Medidata Solutions, Inc. — Social Engineering + Wire Transfer Loss (~US $4.8 m)
Background:
Medidata Solutions, a software platform company, experienced a sophisticated social engineering/phishing event in 2014. Someone impersonated senior management via spoofed emails and persuaded an accounts-payable employee to transfer nearly US $4.8 million. (Hassett & Donnelly, P.C., Hunton Andrews Kurth)
The company held a commercial crime/cyber policy (including computer fraud/funds transfer fraud clauses) issued by Federal Insurance Company (a subsidiary of Chubb).
Coverage Issue:
The insurer initially denied the claim on the grounds that (i) there was no “fraudulent entry” into Medidata’s computer system (emails were received in an open inbox) and (ii) the funds transfer was initiated “voluntarily” by a Medidata employee (even if misled). (Holland & Knight)
After litigation, a court found in favour of Medidata: it determined that the spoofed emails constituted a “computer violation” (i.e., unauthorized deceitful access) and that the fraudsters’ manipulation triggered the funds transfer—which qualified as “direct loss” under the policy’s computer-fraud clause. (Hunton Andrews Kurth)
Why the “Standard” Program Fell Short (or Nearly):
While there was a policy in place (crime/fraud), the insurer attempted to deny coverage based on narrow wording (authorized entry vs unauthorized, voluntary payment vs coerced).
The business was a tech/service model (software, accounts-payable processes), but the policy was not explicitly tailored for “social-engineering/funds-transfer fraud via spoofing” as distinct from classic hacking or direct theft.
Many startups might assume “cyber/crime” cover includes phishing/fake-wire transfers, but definitions and triggers vary significantly.
The details of how the attack occurred (spoofed email “From” field, manipulation of code, employee action) mattered greatly in the legal outcome.
What a Custom Program Would Have Improved:
A tailored “Funds Transfer Fraud / Social Engineering Fraud” endorsement or coverage that explicitly lists phishing, spoofing, impersonation, and fake invoice/wire instructions as covered risk events.
Ensuring the cyber/crime policy wording aligns with the startup’s operational model (for example, that employee-initiated wire transfers triggered by fake instructions are specifically covered).
Clear monitoring and internal control practices aligned with the policy, so that in underwriting the insurer understands the risk exposure and the mitigation efforts (e.g., wire-transfer protocols, two-person sign-offs).
Coordination between cyber/crime coverage and broader E&O/Tech coverage so that if the phishing event also triggered software/data issues, the coverage stack is aligned.
Key Take-away for Tech/Startup Founders:
Even when you have a crime or cyber policy in place, the specific wording and trigger definitions (e.g., what counts as “fraudulent entry”, what qualifies as “funds transfer fraud”) can determine coverage. If your business model involves frequent wire transfers, vendor pay-outs, or large customer funds flows, you want that risk explicitly addressed, not assumed.
NOTE: This case study is for informational purposes only. Execurisk was in no way involved in the brokering or advising of insurance in the case described above.