Companies are often indirect victims of hacker attacks in which emails and account data are manipulated. The Hagen Regional Court has now ruled that such attacks on third-party IT systems are not covered by a company's cyber insurance. Nevertheless, it is worthwhile for companies to analyse this carefully.
Nowadays, companies are faced with increasingly sophisticated scams in which criminals manipulate email communication and payment transactions. The approach has become more professional, whereas in the past it was often only individual employees who seized "favourable opportunities" to replace invoice issuers' account data with their own. Hackers gain access to invoice issuers' email inboxes and falsify information in order to change bank details. The aim is for the recipients to make payments to the fraudsters' accounts without anyone initially suspecting anything. By the time the biller sends a reminder, the fraudulent payment account has long since been "emptied". Claims against the often unsuspecting holders of the account used for the activity are usually not very promising, and so affected companies look around for further recourse.
The question of potential cover under the company's cyber insurance quickly arises. Many companies have taken out cyber policies promising protection against damage in connection with hacking, phishing, ransomware or other forms of cybercrime. Ideally, these policies cover financial losses caused by attacks on the IT infrastructure or other forms of manipulation. However, insurance cover often requires that a company's own IT systems are directly affected. The Hagen Regional Court has now ruled on this for the first time.
In the case decided by Hagen Regional Court (judgement dated 15 October 2024, 9 O 258/23), a company received an email that appeared to originate from a long-standing supplier. It referred to a change in bank details. The supplier's domain and signature were probably actually used and not just "deceptively genuine". In good faith, the policyholder then changed the supplier's bank details in the system and transferred a large sum to the new account. The fraud only came to light when the actual supplier sent a reminder for outstanding invoices. It turned out that the account used did not belong to the supplier at all. Rather, hackers had probably compromised the supplier's email inbox and acted in its name.
The legal dispute centred on the question of whether the plaintiff's cyber insurance was liable for the damage incurred. The insurance conditions stipulated that the insured event only occurred if there was an "information security breach" in the company's own network. This was defined in the terms and conditions as a "network security breach" and required direct impairment of the availability, integrity and confidentiality of the policyholder's IT systems.
The Hagen Regional Court denied the insurance claim. In the eyes of the court, it was solely an act of deception in which neither the plaintiff's IT systems were directly attacked nor its data manipulated. The policyholder was still able to receive and send its emails despite everything; there was therefore no disruption to its infrastructure. In the court's view, this was not an insured cyberattack on the plaintiff's system, but rather an indirect consequence of an attack on a third-party system (the supplier's email account).
Another reason for the rejection of the insurance cover: According to the court, companies would unreasonably extend their insurance cover if every type of fraudulent email communication were to be categorised as a cyber attack on their own system. Criminal emails, phishing attempts and spam are sent millions of times today. If every form of "falling for" such emails were automatically insured, the insurance risk would extend to all email-related fraud attempts.
In the opinion of the court, the clause in the standard policy conditions (AVB) that limits the insurance cover to breaches of the company's own network is also not invalid within the meaning of Section 307 BGB (control of standard policy conditions). Rather, it is a service description for the core area of cyber insurance. Such clauses are subject only to a transparency check, which the clause satisfied in this case. An average policyholder would certainly understand that only attacks on their own IT landscape, and not attacks on a third-party system, are covered by the insurance.
The decision is significant as it addresses the issue of insured events in the context of cyber insurance for the first time and many providers operating in the German market use comparable definitions. However, there are also policies on the market that cover such cases, so it is still worthwhile for companies to analyse their cyber insurance conditions more closely.
A defence against the renewed claim by the invoicing party is usually more promising for companies than taking action against the insurer or the banks involved. If a company is confronted with such a "double claim", it should be carefully analysed whether the payment to the (objectively incorrect) account had a discharging effect on the debt, or whether the dolo agit objection can be raised against the invoicing party's request for payment (Higher Regional Court Karlsruhe, judgement dated 27 July 2023, 19 U 83/22).
The Hagen Regional Court case makes it clear that companies are taking a considerable risk if they rely solely on the protection provided by their cyber insurance and do not take any further precautions. This means that companies should establish preventative control mechanisms when changing account details and sensitise employees through continuous training.
However, if a dispute actually arises, no "double payments" should be made and legal advice should be sought at an early stage.