Full Coverage for Phishing Scam Not Established
The California Court of Appeal affirmed the trial court's dismissal of the insured's claim for full coverage after suffering from the phishing scam. Door Sys. v. CFC Underwriting Limited, 2024 Cal. App. Unpub. LEXIS 3441 (Cal. Ct. App. June 3, 2024).
Door Systems was a leading distributer of integrated fire doors and fire protection smoke curtains. It alleged that on January 20, 2021, someone impersonating its President sent electronic correspondence to one of its clients, X-Act Finish & Trim, Inc. (X-Act). At the time, X-Act owed Door Systems $395,000. The impersonator demanded $395,000. X-Act made payment, but was later informed by Door Systems that the money had not been deposited into Door System's account. A subsequent investigation recovered $160,419.20, leaving a balance of $234,580 that Door Systems sought to recover from its insurer, CFC Underwriting Limited, under a cybersecurity policy.
The policy had two relevant sections. Section 2E was titled "Corporate Identity Theft" and provided, "We agree to reimburse you for loss first discovered by you during the period of the policy, arising as a direct result of the fraudulent use or misuse of your electronic identity . . . " "Loss" was defined as any direct financial loss sustained by the company. Section 2E provided coverage of $250,000 in excess of a $5000 deductible.
Section 2G of the policy was titled "Push Payment Fraud," and provided,
We agree to reimburse you in the event of fraudulent electronic communications or websites designed to impersonate you or any of your products . . . for . . . the cost of reimbursing you existing customers for their financial loss arising directly from the fraudulent communications, including fraudulent invoices manipulated to impersonate you . . .
Section 2G provided coverage of $50,000 in excess of a $5000 deductible.
Coverage was provided under section 2G, but was denied under section 2E. Door Systems sued. Demurrers were sustained for the original complaint and the First Amended Complaint. The complaints alleged a loss sustained by X-Act, not Door Systems.
To support the Second Amended Complaint, Door Systems argued it shipped $395,000 worth of goods through its business partner X-Act to the ultimate consumer. Door Systems had a direct pecuniary interest in the $395,000 and that amount was also an asset of Door Systems in the form of accounts receivable. Nevertheless, the trial court sustained the demurrer to the Second Amended Complaint without leave to amend. The complaint failed to allege a loss sustained by Door Systems, instead still alleging that X-Act paid the fraudster.
The Court of Appeal affirmed. Coverage under section 2E was triggered only when there was a "direct financial loss sustained by the company." "Direct loss" was defined as "A loss that results immediately and proximately from an event." A direct financial loss sustained by X-Act could not trigger coverage.
X-Act was still obligated to pay its remaining debt to Door Systems. Door Systems had not suffered a direct financial loss from the phasing scam. Without a direct financial loss, coverage under section 2E was not triggered. The trial court properly sustained the demurrer.
