$6 Million Phishing Loss Does not Trigger Coverage Under Crime Policies

March 1, 2021
Insights for Insurers: Cyber Coverage

A federal district court in Dallas, Texas has held that an insured's commercial crime policies were not triggered by a $6 million phishing loss where the insured did not "hold" the stolen funds. The case is RealPage Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, No. 3:19-CV-1350-B (February 24, 2021).

The insured, RealPage, Inc. (RealPage), is a service provider for property owners and property management companies. RealPage used a third-party payment processor (Stripe) to facilitate collection of rental payments from its clients' tenants and then credit those funds to its clients' bank accounts. Pursuant to its contract with RealPage, Stripe would pull money from tenants' bank accounts and place them in Stripe's bank account. Upon instructions from RealPage, those funds—which had been commingled in Stripe's bank account with the funds of other Stripe customers—would then be transferred to RealPage's clients. RealPage had no rights to Stripe's bank account and could not withdraw funds from it. 

In 2018, fraudsters used a phishing scheme to obtain and alter the credentials of a RealPage employee. They then changed RealPage's disbursement instructions to Stripe, resulting in the diversion of more than $10 million. Upon discovery of the fraud, RealPage instructed Stripe to reverse the payments, but only $4 million was recovered. RealPage reimbursed its clients for the lost $6 million and sought coverage under its primary and excess commercial crime policies.

The primary policy contained the following "Ownership of Property, Interests Covered" provision:

The property covered under this policy is limited to property:

(1) That you own or lease; or
(2) That you hold for others whether or not you are legally liable for the loss of such property. 

The central dispute in the case was whether RealPage held the client funds at issue within the meaning of that provision. Among other things, RealPage argued that the term "hold" means to control, direct, and keep under an obligation. The court rejected that argument, ruling that "hold" as used in the policy connotes possession and that "an ability to direct property, without more, is insufficient." The court also rejected the insured's contention that the term "hold" is ambiguous, stating that the parties' disagreement about the scope of the term does not create an ambiguity. Because the client funds were not covered property, the court granted summary judgment for both the primary and excess insurers.*

Although the court's decision in that regard was dispositive of RealPage's claim, the court addressed the parties' extensive briefing concerning whether RealPage suffered a direct loss under the policy's Computer Fraud provision. That clause stated:

We will pay for loss of or damage to "money" ... resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises":

a. To a person (other than a "messenger") outside those "premises"; or
b. To a place outside those premises. 

The court held that "[t]his language indicates an intent to limit coverage to losses sustained by RealPage, not third parties. Here, since RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients. Accordingly, RealPage did not suffer a direct loss as required by the Policy."

The court also held that because RealPage did not suffer a direct loss, the policy's exclusion for loss that is an indirect result of an occurrence covered by the policy also precluded coverage for the claim.

*Coverage under the excess policy was dependent upon RealPage's entitlement to coverage under the primary policy.