In AIMS Insurance v. National Fire, et al, the Arizona Court of Appeals held a Forgery Endorsement did not provide coverage for a “spoofing” attack based upon the interpretation of the endorsement.[i]
When AIMS Insurance Programs Managers (“AIMS”) was victim of a “spoofing” attack, which defrauded it of more than $300,000, it made a claim with its insurer, National Fire Insurance Company of Hartford (“National”). National declined coverage under the forgery endorsement but paid the $10,000 per occurrence policy limit for computer fraud.
The “spoofing” attack in question occurred when thieves gained access to an AIMS employee’s email account and intercepted payments from AIMS to its vendor, AmWINS Brokerage of Arizona (“AmWINS”). The thieves created nearly identical domain names for AmWINS employees and opened accounts at the bank that served AMWINS. They were then able to intercept insurance binders and invoices which were sent from AMWINS to AIM and replace them with fraudulent emails. These fraudulent emails attached the intercepted insurance binders and invoices, which had been altered to direct AIMS to wire payments to the thieves’ accounts.
AIMS made three wire transfers to the counterfeit emails totaling $357,711.64. Twenty days after the initial breach, AmWINS notified AIMS it did not receive payment on the invoices. AIMS immediately notified its bank and AmWINS’ bank of suspected fraud.
AIMS made a claim to National under its business proprietary insurance. Although National agreed to pay $10,000 to AIMS under the “Computer Fraud” endorsement, National declined coverage under the “Forgery and Alteration” endorsement. AIMS filed a complaint seeking declaratory judgment the policy covered the entire loss, and National breached the parties’ contract and acted in bad faith.
Ultimately, the parties stipulated to dismiss the claim for bad faith but cross-moved for summary judgment on the coverage claims. The superior court granted summary judgment in favor of National, and AIMS appealed.
The Forgery Endorsement
Under Arizona law, a court must read an insurance policy’s provisions as a whole, giving effect to all provisions. Absent a specific definition, courts construe the terms of a policy according to their plain and ordinary meaning. After analysis, if the term remains ambiguous, then courts may construe the term in favor of coverage because the insurer is in the best position to prevent ambiguity in a form contract. Nevertheless, the insurer bears the burden to establish coverage under the insuring agreement.
The Arizona Court of Appeals found the policy’s Forgery Endorsement did not cover the fraudulently induced wire transfers. The policy insured against, “loss resulting directly from ‘forgery’ or alterations of, on, or in any check, draft, promissory note, bill of exchange, or similar written promise, order or direction to pay a sum certain money, made or drawn by or drawn upon” by AIMS or its agent.[ii] The policy defined “forgery” as “the signing of the name of another person or organization with intent to deceive.”[iii]
Similarly, AIMS also contended the policy defined “securities” as negotiable and nonnegotiable instruments. However, this argument also failed because the Forgery Endorsement did not implicate the policy’s definition of “securities.”[v]
How Many Occurrences?
In contrast to the superior court, the Arizona Court of Appeals held the three fraudulent emails and wire transfers constituted three separate occurrences; therefore, AIMS was entitled to recover the per-occurrence limit of $10,000 for each wire transfer. The Computer Fraud Endorsement insured against, “loss…resulting directly from the use of any computer to fraudulently cause a transfer” from inside an AIMS’ building or its bank to a person or place “outside those premises.”[vi] The policy limited recovery to $10,000 per one occurrence, but did not define “occurrence” for purposes of the endorsement.
National contended there was only one occurrence under the policy because the cause of AIMS’ loss was a single fraudulent scheme. The Court disagreed.
Since the policy used the term “occurrence” without defining it, the Court applied the Helme standard to determine, “whether there was one proximate, uninterrupted, and continuing cause which resulted in all of the injuries and damages.”[vii] Here, the Court found each email represented a separate demand for payment, which resulted in a separate wire transfer by AIMS. Thus, the three separate emails were not one proximate, uninterrupted, and continuing cause resulting in the injuries suffered by AIMS. Rather, each demand for payment of one of the invoices was a distinct “causative act” which constituted a separate occurrence.
Further, the Court noted the construction and application of the term “occurrence” was in accordance with the rule that courts interpret the terms of an insurance policy according to their plain and ordinary meaning. Furthermore, even if the term “occurrence” as used in the policy is ambiguous, the court is to construe ambiguity in favor of coverage.
Under this holding, insurers may have standing to deny coverage to an insured for a “spoofing” claim made under a forgery endorsement. However, insurers should ensure the language of the policy is unambiguous, and the policy will be interpreted fairly according to the insurer’s intent.
[i] AIMS Insurance Program Managers Inc. v. National Fire Insurance Company of Hartford, et al, 1 CA-CV 20-0032, 2021 WL 408874 (App. Feb. 4, 2021).
[ii] Id. at *2.
[v] Id. at *3.
[vii] Ariz. Prop. And Cas. Ins. Guar. Fund v. Helme, 153 Ariz. 129, 134, (1987). Under the Helme standard, in interpreting insurance policy which uses term “occurrence” without defining such term, courts ordinarily inquire whether there was but one proximate, uninterrupted, and continuing cause which resulted in all injuries and damages.