Addressing Insurance Coverage Pitfalls in Tech-Enabled Fraud Attacks

Bad actors are continuously looking for weak links to exploit in financial ecosystems. With cybercrime on the rise and attacks on third parties a reality that financial entities must prepare for, finding ways to protect their assets from insurance coverage pitfalls is essential.

But it’s not always easy or straightforward. Financial institutions and vendors that provide financial services to these institutions often have interdependent business operations, which can make it challenging to determine whose insurance and what type of coverage will respond to an impersonation fraud event targeted at asset managers, custodians, administrators, and their clients.

This challenge has been brought to the forefront as a fund administrator seeks indemnification in a declaratory action against its insurer. The case stems from recently settled litigation between SS&C Technologies, a fund administrator, and Tillage Commodities Fund, a hedge fund client, involving a $5.9 million impersonation fraud scam. In June of 2019, Tillage and SS&C settled these claims on a confidential basis with no admission of wrongdoing by either party.

SS&C’s cyber/errors and omissions (E&O) policy contained a professional liability insuring agreement that provided coverage for losses resulting from claims against the fund administrator due to any negligent act, error or omission, misstatement, or misleading statement in its performance of professional services. As such, SS&C tendered the Tillage lawsuit to its insurer for defense and indemnity.

While the insurer acknowledged that the suit falls within the provisions of the professional liability coverage section and has agreed to pay related defense costs, it has denied coverage for indemnification, citing several exclusions. These include:

• A conduct exclusion, which is being disputed by SS&C because it requires final adjudication by the court, which has not yet occurred.
• An exclusion for the monetary value of a transaction from an insured’s account. SS&C is arguing that this exclusion is not applicable since the funds were wired from Tillage’s account, and not SS&C’s.
• An exclusion for loss arising out of SS&C exercising authority or discretionary control over client funds. SS&C is arguing that this exclusion is inapplicable for two reasons: because SS&C did not have discretionary authority over Tillage’s funds, and because a provision within the exclusion states that it does not apply to any claim arising out of SS&C’s performance of professional services. This article examines the pitfalls insurance coverage that can lead to these disputes and offers ways for companies to make sure they don’t hit similar pitfalls.

Losses from technology-enabled fraud can be substantial and involve more than one organization. Financial institutions should take a close look at any relevant policies they and their vendors purchase, paying close attention to their language to ensure they provide appropriate coverage for otherwise covered losses caused by technology-enabled fraud. Risk professionals should also work closely with their brokers and insurers to identify – and address – potential coverage gaps and exclusions and make certain that all relevant policies are aligned.