Cyber Heist Excluded ffom Coverage

    The court found there was no coverage for the insured’s transmission to a foreign account held by someone who gained unauthorized access to the account. Construction Fin. Admin. Services, LLC v. Fed Ins. Co., 2022 U.S. Distl LEXIS 103042 (E.D. Pa. June 9, 2022). 

    The insured, Construction Financial Administration Services, LLC (CFAS) was a thirty-party construction funds administration company. CFAS disbursed funds for contractors whose clients required performance and payment bonds from sureties. One of CFAS’s clients was SWF Constructors (SWF). In 2017, SWF agreed to perform construction work in California for the U.S. Army Engineer District involving fence replacement over two miles. 

    A surety issued performance bonds and required SWF to deposit all payments received from the project owner into a disbursement account administered by an independent third-party. SWF entered into a funding agreement with CFAS in order to meet the surety’s requirement that project payments be administered by an independent third party. 

    CFAS established a disbursement account and arranged for project payments from the owner to be directly deposited into the disbursement account. On April 9, 2018, CFAS received a request from what it believed to be SWF to make a payment from the account of $600,000 by wire transfer to a company in Hong Kong named HK Canopy Technology Limited (HK). HK was no listed in SWF’s budget as a subcontractor, nor had CFAS received a copy of any executed agreement between HK and SWF. Further, the invoice did not refer to the project nor identify what work or materials were supplied. Nevertheless, the payment was made. 

    The next day, another request was received from what CFAS believed was from SWF seeking payment from the disbursement account for $700,000 by wire transfer to HK. Again, no disbursement voucher nor any item identification was received. The payment was sill authorized.

    When SWF submitted a disbursement voucher, CFAS stated that the two payments to HK had left insufficient funds to make the requested disbursement. CFAS borrowed $1,000,000 and placed those funds into the disbursement account in order to avoid SWF’s default  of payment to its actual subcontractors and supplies. 

    An investigation revealed that a SWF employee’s email had been hacked by an unknown fraudster. The fraudster gained access to SWF’s network prior to the unauthorised transfers. Posing as a SWF employee the fraudster sent emails to CFAS requesting the transfers.

    CFAS submitted a claim to its insurer, Federal Insurance Company (FIC). The policy excluded claims arising from unauthorized access to any computer program, computer, or computer system. Further, the policy provided that the insured could not settle or offer to settle any claim without FIC’s prior written consent. Under these provisions, FIC denied the claim. CFAS filed suit.

    After discovery, cross-motions for summary judgment were filed. The court found in favor of FIC. There was no breach of the policy because it did not cover the loss. The language of the exclusion clearly contemplated losses precipitated by social engineering events such as hacking. Even if the exclusions did not apply, CFAS failed to provide notice of the loss to FIC before settling the claims. Summary judgment was therefore granted to FIC.