usually requires a showing that the instruction was done without the insured’s knowledge or consent.
BEC frauds are different. There is no traditional “hack” and will involve an authorized wire instruction by the insured, or by a client of the insured, to a financial institution, albeit prompted by the fraudulent scheme. Insurers have traditionally defended against BEC claims on grounds (i) there was no hacking involved, (ii) the instruction was authorized, and (iii) the insured did not suffer a “direct” loss. It is therefore crucial that those engaged in the real estate market, handling or directing the movement of millions of dollars of other people’s money, make certain that they have procured the appropriate insurance, with a full understanding of the coverages, exclusions and sub-limits built into the policy.
Examples of BEC Fraud
Recent news reports and court records reveal that the scammers have infiltrated every aspect of the closing process and have exposed real estate licensees to liability. Consider:
- Liz Hazelbaker, a Naples resident, sold her home and expected that her $400,000.00 mortgage would be paid off at closing. Two days before closing, fraudsters posing as her mortgagee, emailed the settlement agent payoff instructions with bogus wiring instructions. The payoff funds were sent to the imposters.
- Scammers posing as the seller’s real estate agent sent the buyer, Tom Erickson of Grand Haven, MI, false wiring instructions for his cash-to-close wire. After learning he had been defrauded, Erickson called and emailed his bank in a frantic effort to retrieve his funds. Soon later, he received an email from the fraudsters, now posing as Erickson’s banker, telling him “not to worry.”
- In June 2018, a Kansas federal judge upheld the jury’s verdict holding the seller’s agent 85% liable for the buyer’s loss of his $196,622.67 cash-to-close wire. Questions of fact existed as to whether the listing agent sent the email actually relied upon by the buyer, but the jury found evidence supporting a finding of the agent’s liability.
- In a highly publicized 2016 California case, First American sued the sellers’ agent, claiming that it had relied upon an email appearing to have been generated by the agent when wiring $513,708.45 to the seller – funds that were ultimately sent to the People’s Republic of China. The agent was charged with failing to implement and maintain reasonable security procedures and practices to protect the personal information of the sellers from an unauthorized access, use, modification, or disclosure.
Considerations when Buying Cyber Risk Insurance
In light of the courts’ struggles to reconcile traditional “computer fraud” with BEC and other social engineering frauds, real estate licensees, attorneys, escrow agents and title agents need review their existing insurance policies, including professional liability, fidelity, and cyber and crime policies, with their insurance professionals to determine if the policies address computer fraud and funds transfer fraud -- and what is actually covered and excluded. Question whether an existing cyber policy or commercial crime policy specifically covers BEC. If coverage for BEC appears to be in place, discuss the policy exclusions; for example, is there an exclusion for funds not owned by the insured? Does the policy clearly address coverage for losses sustained by third parties? Is there exclusionary language for wire transfers made or authorized by the insured?
Absent existing coverage, those engaged in the real estate sphere need consider the merits of procuring a crime policy with an endorsement that provides coverage for BEC and social engineering fraud. As the sheer volume of losses increase, more and more insurers are entering the marketplace, so consider whether a new entrant has the track record in handling these claims. A cyber policy should cover first party direct expenses such as specialized legal counsel, forensic investigation, and notification and credit monitoring costs. The legal landscape and the duties imposed on real estate professionals who are victimized by BEC fraud is evolving, and it is critical that knowledgeable counsel be provided by the insurer to ensure compliance with state laws, Federal statutes (including HIPAA, Sarbanes-Oxley Act and Gramm-Leach-Bliley Act) and to protect privileged communications. As with all policies and endorsements, give careful consideration of the policy exclusions and how they might affect claims seen in this arena. Importantly, check to see if the policy requires the insured to commit to certain verification processes before releasing a wire transfer and the effect of a deviation from such processes. An exclusion of this sort may for all intents and purposes gut the worth of the policy. Many insurers also insist on the insured demonstrating sufficient controls in place to prevent attacks from fraudsters. Can that be reasonably demonstrated -- and at what expense?
Of course, the best insurance is to implement safeguards against being victimized in the first instance. Ensure that multi-level authentication and verification processes are being employed on a constant basis. Evaluate and implement appropriate access controls. Demand that all staff undergo fraud awareness training. It takes just a small lapse in judgment to become a victim. With that in mind, one needs to at least consider the costs, risks and benefits of obtaining insurance to protect against a major loss.