Star Title sued its carrier for breaching the insurance policy, and alleged that the policy’s Cybercrime Endorsement covered the loss. In September 2022, Judge Moody in the Middle District dismissed the lawsuit, finding both that Star Title had failed to verbally authenticate the wire instructions, and that, in any event, the policy excluded coverage for wire fraud that did not directly involve Star Title’s employees, customers, clients or vendors. Judge Moody found that the mortgage company was none of those.
Star Title appealed to the Eleventh Circuit. In its answer brief, as it did in the trial court, the carrier argues that Star Title’s failure to authenticate the wires relieves the carrier of any obligation to cover the loss.
The carrier also argues that the policy excludes losses that result from wires sent to persons purporting to represent “financial institutions.” Specifically, the policy’s Cybercrime Endorsement provides that the carrier will not be responsible for losses that result from persons “purporting to be a representative of any financial institution, asset manager, broker-dealer, armored motor vehicle company, or any similar entity.” Judge Moody’s order did not address this argument because he found that Star Title failed to satisfy its obligations. Should the Eleventh Circuit rule on this argument, however, it could prove critical and costly for unwary purchasers of cyber insurance.
The carrier notes that, generally, “financial institutions” include companies that are engaged in the business of financial and monetary transactions. The carrier also argues that in 2009, after the subprime mortgage crisis, the federal government amended the definition of “financial institution” in federal regulations to include “mortgage lending businesses.” Therefore, the bad actor impersonating the Texas mortgage lender fits squarely within the policy exclusion for those who “purport to represent financial institutions.”
Phishing attack-related funds diversion is, unfortunately, not unusual. It is absolutely critical, therefore, that companies especially those that routinely wire funds to transact their business be aware of the type, extent and limitations of their cyber insurance coverage.