The Alberta Court of Queen’s Bench rendered Canada’s first legal precedent on the applicability of cyber coverage in the case of The Brick Warehouse LP v. Chubb Insurance Company of Canada. The Brick was the victim of a cybercrime. A fraudster contacted the Brick by email and telephone and purported to be one of the Brick’s creditors, Toshiba. The fraudster was able to convince a Brick employee to transfer Toshiba payments to a new account, resulting in over $200,000 being transferred to the fraudster. The Brick sought coverage for the loss from Chubb pursuant to its crime coverage policy. Chubb denied coverage and the Court upheld this decision after careful interpretation of the policy wording.
The manner in which the fraud was carried out played a critical role in the coverage determination. The fraudster contacted the Brick’s accounts payable department claiming that Toshiba was missing payment details. An employee in the accounting department faxed payment documentation to the fraudster.
Shortly thereafter, another Brick employee received an email from an individual who purported to be the controller of Toshiba and who indicated that Toshiba had changed banks and that all payments should be made to the new account. The Brick employee then changed Toshiba’s bank information to reflect the new bank account, following the Brick’s standard practice on changing account information. As a result, all payments that should have been sent to Toshiba were sent to a mysterious bank account. The fraud was only discovered when Toshiba called to inquire about unpaid invoices.
The Brick sought coverage for the amount of money lost from Chubb under its crime coverage policy. The Brick relied on coverage under the policy for “funds transfer fraud”. Funds transfer fraud covered:
“…the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.”
The Court concluded that the circumstances did not fall within funds transfer fraud because the Brick employee knowingly permitted and consented to the transfer. Further, the policy wording required that the fraudulent transfer be performed by a third party.
The insurance policy also contained an exclusion clause which denied coverage if the loss was due to the insured knowingly having given or surrendered money, securities or property in exchange or on purchase to a third party, not in collusion with an employee. As there was no coverage for funds transfer fraud, there was no need for the Court to consider this exclusion.
Arguably, the reasonable expectations of the parties when entering into the contract of insurance were that coverage would extend to circumstances where the fraud was perpetrated completely outside the knowledge of the insured. Coverage would not extend in circumstances where the insured was provided fraudulent information but could have taken steps to verify the information. The Brick could have contacted Toshiba or the banks to confirm the change in banking information. Chubb was not prepared to extend coverage for the Brick’s failure to exercise due diligence.
The decision signifies that cyber crimes in Canada are on the rise and more insureds will be turning to their cyber-liability insurance policies for coverage. Cyber liability is still in its early stages, and because the risks it attempts to mitigate are continually evolving, its policies are too. While more insurers in Canada are now offering these policies, the complexity of claims in this area leaves uncertainty as to how the insurance industry will respond to cybercrime and how insurers and insureds will be safeguarded.