Contractor B is a sub-contractor of Contractor A. Both businesses are agency clients. Contractor B received a phishing email from a cybercriminal claiming to be Contractor A, along with a fraudulent invoice for $26,000. Contractor B paid the bill. The two businesses have never conducted business by email and have never used wire transfers as a method of payment between each other.

Now Contractor B doesn't want to pay the legitimate bill because it says the “hack" came from Contractor A. Contractor A wants the bill paid and believes it wasn't its fault that someone sent a fraudulent bill requesting payment with a method it's never used before.

Contractor A has a cyber endorsement that includes some first-party coverage. The policy has a $10,000 funds transfer fraud (FTF) sublimit. The agent is turning in a claim on that policy. Contractor B has no cyber coverage.

Q: Which party is responsible for paying the bill? Which one would the courts say is responsible? 

Response 1: If the email was not sent from within Contractor A's email system, I see no liability on the part of Contractor A. Contractor B paid a fraudulent invoice and the fraudulent invoice could have been generated using information that the bad actors obtained from infiltration of Contractor B's network systems, or the network system of some other party who has relevant information in their network system for both Contractor A and Contractor B.

If the email was sent from within Contractor A's email system, then Contractor A might be held responsible, but that is a matter that courts would need to decide.

Regarding Contractor A's cyber coverage, the coverage afforded by the cyber liability endorsement is very limited in scope. I don't think any of the provisions would apply to a claim made by Contractor B for Contractor B paying a fraudulent invoice that appeared to have been sent by Contractor A.

Response 2: Regarding what the courts say, that is a question for the courts or an attorney.

If there is coverage, Company A who has the cyber policy, will be reimbursed $10,000—the amount of the funds transfer fraud sublimit. This does leave $16,000. 

Cyber loss adjusters should be familiar with contacting the banks involved and alerting the banks' fraud departments. I have known field adjusters who are able to discover the address of the alleged thief and go to the home to investigate further. 

As to who is responsible, that will be the person who stole the money. Company A's carrier will seek subrogation—reimbursement—from the at-fault party. Unfortunately, that might be a fruitless task. 

Response 3: Was Contractor A negligent in some manner? Was Contractor A's system compromised? Did Contractor A do something wrong? 

Contractor B should have had a due diligence protocol in place to confirm the authenticity of the wire transfer request prior to sending the funds. 

Response 4: We are seeing this social engineering claim scenario every day, and contractors are a primary target for these scams.

The determination of liability in these cases is challenging, and disputes between the parties are common. How did the bad actor mimic Contractor A's email? Business email compromise (BEC) of Contractor A's email credentials or systems could occur after Contractor A was tricked into giving the cybercriminal access to their email. Or the cybercriminal could have just started communicating with Contractor B with an address that just looked like Contractor A's email address without any negligence or participation by Contractor A. 

Contractor B's actions could also play a part. It may be negligent for failing to use a separate and established communication method before accepting any new or updated payment instructions. 

Note that the coverage afforded by these throw-in cyber endorsements can be very limited. In addition to the $10,000 FTF sublimit in the policy, other limitations and exclusions may apply.

Response 5: In my view, unless Contractor B can demonstrate the payment was received by Contractor A, then it still owes the payment to Contractor A. Failing to pay a bill owed because you paid someone else would not be a discharge of the obligation—even if it was not your fault you paid the wrong person. You still owe them the payment.

If Contractor B was traveling to Contractor A with a bag of cash to pay the bill, but was robbed on the way and lost the money, that would certainly not allow Contractor B to avoid payment to Contractor A. I don't see that electronic payment would change that.

This question was originally submitted by an agent through the Big “I" Virtual University's (VU) Ask an Expert service, with responses curated from multiple VU faculty members. Answers to other coverage questions are available on the VU website. If you need help accessing the website, request login information.

This article is intended for general informational purposes only, and any opinions expressed are solely those of the author(s). The article is provided “as is" with no warranties or representations of any kind, and any liability is disclaimed that is in any way connected to reliance on or use of the information contained therein. The article is not intended to constitute and should not be considered legal or other professional advice, nor shall it serve as a substitute for obtaining such advice. If specific expert advice is required or desired, the services of an appropriate, competent professional, such as an attorney or accountant, should be sought.