AIG ordered to pay cyber fraud claim
AIG has been ordered to pay a claim for $50,000 after a client’s funds went missing when an unknown third party intercepted an emailed invoice and changed the banking details.
The invoice was intercepted and altered while it was being emailed internally between directors, before it was sent to the intended recipient. The money was then misdirected to another account, transferred offshore and never recovered.
The Australian Financial Complaints Authority (AFCA) ruled AIG had incorrectly denied a claim lodged under the policy’s Crime Protection cover.
AIG said the claim did not meet the criteria for computer or funds transfer fraud under the Electronic and Computer Crime policy terms.
Other requirements in the policy for “third party crime” were also not met, it said, as the insured did not suffer a direct financial loss due to acting or relying on a fraudulent instruction. The invoice recipient had instead suffered the loss, and still had a debt to pay, and the insured could seek damages for breach of contract.
AFCA agreed the policy’s Electronic and Computer Crime definition was not met, as the debt was not an asset under the control of a computer and also didn’t meet the funds transfer fraud criteria.
“The policy definition of funds transfer fraud says ‘it means the theft of the insured’s funds from an account maintained by the insured at a financial institution’.”
But it ruled the claim fell within the “Third Party Crime” terms that provide cover for “direct financial loss resulting from any theft or fraudulent act committed by any third party”.
AFCA did not identify any conduct issues on the part of the recipient, noting they had paid the invoice received and the details had matched those in the sent document.
There was no information available to show an obligation on the recipient to verify the bank account, nor any obligation on the senders to check internal emails for potential fraudulent alteration.
AFCA accepted the insured had “directly” suffered a financial loss due to the unpaid debt as a result of a “fraudulent act”.
The invoice was an instruction relied upon as part of the payment process, and the changing of it fell within the fraudulent alteration definition.
“While the policy definition of theft has not been met, there has been a fraudulent act as defined by the policy,” the decision says.
AFCA dismissed an argument that the matter should be outside its small business jurisdiction given the complainant is part of a global network of companies with 125 employees worldwide.
While the complainant is registered in Australia, it has only four employees and its only relationship with the global network is through the licensing of the name and intellectual property.
AFCA determined AIG should pay the complainant the $50,000 plus interest, as well as GST if required.