Hacked business loses claim dispute over customers’ unpaid bills

A company has lost its bid for a payout after customer funds were stolen in an email hack.  

The business was targeted by cybercriminals who emailed invoices to clients asking for payments to an alternative bank account. Two customers sent a total of $66,148, which was not recovered.  

After the attack, the customers refused to make other payments owed to the company.  

The business held a management liability insurance policy and lodged a claim under its third-party crime section to cover the customers’ unpaid bills.  

But AIG Australia denied the claim, saying the policy responded only to “direct financial loss” caused by a theft or fraudulent act by a third party.  

The insurer said the claimant had not suffered a direct loss, because it was the customers’ money that was taken.  

In a dispute ruling, the Australian Financial Complaints Authority says the complainant suffered a loss, but it did not meet the policy’s definition.

“The complainant says it suffered direct financial loss, but it has not explained why the loss was direct,” an authority ombudsman said.

“In my view, only the complainant’s customers suffered direct financial loss. The complainant suffered indirect financial loss because the customers subsequently refused to pay the complainant.”  

The ruling also notes the hack did not meet the policy’s definition of theft, again because the customers’ money was stolen, not the company’s. Therefore, the policy’s electronic and computer crime cover did not apply.

The authority adds that the policy’s definition of “fraudulent act” – which refers to forgery and counterfeiting “upon which the insured has acted or relied” – did not apply because the complainant was unaware of the fake invoices.  
