Insurers Not Obligated to Pay $6 Million Phishing Loss

A federal district court in Dallas has ruled that American International Group Inc. and Beazley PLC units are not obligated to compensate a property management software company for money lost in a phishing scheme because it never technically held the funds that were stolen.

Source: Business Insurance | Published on March 1, 2021

Hackers using laptop computers to penetrate security systems to steal big data from the server room

The U.S. District Court in Dallas ruled the funds were held by a third-party payment processor, according to Wednesday’s ruling by in RealPage Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA and Beazley Insurance Co., Inc.

San Francisco-based RealPage provides services for property owners and managers including collecting rental and other payments from residents and transferring them to its clients, the ruling said.

Payments are made through a third-party payment processor, San Francisco-based Stripe Inc. and held in Stripe’s bank account before being passed on.

RealPage’s commercial crime policy with AIG’s National Union Fire Insurance, which provided $5 million in coverage subject to a $50,000 deductible, covered property owned or held by the policyholder. RealPage also had an excess fidelity and crime policy with Beazley that had a $5 million liability limit.

In May 2018, in a phishing scheme, hackers obtained RealPage’s credentials and used them to access funds held by Stripe, diverting more than $10 million that had not yet been dispersed to RealPage’s clients. RealPage recovered a portion of the lost funds but was unable to recover more than $6 million.

AIG denied coverage for the loss on the basis that RealPage had not owned or held the funds, and the company filed suit against it and Beasley. The parties agreed that whether RealPage was entitled to coverage under the Beazley policy depended on whether it was entitled to coverage under the AIG policy.

The court agreed with the insurers. “RealPage’s authority to direct the transfer of the funds does not amount to holding the funds,” the ruling said. “The funds, until diverted to the bad actors’ accounts, remained in an account at Wells Fargo Bank in Stripe’s name — not RealPage’s,” it said.

“RealPage had no rights to the funds in the account and could not withdraw these funds. …Further, the funds were commingled with those of other Stripe users,” it said.

“Under these circumstances, RealPage did not possess the funds in any manner; thus, RealPage did not hold the funds,” the decision said, granting the insurers summary judgment in dismissing the case.

AIG and Beazley attorneys had no comment, while RealPage’s attorneys did not respond to a request for comment.

A federal appeals court affirmed a lower court in holding earlier this month that an Axis Capital Holdings Ltd. unit was not obligated to reimburse a silicon manufacturer for the wire transfer theft of more than $1 million under its policy’s computer transfer fraud provision because company officials had approved the transfer.