Cyber Law Blog
November 20, 2019

“Fraudulent Acts” Exclusion Does Not Apply to Fraudulent Business Email Scheme Perpetrated by Third Party

BY: Jason Taylor

Plenty of cases in recent years have addressed coverage provided for social engineering fraud or email “spoofing” scams under first-party crime or computer fraud policies. Such fraudulent schemes often get less attention in the third-party context. In SS&C Technology Holdings, Inc. v. AIG Specialty Insurance Company, No. 19-cv-7859 (S.D.N.Y. Nov. 5, 2019), however, the District Court for the Southern District of New York recently addressed whether a professional liability policy containing a “fraudulent acts” exclusion precluded coverage for a fraudulent business email scheme carried out by third party fraudsters. The short answer was “no,” at least based upon the specific policy exclusion at issue in the case.

SS&C Technologies Holdings, Inc. (“SS&C”) is a global provider software-enabled services to thousands of clients, including Tillage Commodities Fund, L.P. (“Tillage”). In March 2016, unknown third parties used stolen credentials to send transfer requests via e-mail to SS&C, fraudulently claiming to be acting on behalf of Tillage. SS&C, believing the requests to be from Tillage, processed the requests, resulting in the transfer of over $5.9 million from Tillage’s accounts to the fraudsters’ bank accounts in Hong Kong over the course of three weeks. In September 2016, Tillage filed suit against SS&C, alleging that SS&C was grossly negligent in managing Tillage’s funds, breached its services contracts, breached the implied covenant of good faith and fair dealing, and violated certain provisions of the New York General Business Law regarding deceptive trade practices. Two weeks before trial, the underlying Tillage lawsuit was settled without any admission of liability or wrongdoing by either party.

SS&C sought coverage for the loss from AIG Specialty Insurance Company (“AIG”), which issued a professional liability policy providing coverage for SS&C’s negligence, errors, or omissions related to the performance of its professional services for others. Four days after the fraudulent scheme was uncovered, SS&C timely notified AIG of the incident and specified that the incident might give rise to a covered loss under the Policy. AIG acknowledged that the Tillage action fell within the Specialty Professional Liability Insurance provisions and agreed to cover SS&C’s defense costs related to the matter. In the same letter, however, AIG denied indemnity coverage for any settlement relating to the underlying suit asserting that the allegations implicated a number of coverage exclusions. After mediation failed, SS&C filed suit against AIG in August 2019 asserting causes of action for breach of contract, declaratory judgment, and breach of the implied covenant of good faith and fair dealing.

AIG moved to dismiss the SS&C complaint arguing, in part, that coverage for the settlement was barred by Exclusion 3(a) of the AIG policy. Exclusion 3(a) excludes coverage for losses in connection with claims:

alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law; provided, however, [AIG] will defend Suits that allege any of the foregoing conduct, and that are not otherwise excluded, until there is a final judgment or final adjudication against an Insured in a Suit, adverse finding of fact against an Insured in a binding arbitration proceeding or plea of guilty or no contest by an Insured as to such conduct, at which time the Insureds shall reimburse [AIG] for Defense Costs.

 AIG argued that the plain reading of the first clause of the exclusion (before the “provided, however” clause) demonstrated that Exclusion 3(a) applied not only to a “dishonest, fraudulent, criminal or malicious act” committed by SS&C, but also broadly to such acts committed by third-party fraudsters, as was the case here. However, while the first clause of the exclusion did not specifically refer to dishonest or fraudulent acts of the insured, the District Court held that those first lines of the exclusion cannot be read in isolation.

The District Court reasoned that coupling the first clause with the “provided, however” clause of the same sentence undoubtedly indicated that Exclusion 3(a) applied only to dishonest, fraudulent, criminal, or malicious acts committed by SS&C, and not to acts committed by the third-party fraudsters. For example, the “provided, however” clause modified the first clause of the exclusion and specifically refers to “Suits that allege any of the foregoing conduct” against “an Insured” (i.e., SS&C). According to the District Court, the rationale of such exclusionary provisions is that “a tortfeasor may not protect himself from liability by seeking indemnity from his insurer for damages, punitive in nature, that were imposed on him for his own intentional or reckless wrongdoing.” SS&C, No. 19-cv-7859 at *8. Thus, the District Court reasoned that this reading of the exclusion comported with what the parties likely intended when they entered into the Policy, namely, that the intent of the exclusion was to only apply to acts of the insured, not third parties. Alternatively, the District Court found at the very least an ambiguity as to whether the exclusion applied to the acts of third-party fraudsters, which required the District Court to construe the exclusion in favor of coverage.

For its part, AIG argued that other coverage sections in the Policy, such as the Cyber Extortion Coverage section, contained nearly identical language with respect to the first clause, but the qualifier “if committed by any of the Insured’s [directors, officers, etc.],” whereas Exclusion 3(a) did not contain any such qualifier. Presumably, because Exclusion 3(a) did not include the limitation “if committed by any of the Insured’s [directors, officer, etc.]”, the exclusion was not limited to those acts committed by the Insured. The District Court, however, was not persuaded finding that the policy includes language to specifically avoid such an argument: “The terms and conditions set forth in each Coverage Section shall only apply to that particular Coverage Section and shall in no way be construed to apply to any other Coverage Section of this policy.” In the end, AIG’s motion to dismiss based on its interpretation of Exclusion 3(a) was denied, likely meaning that SS&C is entitled to coverage for its liability resulting from the fraudulent business email scheme.