Décision

Future Electronics Inc. (Distribution) Pte Ltd. c. Chubb Insurance Company of Canada							2020 QCCS 3042
SUPERIOR COURT
CANADA
PROVINCE OF QUEBEC
DISTRICT OF					MONTREAL
No:			500-17-100182-172
DATE:		September 29, 2020
_____________________________________________________________________
BY	THE HONOURABLE					SUZANNE COURCHESNE, J.S.C.
_____________________________________________________________________
Future electronics inc. (distribution) pte ltd.
Plaintiff
v.
chubb insurance company of canada
Defendant
_____________________________________________________________________
JUDGMENT
_____________________________________________________________________

OVERVIEW

[1]       The issue before the Court is to determine whether an insurance company must fully indemnify its insured for the loss caused by a fraudulent email scheme related to legitimate invoice payments.

[2]       Between October 21, 2016 and January 25, 2017, Future Electronics Inc. (Distribution) PTE ltd. was the victim of a fraud which resulted in a loss of nearly US$2.7 million.

[3]      In effect, during that period, parties unknown, masquerading as representatives of Exar, a California-based supplier of Future (the Perpetrators), caused employees of Future’s accounting department to transfer a total of US$2,693,950.77 to accounts that the Perpetrators maintained with various Asian banks rather than to the account of the rightful supplier.

[4]      All communications between Future’s employees and the Perpetrators, except for one or two telephone conversations, occurred by email.

[5]       In February 2017, Future submitted a claim to its insurer, Chubb Insurance Company of Canada, in virtue of coverage under its crime insurance policy issued by Chubb.

[6]       Chubb refuses to fully indemnify Future. It asserts that the loss Future sustained is only covered by the very limited coverage afforded under a Social Engineering Fraud endorsement of its policy and agrees to pay the $50,000 limit it provides.

[7]       Future disagrees. It contends that the loss is covered under the Computer Fraud Insurance Agreement of the Policy. Alternatively, it pleads that it has a right to coverage for Funds Transfer Fraud by a Third Party. These provisions provide for coverage of up to US$25,000,000 for each loss and a deductible of US$175,000 for each loss. Chubb disagrees and points to a specific exclusion.

[8]       Before deciding who is right, the Court must first decide an objection made by Future to the production of a draft memo on factual findings dated February 21, 2017 and prepared by Ernst & Young at the request of Future’s parent company that Chubb wishes to produce into the court record.

1.     the admitted facts

[9]       The following facts are admitted by the parties as per their Agreed Statement of facts signed on March 4, 2020.

-        Future’s payment process

[10]    At all relevant times, the personnel of Future who dealt with the Perpetrators were as follows:

Ø  Boey Seow Kin (Mr. Boey):                Asia-Pacific Financial Controller;

Ø Peh Meng Choo (Ms. Peh):                 Finance Manager;

Ø Ivy Lim (Ms. Lim):                                 Trade Payables Supervisor;

Ø Jessica Soh (Ms. Soh):                       Trade Payables Executive;

Ø Serena Tan (Ms. Tan):                        Trade Payables Executive;

Ø Agnes Chew (Ms. Chew):                   Treasurer

[11]    As part of Future’s Trade Payables Team in Singapore, Ms. Lim, Ms. Soh and Ms. Tan were each responsible for a group of vendors consisting of both electronic digital invoice (EDI) and manual invoice vendors. Ms. Soh and Ms. Tan reported to Ms. Lim, who in turn reported to Ms. Peh. She reported to Mr. Boey[1].

[12]    Following receipt of an invoice, either through the EDI system or hard copy invoice, the Trade Payables Team would match the invoice, goods, receipt note and purchase order, resolve discrepancies if any, and take into account any credit notes and discounts before preparing payment.

[13]    The payment amount and date would then be keyed into Future’s HSBC bank portal (HSBCnet) of their USD bank account based on a summary of payments generated from Future’s accounting system, Oracle.

[14]    For bank account modifications, an “official letter” from the vendors was required[2].

[15]    The Trade Payables team would insert the details of any change in the bank account relating to the vendors into HSBCnet and Ms. Lim would then approve the changes made.

[16]    Ms. Soh confirmed that Ms. Lim received a copy of “official letters” sent by the Perpetrators in connection with the changes made to Exar’s banking details and the instructions to pay a third party[3].

-        The Perpetrators’ initial overture

[17]    On October 21, 2016, Ms. Soh received an email[4] from “Keith_Tainsky@exar.com”, bearing the following subject: “Addressed to Accounts Payable: New Banking Details”.

[18]    It read as follows:

Dear Customer,

We recently changed our banking details concerning our Asian customers. We will need you to update our wire information for the outstanding and future invoices.

Please confirm receipt of this email so I can forward you the new wire instructions.

Thank you

Keith Tainsky CFO/Chief Financial Officer Exar Headquarters

 

[19]    Unbeknownst to Ms. Soh, this email had not been sent by Exar’s CFO, Keith Tainsky, nor did it bear his correct email address. Rather, the Perpetrators masquerading as Mr. Tainsky sent the email.

[20]    It was the first time Ms. Soh received an email from the "CFO" of Exar.

 

[21]       In effect, Ms. Soh’s usual contact person at Exar was an Accounts Receivable Accountant by the name of Donna Cash. Further and while the fraud was being perpetrated, Ms. Soh continued to communicate with Ms. Cash concerning Exar’s credit notes and invoices being uploaded^[5].

-     The first modification to Exar’s vendor banking details

[22]       By email dated October 21[6], Ms. Soh responded to the Perpetrators and asked for the wire details.

[23]       By email dated November 7[7], the Perpetrators provided Ms. Soh with new wire instructions that were to be used for coming payment of invoice amounts owed by Future to Exar: both the beneficiary of the payment (changed from Exar to Golden Forest World Company Limited) and the bank wire instructions (bank name, address and account number) were modified[8].

[24]       In her follow-up email dated the next day[9], Ms. Soh advised the Perpetrators that Future’s practice was to issue payments to the entity named on the invoice, and requested a letter from Exar confirming the identity of the beneficiary of the wire transfer.

[25]       By reply email[10], the Perpetrators sent Ms. Soh the requested “official letter[11].

-     The November 10, 2016 US$347,426.46 transfer

[26]       Between November 9 and 10, further communications ensued between the Perpetrators and Ms. Soh, as well as with Ms. Peh and Mr. Boey, regarding the approval of the payment instructions prepared by Ms. Soh.

[27]       On November 9, Ms. Soh sent a list of invoices for the period from October 3 to October 10, amounting to US$347,426.46 to “Keith Tainsky”. The listing of invoices was resent to “Keith Tainsky” on November 10[12].

[28]       The first bank transfer of US$347,426.46 was made on that day[13].

[29]       The payment was prepared by Ms. Soh, and was subsequently authorized by Mr. Boey and then by Ms. Peh. A copy of the remittance advice was sent to “Keith Tainsky” subsequent to the payment[14].

 

 

-     The November 23, 2016, US$406,027.41 transfer

[30]       On November 11, the Perpetrators sent an email to Ms. Soh stating that they had tried to reach her and asked when they could discuss. Ms. Soh called the Perpetrators and believes that the discussion was about “payment inquiries”, i.e. payment date or amount[15].

[31]       On November 17, a listing of invoices for the period from October 11 to November 3, 2016, amounting to US$406,027.41 was sent to “Keith Tainsky”.

[32]       On November 23, US$406,027.41 was paid to Golden Forest[16]. Again, the payment was prepared by Ms. Soh and authorized by her superiors. A copy of the remittance advice was sent to “Keith Tainsky” subsequent to the payment[17].

-     The December 23, 2016, US$533,577.96 transfer

[33]        On December 5, the Perpetrators wrote to Ms. Soh stating that Mr Tainsky had tried to reach her and asking for her direct phone number. She obliged[18].

[34]        On December 21, Ms. Soh sent “Keith Tainsky” a list of invoices for the period from November 11 to December 1, of the total amount of US$533,577.96[19].

[35]        On December 23, US$533,577.96 was paid to Golden Forest. Like the November 23^rd payment, it was prepared by Ms. Soh and authorized by her superiors.

[36]        A copy of the remittance advice was sent to “Keith Tainsky” on December 29[20].

-     The second modification to Exar’s vendor banking details

[37]        At the beginning of January 2017, the Perpetrators communicated with Ms. Soh to “track” the December 23 payment and provide the SWIFT payment confirmation[21].

[38]        Ms. Soh asked Ms. Chew, Future’s treasuror, to get in touch with “Keith Tainsky” and help liaise with the bank.

[39]        On January 4, Ms. Chew forwarded to the Perpetrators a screen shot of the SWIFT payment confirmation[22].

[40]        By email dated January 9[23], the Perpetrators advised Ms. Soh that, per the attached “official letter”[24], Exar was ending its relationship with Chiyu Banking Corp., and would be providing Future with wire instructions for the new bank. The Perpetrators mentioned that they had requested Chiyu Banking Corp. to proceed with the refund of US$533, 577, 96 to Future’s account.

[41]        On January 11, Ms. Soh followed-up on the US$533, 577, 96 refund, stating that Future had not received anything. “Keith Tainsky” replied that it could take up to 5 days to reach their account[25].

[42]        Between January 13 and 15, Ms. Soh and the Perpetrators exchanged emails regarding the refund that had not yet been received[26].

[43]        By email dated January 22,[27] Ms. Soh informed the Perpetrators that Future’s upcoming payment would be effected pursuant to the new wire instructions.

-     The third change to Exar’s vendor banking details

[44]        By emails dated January 23 and 24,[28] the Perpetrators advised Ms. Soh that the beneficiary referenced in the new wire instructions needed to be modified and requested a screenshot of the pending payment.

[45]        By an “official letter” dated January 23, the Perpetrators changed, once again, the beneficiary (from Golden Forest to Star Fortune Asia Ltd) and the banking details for the payment of Exar’s upcoming invoices[29].

[46]        That “official letter” was given to Ms. Lim who approved the change to Exar banking details and payee[30].

-     The January 25, 2017 US$1,406,918.94 transfer

[47]        Ms. Soh’s email of January 25,[31] advised the Perpetrators that Future’s US$1,406,918.94 wire transfer had been processed by its Bank and attached a copy of the bank payment document.

[48]        A payment of US$1,406,918.94 was made on January 25.[32] It was prepared by Ms. Soh and authorized by Ms. Peh, and then by Mr. Boey[33].

[49]        At that time, the US$533,577.96 had not been refunded to Future[34].

-     The discovery of the fraud

[50]        By email dated January 28[35], Exar’s Donna Cash complained to Ms. Soh that a number of invoices were more than 90 days overdue.

[51]        On January 30[36], Ms. Soh advised Ms. Cash that a payment had been effected on November 23, 2016, as per instructions received from “Keith Tainsky”.

[52]        The same day Ms. Cash informed Ms. Soh that the email address she had for Keith Tainsky was incorrect.

[53]        On February 2, Exar notified Ms. Soh that none of the emails and “official letters” sent by the Perpetrators had been issued by the real Keith Tainsky, nor had these emails used Mr. Tainsky’s correct email address[37].

[54]        Exar further apprised Ms. Soh that it had not received the wire transfer payments that had been authorized by Future’s Trade Payables employees and demanded prompt payment of the outstanding invoices.

[55]        On February 20, Future submitted a proof of loss to Chubb[38] under its Executive Protection Policy issued by Chubb for the November 1, 2016 to November 1, 2017 policy period (the Policy)[39].

-     Chubb’s denial of coverage

[56]        On June 7, 2017, Chubb notified Future[40] that the claim was not covered under the Policy for Funds Transfer Fraud by a Third Party Coverage or the Computer Fraud by a Third Party Coverage insuring agreements forming part of the Policy.

[57]        Chubb asserted that the loss was only covered under the Policy Social Engineering Fraud insuring agreement, which has a sublimit of US$50,000.

[58]        Notwithstanding the fact that Future disagreed[41], Chubb tendered a US$50,000 under the Policy’s Social Engineering insuring agreement in respect of the claim. Future refused to accept it.

 

2.      ANALYSIS

2.1. Objection on Exhibit D-1

[59]       Future raises an objection as to the admission into evidence of Exhibit D-1, a draft memo on factual findings dated February 21, 2017 and prepared by Ernst & Young at the request of Future Electronics Inc., a parent company of Future.

[60]       This memo contains findings and observations of its authors in relation to Future’s policies and standard operating procedures for payment and vendor bank account modifications (phase 1) and on the circumstances surrounding the four monetary transfers to the Perpetrators (phase 2).

[61]       Exhibit D-1 is not admissible for the following three reasons.

[62]       First, its authors expressly mention that no reliance should be placed on such draft memos issued by them for discussion purposes only and stress that the people they interviewed were not under oath[42].

[63]       Second, Exhibit D-1 is an out-of-court statement. Its authors did not testify and its content constitutes hearsay, observations and opinion. Such a report is akin to an auditor general’s report. The Court of appeal has found that such a report is inadmissible under art. 2870 CCQ[43].

[30] En l'espèce, il n'est pas nécessaire de décider si les deux premières conditions sont remplies puisque la troisième n'est pas satisfaite. En effet, les rapports du Vérificateur ne se limitent pas à l'énumération de «faits» au sujet desquels il aurait pu «légalement» témoigner. Certes, dans une infime portion, les rapports énoncent de tels faits, mais ils contiennent également, dans une portion appréciable, des éléments de ouï-dire, des conclusions, des recommandations, des interprétations de la réglementation, des opinions, etc. qui ne peuvent être introduits en preuve par la déclaration dont traite l'article 2870 C.c.Q. Cette disposition n'a pas pour objectif de permettre le dépôt en preuve d'un rapport d'expert ni celui d'un enquêteur, parce que, en principe, ceux-ci ne peuvent être considérés comme des témoins de «faits».

(The Court underlines)

 

[64]       Third, the parties agreed on a statement of relevant facts and Chubb did not refer the Court to any additional findings contained in D-1 that would be relevant and of probative force in support of its defence.

 

2.2. The applicable principles of law on interpretation of insurance contracts

[65]       The rules governing the interpretation of insurance policies are well established and summarized by the Supreme Court of Canada in Progressive Homes[44] and more recently, in Ledcor :

[49]   The parties agree that the governing principles of interpretation applicable to insurance policies are those summarized by Rothstein J. in Progressive Homes. The primary interpretive principle is that where the language of the insurance policy is unambiguous, effect should be given to that clear language, reading the contract as a whole: para. 22, citing Non-Marine Underwriters, Lloyd’s of London v. Scalera, 2000 SCC 24, [2000] 1 S.C.R. 551, at para. 71.

[50]   Where, however, the policy’s language is ambiguous, general rules of contract construction must be employed to resolve that ambiguity. These rules include that the interpretation should be consistent with the reasonable expectations of the parties, as long as that interpretation is supported by the language of the policy; it should not give rise to results that are unrealistic or that the parties would not have contemplated in the commercial atmosphere in which the insurance policy was contracted, and it should be consistent with the interpretations of similar insurance policies. See Progressive Homes, at para. 23, citing Scalera, at para. 71; Gibbens, at paras. 26-27; and Consolidated-Bathurst Export Ltd. v. Mutual Boiler and Machinery Insurance Co., [1980] 1 S.C.R. 888, at pp. 900-902.

[51]   Only if ambiguity still remains after the above principles are applied can the contra proferentem rule be employed to construe the policy against the insurer: Progressive Homes, at para. 24, citing Scalera, at para. 70; Gibbens, at para. 25; and Consolidated-Bathurst, at pp. 899-901. Progressive Homes provides that a corollary of this rule is that coverage provisions in insurance policies are interpreted broadly, and exclusion clauses narrowly.

[52]   It is also important to bear in mind this Court’s guidance in Progressive Homes on the “generally advisable” order in which to interpret insurance policies (para. 28). Although that case involved commercial general liability policies and not builders’ risk policies, the two types of policies share a similar alternating structure: they set out the type of coverage followed by specific exclusions, with some exclusions containing exceptions. As such, the insured has the onus of first establishing that the damage or loss claimed falls within the initial grant of coverage. The parties in these appeals have conceded that this particular onus has been met: trial judge’s reasons, at para. 9. The onus then shifts to the insurer to establish that one of the exclusions to coverage applies. If the insurer is successful at this stage, the onus then shifts back to the insured to prove that an exception to the exclusion applies: see Progressive Homes, at paras. 26-29 and 51. Contrary to the Court of Appeal’s statement at para. 26 of its reasons that the exclusion and exception in this case must be interpreted “symbiotically”, I see no reason to depart from the generally accepted order of interpretation in analyzing the Policy and the Exclusion Clause.[45]

(Emphasis added)

[66]        In sum, an insurance contract must be read as a whole and its various provisions must be harmonized in order to give effect to the policy’s terms.

[67]        Both parties argue that the terms of the Policy are clear, although they arrive at different conclusions as to the meaning of its provisions. Should the Court find ambiguity in the terminology employed in the contract, the interpretation rules, taking into consideration the reasonable expectations of the parties and the commercial reality, must be applied.

2.3. Is Future’s claim covered by the Computer Fraud Insuring Agreement?

[68]       Under the "Crime - Loss sustained Coverage Section", the Policy provides coverage for Computer Fraud by a Third Party as follows[46]:

The Company shall pay for direct loss sustained by an Insured resulting from:

[…]

(H)       Computer Fraud by a Third Party

[…]

Computer Fraud means the unlawful taking of Money, Securities or Merchandise through the use of any Computer System.

[…]

Computer System means a computer or network with its input, output, processing, storage and communication facilities, and shall include off-line media libraries.

(Emphasis original; the Court underlines)

[69]       The Computer Fraud coverage therefore essentially requires that two conditions be met it order for it to be triggered:

1.             the unlawful taking of money;

2.             through the use of a Computer System.

[70]       According to Future, the loss is covered under this insuring clause because the Perpetrators executed their criminal scheme through the use of computer systems:

-        the instructions for the fraudulent funds transfers were communicated to Future’s employees by means of emails that were transmitted through and received via computers;

-        the funds transfers were effected electronically through computer systems, including communications facilities, maintained by Future and its bank.

[71]       Future argues that but for the use of a computer, there would not have been a loss, and that the wording of the Policy, read as a whole, establishes coverage under this clause.

[72]       Chubb retorts that coverage under the Computer Fraud Insuring Agreement requires that the third-party fraudsters actually uses a computer system to directly steal money that belongs to the insured. Essentially, Chubb asserts that Computer Fraud Coverage implies a direct computer attack on an insured’s technological systems in order to take money whereas, in this case, the computer system was simply a passive instrument used by the Perpetrators to exchange emails for the purpose of manipulating Future’s employees.

[73]       The language of this insuring clause must be examined in conjunction with the other provisions of the Policy, read as a whole.

[74]       The Policy does not provide specific meaning to the expression "unlawful taking" contained in the provision. However, this expression is used to define other terms in the Policy, more specifically Robbery and Safe Burglary[47], that imply the act of seizing or stealing the victim’s property.

[75]       Both parties refer to dictionary definitions to interpret this term and a United States District Court decision quotes definitions of taking as follows [48]:

Here, the policy defines "theft" as "the unlawful taking of property to the deprivation of the insured." (Policy F.20.) The term "unlawful taking" is not defined in the policy. The Oxford English Dictionary defines "taking" as "[t]he physical act of possessing oneself of anything," with reference to the verb "take," meaning "to transfer to oneself by one's own physical act." Oxford English Dictionary Vol. XVII, 576 (2d ed.1989). Black's Law Dictionary defines a "taking" as "[t]he act of seizing an article, with or without removing it, but with an implicit transfer of possession or control." Black's Law Dictionary 1682 (2014). This definition does not require physical possession of the seized article, but does require, at minimum, that the actor exert control over the article such that possession or control is transferred.

(The Court underlines)

[76]        As such, the terms "unlawful taking", on their plain, ordinary meaning, are construed as illegally seizing. The act of unlawful taking must be perpetrated by a Third Party (a person other than the Insured or Employee), in this case by the Perpetrators, through the use of any computer system.

[77]        Most of the authorities referred to by the parties with respect to Computer Fraud coverage provisions involve a different and broader wording than the term "unlawful taking", to wit the use of any computer to fraudulently cause a transfer of money or property[49], or the fraudulently induced transfer of money resulting from a computer violation[50]. In the Court’s view, the language chosen in the Policy requires a direct act performed by the Perpetrators, the unlawful taking of money and a specific mode of operation to achieve it, the use of a computer system, whereas to fraudulently cause or induce a transfer of funds may involve the intermediary act of the insured or its employees, duped by the fraudster. The language used in the Policy differs from the insuring agreements’ analyzed in the US cases submitted by both parties.

[78]        The Court concludes that the unlawful taking of money requires a direct act of stealing perpetrated by the fraudster, through the use of a computer.

[79]        Future further argues that the Policy uses specific terminology to define a breach or intrusion into a computer system:

Computer Violation means an intentional, unauthorized and malicious:

(A)         entry of data into a Computer System;

(B)         change to data elements or program logic which is kept in machine readable format; or

(C)         introduction of instructions, programmatic or otherwise, which propagate themselves through a Computer System.

directed solely against any Insured.

[80]       In other crime coverage policies, Chubb has used specific language to define coverage for "Computer Fraud" by the use of "Computer Violation" [51]:

Computer Fraud means the unlawful taking of Money, Securities or Property resulting from a Computer Violation.

(Emphasis original; the Court underlines)

 

 

[81]        Such specification is not made in the wording of the Policy. Nevertheless, the use of a computer system to perform unlawful taking of money or property cannot be construed as being so broad as to cover any loss caused by a fraud that involves the simple operation of a computer in an incidental or minor way, to wit as a mode of communication for the transmission of fraudulent instructions.

[82]        In this case, but for the insured’s employees acting on the information and instructions received from the Perpetrators, the money would not have been transferred. The computer, more specifically the emails, were the communication mode used by the fraudsters for their operation. The Perpetrators did not unlawfully take any funds from Future by the means of their computer system. Rather, they unlawfully caused a transfer of Future’s money, through the intentional misleading of Future’s employees, during communications held by email and, on one or two occasions, by phone. This misleading, not the technology, was the agency they used.

[83]        The Court agrees with the following comments of the Fifth Circuit United States Court of Appeal that concluded that a loss, which had occurred under similar circumstances, was not covered under the insurance policy’s computer fraud provision:

 

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster II, convert the computer-fraud provision to one for general fraud. See 2016 WL 4056068, at *1. We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred. In short, few—if any—fraudulent schemes would not involve some form of computer-facilitated communication.[52]

 

(The Court underlines)

[84]       Finally, the Computer Fraud Insuring Agreement must be considered in the context of the Policy as a whole, including the Social Engineering Fraud Endorsement.

[85]       As more fully stated in Section 2.6, this endorsement clearly provides coverage for the specific situation established by the facts, in which the Perpetrators duped Future’s employees into believing they were the CEO of Exar and caused the transfer of money in result of this intentional misleading.

[86]       For all these reasons, Future’s claim under the Computer Fraud provision must fail.

 

2.4.        Is Future’s claim covered by the Funds Transfer Fraud Insuring Agreement?

 

[87]       Future submits that alternatively, the loss is covered by the Funds Transfer Fraud Insuring Agreement.

[88]       The relevant Policy provisions are the following[53]:

The Company shall pay for direct loss sustained by an Insured resulting from:

[…]

(E) Funds Transfer Fraud by a Third Party,

[…]

Funds Transfer Fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without an Insured's knowledge or consent.

 

(Emphasis original; the Court underlines)

[89]       According to Future, the Perpetrators executed their criminal scheme entirely through the use of fraudulent written instructions to direct the transfer of funds by Future’s financial institution to the Perpetrators, unbeknownst to Future. Future could not be said to have knowingly agreed or otherwise consented to the payments.

[90]       Chubb replies that, under the Funds Transfer Fraud Insuring Agreement, coverage is not afforded for swindles whereby the third-party fraudster dupes the insured’s employee as to the fraudster’s identity, and said employee voluntarily issues genuine, authorized, bank payment instructions to the insured’s bank that are implemented as the per the employee’s instructions.

[91]       Chubb’s interpretation of the clear unambiguous language of this provision is correct. The coverage under the Funds Transfer Fraud provision is triggered when the insured’s bank is tricked into transferring money following instructions that were not the insured’s, and which the insured neither had knowledge of nor consented to[54].

[92]        In the present case, the Perpetrators never issued fraudulent wire transfer instructions to Future’s financial institution, HSBC, without Future’s knowledge or consent. On the contrary, HSBC made the payments in question in accordance with expressly authorized instructions it had received from Future that had been prepared by one of Future Trade Payables employees and reviewed and approved by both her superiors.

[93]        Although Future’s employees did not know that the Perpetrators’ instructions were fraudulent, they were aware and informed of the payments made from Future’s bank account since they expressly authorized and consented to such monetary transfers.

[94]        Future’s interpretation of this provision, as covering for the insured’s employees being tricked into giving their consent to the bank transfers, circumvents the clear wording used in the Policy.

[95]        Furthermore, Future’s interpretation of the Funds Transfer Fraud coverage renders the Social Engineering Fraud Endorsement meaningless, as more specifically discussed under Section 4.6.

 

2.5.        Is Future’s claim captured by Exclusion M?

[96]       Had the Court held that the claim is covered either by the Computer Fraud or by the Funds Transfer Fraud Insuring Agreements, an exclusion contained in the Policy specifically precludes coverage for voluntary parting of money.

[97]       Exclusion M is worded as follows[55]:

Exclusions

6.       Coverage hereunder does not apply to:

[…]

(M)             loss due to an Insured knowingly having given or surrendered Money, Securities or Property in exchange or purchase to a Third Party, not in collusion with an Employee. This exclusion shall not apply to Money Orders and Counterfeit Currency Fraud;

(Emphasis original; the Court underlines)

[98]       Future contests the application of Exclusion M, which is drafted narrowly to address a specific risk. According to Future, this exclusion applies only to knowingly giving or surrendering money, securities or property to third party, such as the actual vendor or client.

[99]       The language of the Exclusion M is unambiguous and applies to any voluntary parting of property by the insured, in exchange or purchase, to a third party. In the present case, it is undisputed that the payments of outstanding invoices were made to the Perpetrators, in respect of products delivered by Future’s legitimate supplier Exar. Future’s employees knowingly instructed HSBC to make such payments to the Perpetrators, in satisfaction of debts Future owed to Exar.

[100]     Thus, Exclusion M would have excluded coverage under the previously analyzed insuring agreements, had it been triggered.

 

2.6.        Is Future’s claim covered by the Social Engineering Fraud Endorsement?

[101]     The Policy includes an endorsement for Social Engineering Frauds.

[102]     The relevant policy language is as follows[56]:

The Company shall pay the Insured for loss resulting from an Insured having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client, or an Employee who was authorized by the Insured to instruct other Employees to transfer Money or Securities.

[…]

Social Engineering Fraud means the intentional misleading of an Employee, through misrepresentation of a material fact which is relied upon by an Employee, believing it be genuine.

(Emphasis original; the Court underlines)

[103]     This endorsement was added to Future’s crime insurance policy in 2015[57]. It was presented to Future by its previous broker Marsh in 2014 as a new endorsement that broadened the cover afforded under the policy[58]. Social engineering fraud loss scenarios, similar to the admitted facts, were described in the brochure provided to Future.

[104]     This endorsement explicitly covers an insured’s volitional transfer of funds resulting from a fraudulent scheme perpetrated by a third party who impersonates a legitimate vendor. More specifically, it requires that:

-     A loss result from the Insured having transferred, paid or delivered any Money or Securities;

-     The transfer, payment and/or delivery of Money or Securities be the direct result of an Employee having relied upon a misrepresentation of a material fact which the Employee believed was genuine;

-     The Employee be intentionally misled by material misrepresentation;

-     The material misrepresentation be made by someone who purports to be a Vendor (in Future’s case), defined as an entity or natural person that has provided goods or services to an Insured under a legitimate pre-existing arrangement or written agreement.

[105]    In light of the precise language used in the endorsement, Future’s loss corresponds precisely to the type of “social engineering fraud” scenario contemplated by such coverage: Future’s accounts-payable employees were duped by the Perpetrators, purporting to be a legitimate vendor, who both wrote to them (via email) and spoke to them (via telephone), into changing the banking information for the existing vendor. Future’s employees believed the request for change of the vendor’s banking information to be genuine. The wire payment instructions were prepared by Future’s employees; the instructions were then approved by Future’s Finance Manager, as well as its Asia Pacific Financial Controller, and were executed as approved. The payments were made to bank accounts controlled by the Perpetrators.

[106]    Finally, Future’s assertion that the Policy can be reasonably construed to afford double coverage must be rejected because it renders exclusion 10 of the Endorsement meaningless. Said exclusion expressly stipulates that the Social Engineering Fraud Insuring Agreement does not afford coverage for loss covered under, inter alia, the Computer Fraud and Funds Transfer Fraud Insuring Agreements:

No coverage will be available under Social Engineering Fraud Coverage lnsuring Clause for

(a) Cause(s) of loss:

Loss or damage due to Crime by an Employee Forgery, Computer Fraud, Funds Transfer Fraud, Money Orders and Counterfeit Currency Fraud or Credit Card Fraud;  

 (Emphasis original; the Court underlines)

[107]     In light of this provision, the risks covered by the Funds Transfer Fraud and Computer Fraud Insuring Agreements and those covered by the Social Engineering Fraud endorsement are mutually exclusive.

3.      Conclusion

[108]     Considering the Court’s conclusions and the clear language of the Policy’s provisions, the evidence adduced by both parties in support of their respective views of the parties’ intention is not taken into consideration. The Court considers that there were no ambiguity to be resolved in light of the reasonable expectations and the common intention of the parties.[59]

WHEREFORE, THE COURT:

[109]     DISMISSES Plaintiff’s Amended judicial application;

[110]     THE WHOLE with judicial costs.

		__________________________________ SUZANNE COURCHESNE, S.C.J.
Me George J. Pollack
Me Faiz Munir Lalani
davies ward phillips & vineberg
Attorneys for the Plaintiff
Me Nicholas Krnjevic
Me Elisabeth Laroche
robinson sheppard shapiro
Attorneys for the Defendant
Hearing dates:	March 4 and 5, 2020