AIG must cover client’s $5.9 million in cyber-related losses, judge rules

AIG had cited multiple clauses in its policy to argue against paying, though the court ruled the tactic did not count as "bad faith."

Insurance giant AIG must cover nearly $6 million in losses for a client that was fleeced by an email scam carried out by suspected Chinese hackers, a federal court has decided.

A judge in the Southern District of New York ruled Wednesday that AIG was in breach of contract when it previously denied a claim from SS&C Technologies, a $6 billion financial technology firm.

In 2016, hackers defrauded SS&C out of $5.9 million by sending spoofed emails that appeared to be from an SS&C client, Tillage Commodities, asking SS&C employees to transfer money. After SS&C carried out the transactions, Tillage took legal action, resulting in a settlement. While AIG covered SS&C’s court dispute with Tillage, SS&C also sought filed a claim seeking to have AIG cover the stolen $5.9 million.

AIG denied the claim. The insurance company had argued its policy included an exclusion stipulating that SS&C was not covered in the case of a loss of a client’s funds. However U.S. District Judge Rakoff determined that, because SS&C employees mistakenly thought they were sending the money at Tillage’s direction, AIG’s policy exclusion did not apply.


In his decision Wednesday, Rakoff wrote that AIG was “erroneously conflating SS&C’s administrative ability to operate Tillage’s account, which undisputedly existed, with SS&C’s authority and discretionary control over that account. Although SS&C had the ability to transfer Tillage’s funds and five SS&C individuals were authorized signatories for Tillage’s bank account for such purpose, SS&C could exercise such authority only with instructions[.]”

Those instructions are at the root of this case. Hackers, apparently based in Hong Kong, emailed SS&C personnel from email addresses that spelled “Tillage” as “Tilllage.” They also sent innocuous messages filled with grammatical errors and unusual syntax like “Let’s round up business today,” according to prior court filings.

Such attacks, known as business email compromise (BEC) scams, cost organizations an average of $301 million every month in 2018, the U.S. Department of Treasury previously determined.

Tillage, which was in the commodities trading business, has ceased operations since the incident.

Rakoff did dismiss an SS&C claim that AIG had violated its responsibility to act in good faith and fair dealing. AIG’s denial of coverage was not “so totally frivolous as to warrant the inference that it was made in bad faith.” Rakoff also said that, while AIG changed its legal position on which policy exclusions applied in this case a number of times, the tactic was closer to “a hard-nosed approach,” than bad faith.


AIG did not immediately respond to a request for comment.

This case is only the latest example of a cyber-related dispute between an insurer and client going to court. A federal judge in Maryland ruled last week that State Auto Property & Casualty Insurance must cover $310,000 in losses one of its clients suffered following a ransomware attack. A number of similar cases are still pending throughout the country.

The ruling is available in full below.

[documentcloud url=”” responsive=true]

Latest Podcasts