An Axis Capital Holdings Ltd. unit was not obligated to reimburse a silicon manufacturer for the wire transfer theft of more than $1 million under its coverage’s computer transfer fraud provision because company officials had approved the transfer, said a federal appeals court, in affirming a lower court ruling.

In October 2017, the chief financial officer of Burnside, Mississippi-based Mississippi Silicon Holdings LLC received an email from a regular vendor advising that future payments should be routed to a new bank account, according to Thursday’s ruling by the 5th U.S. Circuit Court of Appeals in New Orleans in Mississippi Silicon Holdings LLC v. Axis Insurance Co.

A letter relaying the same instructions, written on the vendor’s letterhead and signed by a vendor executive, was attached to the email, the ruling said. The email’s body also contained previous emails between the MSH’s chief financial officer and vendor personnel concerning invoices and shipment detail.

The official then authorized two wire transfers to the vendor’s new bank account, totaling about $1.025 million, the ruling said. The payments were made in accordance with the company’s three-step verification process for large transfers: the chief financial officer initiated the transfer; another company employee confirmed it on the bank’s website; and the company’s chief operating officer orally authorized the transfer on a phone call with a bank representative.

The company realized it was a cyber fraud victim two months later, when the vendor called to discuss outstanding payments – which MSH thought it had already made, the ruling said.

MSH then filed a claim for $1,025,881.13 under provisions of its commercial crime insurance policy with Axis Holdings unit Axis Insurance Co.

Axis sent MSH a check for $100,000, the limit for its policy’s social engineering fraud provision, but refused to pay for the claim under its policy’s computer transfer fraud provision, which has a $1 million limit.

MSH filed suit against Axis in U.S. District Court in Amory, Mississippi, which ruled in the insurer’s favor. It was affirmed by a unanimous three-judge appeals court panel.

“This dispute boils down to a disagreement over the interpretation of the policy’s Computer Transfer Fraud provision,” the ruling said.

“The policy means what it says: Coverage under the Computer Transfer Fraud provision is available only when a computer-based fraud scheme causes a transfer of funds without the Insured’s knowledge or consent.

“Here, three MSH employees affirmatively authorized the transfer; it therefore cannot be said that the fraud caused a transfer without the company’s knowledge,” it said.

The agreement “plainly limits coverage to instances in which the transfer is made without knowledge or consent,” it said, in affirming the lower court’s ruling.

Attorneys in the case did not respond to requests for comment.

In December, a divided appeals court affirmed a lower court ruling and held a Liberty Mutual Insurance Group unit must indemnify a company scammed out of more than $1.7 million in a phishing incident under its commercial crime insurance policy.