The number of cyberattacks is rising alarmingly and the volumes of damages are steadily increasing. In Switzerland, approximately 60% of companies had to respond to cyberattacks in 2022. Cyber fraud, including CEO Fraud, is one of the most common crimes and a significant threat, especially for SMEs. Even individuals have fallen victim to CEO Fraud in the past, resulting in substantial damages. The National Center for Cybersecurity (NCSC) provides recommendations on its website to reduce the risk of successful CEO Fraud.
In CEO Fraud, perpetrators, using a previously hacked email address of a company or an individual, contact a financial institution or financial service provider, stating that an (urgent) payment should be initiated to an account controlled by the fraudster. The perpetrators impersonate the CEO of the account-holding company or the individual to whom the account is legally assigned. Often, absolute discretion and speed in execution are emphasized, warning of various consequences if not followed. Once the payment is received in the fraudster’s account, the fraudster gains access to the money, achieving their goal. After the occurrence of damage, the search for the perpetrator relies on seeking state assistance. However, the clearance rate is exceedingly low. What remains are victims with unanswered questions regarding financial compensation from the contracted financial service provider and financial service providers questioning their own liability risks. Lastly, executive bodies of involved companies must consider personal liability. With the increasing prevalence of AI applications, the number of CEO Fraud cases is expected to rise significantly, making these crimes more challenging to detect.
To illustrate a typical CEO Fraud case, one can refer to a scenario legally assessed by the Federal Court: In 2014, a private customer opened an account with a financial service provider and deposited approximately one-third of their total wealth in cash. The parties entered into an execution-only relationship (no advisory or management mandate). Communication, such as payment approval, was to be done via email without written confirmation. By acknowledging a risk transfer clause, the customer declared that they relieved the financial service provider of any damages resulting from lack of legitimacy or from orders transmitted via email, provided the financial service provider was not grossly negligent. In 2015, hackers took over the customer’s email address and sent emails to the financial service provider, authorizing two payments totaling EUR 34,000 and GBP 357,000 to their advantage from the customer’s account. In the legal dispute, the Federal Court had to decide fundamentally who is liable for (mutually) non-negligent cyber risks in the scenario where “execution only” and a risk transfer clause were agreed upon.
Decision of the Federal Court
In the presented scenario, the Federal Court determined that liability for transaction execution without the actual legitimacy of the account holder occurs through a three-stage examination. The following questions are posed:
- Did a customer order occur without legitimacy?
- Was the financial service provider released from the liability risk through a risk transfer clause?
- If no risk transfer clause was agreed upon – is there contributory negligence and the customer’s duty to mitigate damages?
A customer order without corresponding legitimacy occurred – the emails did not originate from the customer but from cybercriminals. According to established case law, the validity of the agreed risk transfer clause was to be examined based on the liability-modifying provisions of the Swiss Code of Obligations, namely Art. 100, 101 para. 3 OR (applied analogously here since the clause does not concern contractual non-performance under Art. 97 OR ff). Since the agreed risk transfer clause held up, the second step of the examination was to determine whether the financial service provider acted grossly negligently or intentionally. The Federal Court did not find gross negligence, defined as the disregard of elementary precautions that any reasonable person would have followed under the same circumstances, in this case. In particular, the financial service provider was entitled to assume that emails from the customer’s email address originated from the customer himself. Avoiding misuse is thus in the customer’s realm. Even upon closer examination of the individual case, the Federal Court found no different assessment. When assessing potentially different degrees of negligence in the specific case, the Federal Court considered the following aspects:
- Circumstances of the business relationship, such as:
- the length of the business relationship (short duration speaks against misconduct)
- only partial wealth transfer
- the customer’s IT expertise played no role
- The use of previously authorized email addresses. If a different address is used, there is no only slight negligence on the part of the financial service provider.
- The language used showed no peculiarities regarding style, orthography, and formulations in comparison to the language used by the customer.
- Transaction content: The court considered the specified payment reason as well as the location and financial institution of the beneficiary. If no “exotic” recipients or countries or unknown financial institutions are specified, the financial service provider does not act grossly negligently.
- Transaction volume: The intended transaction volume was proportionate compared to the total wealth known to the financial service provider, and the payment purpose was plausible.
- Transaction frequency: Regarding the transaction frequency (in this case, five transactions within a month), the Federal Court found no abnormalities justifying stricter liability for the financial service provider.
The Federal Court makes it clear that financial service providers are not currently liable for cyber damages resulting from the customer’s realm when a risk transfer is agreed upon, as long as there are no clear signals that should have prompted the financial service provider to exercise increased diligence. If a victim of CEO Fraud, working together with the financial service provider to explore all factual avenues to recover lost funds is the first step. If this fails, a detailed legal analysis of contract relationships and all circumstances leading to the unauthorized transaction is unavoidable. Conversely, financial service providers wrongly held accountable for CEO Fraud payments must conscientiously deal with the facts and their own policy. Compliance officers of financial service providers should incorporate the above considerations into their compliance guidelines. On the customer side, the following “red flags” should arise if CEO Fraud is suspected:
- Unknown individuals unexpectedly legitimizing themselves as representatives of executives authorized to instruct payments (e.g., lawyer of the CEO)
- Emails from executives for payment instructions not originating from the business email address
- Incorrect grammar in the order
- Allegedly high urgency
- Threats of liability or employment consequences, including dismissal
- Unusualities in the amount and number of transactions
- Supposedly, a new project requires an immediate and larger investment, but there is neither a history nor prior notice.
It remains to be seen whether and when the multitude of CEO Frauds, which are now significantly more challenging to detect and can be set up much faster with AI applications, will appear in legal disputes and how the judiciary will react to these new technological developments.