Shawn E. Tuma

Cyber Insurance: Social Engineering Not Covered Under “Computer Fraud” Insurance Provision

In cyber insurance on October 22, 2016 at 10:56 am

Losses stemming from social engineering scams like the business email compromise are not covered by “computer fraud” provisions of commercial crime insurance policies according to the Fifth Circuit Court of Appeals in Apache Corp. v. Great American Insurance Co.

In this case, scammers pretended to be a vendor of Apache and called one of its employees in the accounts payable department to advise that they were changing bank accounts. The scammer then followed up the call with an email (on the purported vendor’s letterhead) to the employee advising of the new bank wiring instructions. After receiving this confirming email, Apache sent $7 million to the fraudsters. Apache was able to recover all but $2.4 million of the funds.

Apache made an insurance claim under the “Computer Fraud” provision of its commercial crime insurance policy, premised on the argument that the email was the cause of the transfer of the funds. Computer Fraud provisions in these policies cover losses “resulting directly from the use of any computer to fraudulently cause a transfer” of funds. The Fifth Circuit rejected this argument, finding that the use of the email was incidental to the transfer:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud.

I am very familiar with the arguments made in this case. Back in 2009, I was counsel in a similar case against some of the attorneys who handled this appeal. In that case, I extensively researched, diagramed, briefed, and argued these issues and we ultimately negotiated a favorable settlement for my client.

What does this mean for business?

When it comes to cyber insurance and insurance coverage for cyber-related events, there are many nuances that business people tend to gloss over and miss. They see the words “computer fraud” and think it covers every bad thing that can happen to them that is related to a computer, but this is wrong. It does not, and oftentimes that means they believe they are getting coverage for risks when they really are not.

The time to think about this is before you have an incident — when you are procuring your insurance or now when you are reviewing your insurance coverage to see what you have. It is a whole lot more expensive to try and litigate it later and the odds are against you. I am happy to help you with either the review or the litigation but remember, “an ounce of cybersecurity prevention is often cheaper than the first day of litigation.”


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.


Why is Healthcare Data So Valuable to Cyber Criminals?

In Data Breach, Privacy on October 21, 2016 at 6:00 am

Healthcare data is one of the most desirable forms of data for cyber criminals to steal because its value on the cyber black market — the Dark Web — is much higher than most other forms of data. While there are several reasons for this, the recent study Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims, concluded

Invitation to the Cyber Future Summit – 10/28/16 at SMU’s Bush Center

In Computer Fraud and Abuse Act, Cyber Issues on October 19, 2016 at 10:12 pm

Dear Friends & Colleagues,

I want to invite you to attend the inaugural Cyber Future Summit, being held on Friday, October 28, at the Bush Presidential Library adjacent to the SMU campus in Dallas.

We have a stellar lineup of speakers, including our luncheon Keynote Speaker, 4-Star Admiral Patrick Walsh, USN (Ret), who retired from active service after a long and honorable career which included serving as the Vice Chief of Naval Operations, and Commander – Pacific Fleet, the largest naval command in the world. In addition, Adm. Walsh spent time as a Navy Pilot in the “Blue Angels”, and earned a Ph.D. in International Relations from the Fletcher School of Law and Diplomacy at Tufts University.

In addition to Admiral Walsh, there will be a stellar lineup of speakers and panelists that you will NOT want to miss!

The day will begin with a press conference announcing the official launch of the Cyber Future Foundation, as well as keynote addresses, panels presented by future-oriented thought leaders across multiple disciplines, and will conclude with table-top exercises led by the speakers and panelists, as well as leaders from government, industry, and academia. The product of these table-top exercises will result in white papers that will be published and disseminated globally and will guide the agenda for the 2017 Global Cyber Future Summit.


