AIG says spoofing-related suit isn’t covered, wants lawsuit tossed

It's the latest dispute between an insurer and client over whether a plan can cover losses incurred by online fraud.
AIG cyber insurance lawsuit

Insurance giant AIG argued to a New York federal court on Monday that it is not responsible to cover nearly $6 million in losses incurred by a client that was victimized by suspected Chinese hackers.

The company asked a court in the Southern District of New York to dismiss a lawsuit filed in August by SS&C Technologies, a $6 billion financial technology company, which alleged that AIG violated its contract by failing to cover losses from fraud. Hackers fleeced SS&C out of $5.9 million in 2016 by emailing company employees from spoofed email addresses, and requesting monetary transfers. AIG says its policy stipulates that the insurer will not cover losses stemming from criminal activity.

“SS&C admits that it has filed suit seeking indemnity coverage for its settlement of a breach of contract claim concerning criminals using ‘spoof emails’ to trick SS&C into improperly using its authority over its client’s bank account to send $5.9 million of its client’s funds to bank accounts controlled by criminals in Hong Kong,” AIG said in court documents filed Monday.

“According to SS&C the funds were ‘stolen.’ However, with no apparent basis in law or fact, SS&C is now asking this Court to award insurance coverage that it did not purchase.”


SS&C personnel were accused in 2016 of wiring funds belonging to Tillage Commodities Fund, a commodities investment firm. In its own suit against SS&C, Tillage alleged that SS&C employees failed to “exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats.” One email, which requested a $3 million wire transfer, said simply “How was your weekend? Let’s round up business today,” according to the suit.

Scammers also masqueraded as Tillage employees with email addresses that spelled “Tillage” as “Tilllage,” the prior suit stated, per CSO Online. They also used “awkward syntax and grammatical errors.” SS&C’s policy requiring four people to authorize a transfer request should have prevented the fraud, the suit stated.

AIG now argues that, while it covered the cost of SS&C’s two-year legal dispute with Tillage, it is not responsible for the stolen $5.9 million.

Tillage has since suspended business operations as a result of that incident, CNBC reported.

The case is the latest dispute between an insurance provider and client following a cybersecurity incident, which often defies simple legal definitions. The most notable example is an ongoing lawsuit between Mondelez International and Zurich Insurance, which has refused to cover Mondelez’s losses from the NotPetya ransomware attack after the insurer defined the incident as an act of war.


SS&C did not immediately respond to a request for comment.

AIG’s full memo filed in support of the motion to dismiss is available below.

[documentcloud url=”” responsive=true]


Correction: The headline on this article has been updated to reflect the nature of the litigation.

Latest Podcasts