Do D&O Policies Cover Computer Fraud Claims?

In March 2024, the Southern District Court for California, in Bridlewood Estates Prop. Owners Assoc. v. State Farm General Ins. Co., 2024 U.S. Dist. LEXIS 47593 (S.D. Cal. Mar. 18, 2024), denied an insurer’s motion to dismiss, finding that an insurance carrier must defend its insured against a claim involving a fraudulent payment made to a scammer. The district court’s decision suggests that Directors & Officers (D&O) policies may afford coverage for losses arising from cyber fraud and exemplifies California courts’ tendency to find coverage in favor of insureds absent explicit policy language precluding coverage. 

The Case

In Bridlewood, plaintiff Bridlewood Estates Property Owners Association (HOA) received a six-figure invoice for asphalt and paving work completed by Aztec Paving, Inc. (Aztec). Shortly after receiving the invoice, a fraudster sent false payment wiring instructions to the HOA using a spoofed email address that appeared to come from Aztec. The treasurer for the HOA ultimately sent payment totaling $123,617 to the spoofed email address rather than Aztec. Aztec subsequently filed a mechanic’s lien against the HOA’s property and filed suit for damages. The HOA tendered the lien and suit to State Farm, seeking coverage under its D&O policy.  

The policy’s D&O endorsement specified that the insurer would ”pay those sums that the insured becomes legally obligated to pay as damages because of a ‘wrongful act,’” and defined “wrongful act” as “any real or alleged error, misstatement, misleading statement, act, omission, neglect, or breach of duty committed, attempted or allegedly committed or attempted by an insured.” State Farm denied coverage for the claim, arguing that the lien and suit resulted from the HOA’s failure to fulfill a contractual obligation to Aztec, rather than from any “wrongful act” as defined in the policy. 

The HOA filed a lawsuit against State Farm in federal court, claiming that the denial of coverage was unjustified because it overlooked extrinsic facts that could have triggered coverage. State Farm responded by moving to dismiss, contending that the HOA had failed to demonstrate that any “wrongful acts” had occurred to warrant coverage. 

The district court denied State Farm’s motion, holding that Aztec’s breach of contract claim was not “necessarily disqualified from coverage” because the D&O endorsement did not expressly exclude contractual liabilities from coverage. The court found that the extrinsic evidence known to the insurer suggested that the HOA’s treasurer “committed an error, omission, neglect, or breach of duty arising out of his official capacity to process payments,” which constituted a “wrongful act,” in failing to recognize the spoofed email address and transmitting payment to the wrong bank account. But for that mistake, the court reasoned, Aztec would have received payment and the HOA would not have incurred the claimed losses.   

The court took a nuanced approach in Bridlewood. While it did not determine that there was coverage under the D&O endorsement, it concluded that the facts at hand could not definitively rule it out. In making this determination, the court considered not only the accusations in the underlying complaint but also external facts within State Farm’s purview. These included the contents of an email chain between the fraudster and the treasurer, submitted with the policyholder’s tender letter, as well as various “discovery exchanges” in the underlying action regarding the cause of the treasurer’s erroneous payment. The court also differentiated the HOA’s conduct from Aug. Ent., Inc. v. Philadelphia Indemnity Insurance Company, Co., 146 Cal.App. 4th 565 (2nd Dist. 2007) and other similar cases where the insured “intentionally entered into a contract, decided not to make payment on it, and looked to its D&O insurer for a bailout.” 

Presently, most California cases evaluating coverage for cyber fraud claims involve policies with “computer fraud” provisions. See e.g. Earnst and Haas Mgmt. Co., Inc. v. Hiscox, Inc., 23 F.4th 1195 (9th Cir. 2022). The Bridlewood decision may indicate that such claims could also be covered under D&O policies and serves as yet another example that, under California law, an insurer’s duty to defend is not solely determined by the allegations in the underlying complaint but may also hinge on additional “extrinsic facts known to the insurer.”   

This article originally appeared on Freeman Mathis & Gary LLP. 

Nicholas Directo is an associate at Freeman Mathis & Gary LLP.

William A. Hadikusumo is an associate at Freeman Mathis & Gary LLP.