Cybercrime Insurance Coverage Caselaw: Welcome to Canada?

August 2017 Cybersecurity Bulletin

Although several high-profile cybercrime insurance cases have recently made headlines in the US, Canadian companies have been left wondering whether Canadian courts would follow the line of caselaw developing across the border. That wait is now over.

The first decision in Canada with respect to cybercrime insurance coverage was decided by the Alberta Court of Queen’s Bench on June 29, 2017. The case highlights the need for robust cyber coverage, coupled with internal training and cross checks with external parties. In The Brick Warehouse LP v Chubb Insurance Company of Canada[1] the Court held that the Brick’s insurance coverage for ‘funds transfer fraud’ under its crime coverage policy was not enough to protect the company from its losses of just over $200,000 due to social engineering fraud.


In August 2010, the Brick accounts payable department received a series of calls from an individual claiming to represent Toshiba, one of the Brick’s suppliers. The imposter asked for information clarifying the payment process, and an employee helpfully provided the requested information. These calls were followed up by an e-mail, from an account that appeared to come from Toshiba ([email protected]), and an additional call informing the Brick of a change to the account where payments should be directed. The employee proceeded by following the standard internal practice on changing account information, had the paperwork reviewed by another employee, and satisfied the imposter’s request. Ten invoices totalling $338,322.22 were then transferred into the “new” account.

This fraud may have gone on for several months if two things hadn’t happened: the fraudsters got greedy, and Toshiba wondered why it wasn’t being paid. On September 3, 2010 the Brick was contacted by someone claiming to represent Sealy Canada making the same request and asking to have the account information changed to match the same RBC account as Toshiba, with the explanation that Sealy and Toshiba were merging. Fortunately, before this transaction was completed, the Brick was contacted by a real representative of Toshiba inquiring why Toshiba hadn’t been paid for several recent invoices. This call finally set off alarm bells, which prompted the Brick to undertake an investigation that uncovered the fraud.

The fraud was immediately reported to police, and the Brick was able to recover a portion of the fraudulently transferred funds. The Brick then followed up with their insurer, Chubb Insurance, to make a claim for the remainder of the lost funds under its crime coverage policy (as it did not have a cybersecurity insurance policy in place). However, Chubb determined that the loss was not covered by the policy; specifically that it did not fall under the ‘fund transfer fraud’ coverage.


The Court determined that the losses suffered by the Brick as a result of social engineering fraud were not covered under the Chubb insurance policy. The decision hinged on the interpretation of the ‘fund transfer fraud’ clause and the words ‘knowledge’ and ‘consent’. The Court found that under the wording of the clause, unless the fraudsters initiated the transfer themselves, there was no coverage. Absent clear definitions of the words ‘knowledge’ and ‘consent’ in the policy, the plain meaning of the terms prevailed. Based on such plain meanings, it was held that the employee who initiated the transfer had sufficient knowledge and consent to render the clause inoperative. The Court followed the reasoning from many recent decisions out of the United States, that in order for ‘fund transfer fraud’ coverage to apply, the fraudster must use a computer to initiate the transfer themselves. This results in limited coverage for companies manipulated by skilled social engineering fraudsters.

This case, however, stands in stark contrast to the Medidata decision that was issued less than three weeks later by the New York District Court.[2] In that case, the plaintiff was dealing with a similar situation to the Brick, except that the fraudster posed as the president of the company, rather than a supplier. The fraudster had manipulated emails sent to the employee to make them appear with the president’s picture and contact information, which made them a convincing fake of an internal email. The company lost $4.8 million as a result of this fraud, and was denied coverage because the fraudster had used an employee to initiate the transfer. While the employee did knowingly carry out the transfer in this case, the Court found that the ‘funds transfer fraud’ insurance still applied. In the Court’s opinion, stealing through a trick is still stealing, and the fraudster being a step removed from the actual transfer was not sufficient to deny coverage. Given that cybercoverage caselaw is relatively new, it remains to be seen whether the reasoning in Medidata will eventually prevail.

The Brick case highlights the importance of ensuring that risks, such as those stemming from social engineering fraud, are mitigated to the extent possible through mandated employee training and strong internal policies which include cross-checks of other employees’ decision-making. For example, companies should perform cybersecurity health checks to ensure that they are aware of any existing loss or exposure of sensitive data and have identified and prioritized critical assets.[3] The Brick case also reminds us that even large companies are vulnerable to that one element we can mitigate but never fully control: human error. Given this, it is incumbent upon companies to ensure they have robust cyber insurance coverage which can respond to the various creative and always-evolving cyber threats that continue to plague our daily lives.

by Darcy Ammerman and Bob Bell, Student-at-Law

[1] The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413.
[2] Medidata Solutions Inc v Federal Ins Co, Case No 15-CV-907 (SDNY July 21, 2017).
[3] Cyber Security in Canada: Practical Solutions to a Growing Problem, by the Canadian Chamber of Commerce, April 2017.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2017
