“Arising out of” or “directly caused by”: That is the question
By Paul Broussard
In today’s cyber risk landscape, invoice manipulation has emerged as a common exposure that sits at the intersection of cybersecurity, social engineering, and third-party liability. As brokers, risk managers, and policyholders alike strive to understand what is and isn’t covered in a standard cyber policy, one of the murkier areas involves invoice manipulation losses resulting from a breach.
Most industry professionals understand that if an insured falls victim to a phishing attack or social engineering scheme and voluntarily transfers their own funds, this type of loss is typically excluded under standard cyber liability policies. Why? Because nearly all base cyber forms include some version of a “loss of funds” exclusion such as:
“The value of electronic funds, money, securities or wire transfer.”
Without a social engineering or phishing endorsement, there’s generally no coverage for these first-party losses—even if the fraudulent transfer occurred after a legitimate breach.
But the story doesn’t end there. A more nuanced scenario arises when the insured is breached, and a third party (such as a customer or vendor) ends up transferring funds to a cybercriminal posing as the insured. This scheme—commonly referred to as invoice manipulation—raises a pivotal question:
If the insured was breached, and a third party suffered a financial loss as a result, could the third party sue the insured, and would that claim trigger coverage under the privacy and network security liability section of the cyber policy?
First-party vs. third-party loss
This is where policy wording becomes critical. First-party coverage under a cyber policy typically protects the insured for their own losses (such as data restoration or business interruption). In contrast, third-party coverage—particularly under the Network Security and Privacy Liability insuring agreement—responds to claims made by others who suffer harm due to the insured’s failure to adequately secure systems or data.
A typical insuring clause might read:
“Damages and Defense Expenses which the Insured is legally obligated to pay as a result of a Claim arising from a Security Breach or Privacy Breach.”
Crucially, the use of “arising from” or “arising out of” rather than the more restrictive “directly caused by” creates a broader causal connection between the breach and the loss.
This distinction can make all the difference. Courts and insurers generally interpret “arising out of” language to include claims that are substantially connected to the breach, even if an intervening cause (like a third-party voluntarily transferring funds) is present.
Invoice manipulation: A gray area that could be covered
Consider this scenario: An insured’s email system is compromised. A cybercriminal gains access and sends a fraudulent invoice to a customer, who unknowingly pays the fraudster. Later, when the insured follows up for the real payment, the client says, “We already paid.” The fraud is uncovered, the breach confirmed, and the client—now out funds—blames the insured for their lax cybersecurity.
Even though the insured didn’t suffer a direct financial loss, they now face potential legal liability due to their failure to secure their network. If the client sues, that lawsuit arguably “arises out of a security breach” and may trigger third-party coverage—even without a specific invoice manipulation endorsement.
Of course, if the “value of funds” exclusion is drafted broadly enough to apply to both first-party and third-party insuring agreements, the argument for coverage becomes significantly more difficult—particularly when the third-party claim explicitly ties its damages to the loss of money sent via wire transfer in response to a fraudulent invoice. In such cases, the complaint may clearly allege that the harm stems from the financial transaction itself, rather than from a broader failure to secure systems.
Alternatively, the insurer may require the claimant to break down the damages with specificity, narrowing the focus to the excluded monetary loss and away from any potentially covered negligence-based allegations.
But what about the definition of “Damages”? Many cyber policies define “damages” in ways that exclude:
“Loss of the Insured’s fees or profits, return or offset of the Insured’s fees or charges (invoiced or not).”
This means the insured can’t recover amounts they expected to be paid (such as unpaid invoices). But if a third party sues to recover funds they lost due to a fraudulent transfer stemming from the insured’s breach, that’s an entirely different exposure—and potentially covered under the liability portion of the policy.
The intent behind most policies
It’s important to recognize that most cyber policies are intentionally structured not to pay out invoice manipulation claims under the third-party insuring agreement. This is reflected in the clear wording of insuring agreements, definitions, and exclusions, which are often drafted to ensure that coverage for these types of losses resides—if at all—within specifically endorsed social engineering or funds transfer sections. In other words, most policies aim to prevent invoice manipulation claims from slipping into third-party coverage without explicit underwriting intent.
However, some policies on the market may not be airtight. In certain cases, ambiguities in how “damages” is defined or in the scope of what counts as a “security breach,” combined with the broader “arising out of” language in the liability insuring agreements, can leave room to argue for coverage. Where a third party brings a claim because the insured’s systems were breached, a case can be made, even in the absence of a dedicated endorsement.
And, yes, we’ve seen this argument work.
In one real-world example, despite the absence of a social engineering or invoice manipulation endorsement, we successfully argued for coverage. The key was the third party’s claim, which alleged negligence following a confirmed email compromise. The claim clearly “arose out of” the breach, and the carrier ultimately agreed to resolve the matter—without requiring litigation, preserving the relationship between the insured and their client.
Final thoughts
Invoice manipulation remains a coverage gray area in many cyber policies—but not without opportunity. When the insured suffers a direct loss of funds and no social engineering coverage is in place, that loss is likely excluded.
But if a third party suffers the loss due to the insured’s breach and seeks damages, there is a compelling argument for coverage under the Network Security and Privacy Liability insuring agreement—particularly when “arising out of” language is used.
Insureds and brokers should:
- Review insuring agreements and definitions of “Damages” carefully
- Push for affirmative coverage via social engineering and invoice manipulation endorsements
- Advocate when claims arise—don’t assume the lack of a sub-limit means there’s no path to coverage
In a rapidly evolving cyber risk landscape, coverage advocacy is not optional—it’s essential.
The author
Paul Broussard is a risk advisor at Cavignac in San Diego, California. In addition to strategically structuring and placing insurance programs, he is also actively involved in reviewing client contracts to provide a technical insurance perspective so his clients can make informed business decisions. Paul carries the following professional designations: Certified Insurance Counselor, Certified Risk Manager, Management Liability Specialist, Small Business Coverage Specialist, Professional Workers Compensation Advisor, and Cyber Risk Manager.