Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe

 

Vol. 8 - Issue 10
November 20, 2019

 

$6 Million E-Mail Spoofing Claim: Professional Liability Policy Exclusion Does Not Apply

 

There has been much discussion of coverage for email spoofing losses under crime/computer fraud policies.  These are first-party policies and ones that were written before such claims were contemplated.  Thus, arguments have abound whether coverage is owed.

As SS&C Technology Holdings v. AIG Specialty Insurance Company, No. 19-7859 (S.D.N.Y. Nov. 6, 2019) demonstrates, e-mail spoofing losses can give rise to liability claims too.         

As e-mail spoofing losses go, the one at issue in SS&C Technology Holdings is large dollar. The opinion describes it like this. SS&C is a global provider of software and software-enabled services to thousands of clients, including Tillage Commodities Fund, L.P. "In March 2016, unknown third parties using stolen credentials sent transfer requests via e-mail to SS&C, falsely claiming to be acting on behalf of Tillage. SS&C believed these requests to be from Tillage and processed those requests. As a result, over the course of three weeks, SS&C transferred over $5.9 million from Tillage's accounts to certain bank accounts in Hong Kong, as requested by the fraudsters."

Tillage filed suit against SS&C alleging all manner of causes of action.  SS&C was insured under an AIG policy that provided coverage for negligence, errors, or omissions relating to the performance of its professional services.  AIG undertook SS&C’s defense but asserted that, based on certain exclusions, it had no obligation to provide coverage for any of SS&C’s liability.  SS&C’s effort, to defeat the suit on motions, was not successful.  The case settled, for an unstated amount, just prior to trial.

Of relevance here, AIG maintained that exclusion 3(a) excluded “coverage for losses in connection with claims: alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law; provided, however, [AIG] will defend Suits that allege any of the foregoing conduct, and that are not otherwise excluded, until there is a final judgment or final adjudication against an Insured in a Suit, adverse finding of fact against an Insured in a binding arbitration proceeding or plea of guilty or no contest by an Insured as to such conduct, at which time the Insureds shall reimburse [AIG] for Defense Costs.”

As AIG saw it, “Exclusion 3(a) applies not only to ‘dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law’ committed by SS&C, but also broadly to such acts committed by third-party fraudsters, such as here.”  (emphasis added).

The court was not convinced.  While AIG’s argument, the court noted, may have been successful, based on a reading of a portion of the exclusion, the exclusion, read in its totality, did not apply to such wrongful acts committed by third-party fraudsters. 

The court explained its decision:

“But even though reading the first clause in isolation might support AIG’s interpretation, this interpretation falters when the sentence is read in its entirety. For coupling the first clause with the ‘provided, however’ clause of the same sentence clearly indicates that Exclusion 3(a) applies only to dishonest, fraudulent, criminal, or malicious acts committed by SS&C, and not to these such acts committed by third-party fraudsters. This is because the ‘provided, however’ clause, which modifies the first clause, refers specifically to ‘Suits that allege any of the foregoing conduct’ against SS&C. This reading also comports with what the parties most likely intended when they entered into the Policy. Indeed, the very rationale of such exclusionary provisions is that a tortfeasor may not protect himself from liability by seeking indemnity from his insurer for damages, punitive in nature, that were imposed on him for his own intentional or reckless wrongdoing.”

And as with the crime policies, I suspect that most liability policies also did not have email spoofing claims in mind when written.  Thus, here too, arguments concerning coverage are likely to arise.

 

 
Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved