Is there a social engineering loophole in your cyber insurance?
Published 05 October 2017
There’s a new kind of criminal operating in the black economy: a technically skilled fraudster who uses hacking, coding and impersonation to dupe businesses into paying fraudulent invoices. And because the payment is made willingly by an employee, the loss may be excluded from insurance cover.
Typically the victim receives an email that appears to come from a person of authority within their own business, directing them to pay an invoice that may appear to be from a known trading partner. The amounts involved are typically in the $25,000 to $50,000 range.
The problem with insurance cover for social engineering cyber crime is that definitions around fraud losses have traditionally been based on a deliberate act of theft from an organisation by a third party, not the voluntary action of an employee who has been tricked.
Look for the loophole
By modern definitions, ‘voluntary’ payments can be induced by fraudulent use of technology, systems hacking or ‘phishing’ for business information, but many crime policies stress that these conditions don’t meet the standard of ‘direct’ fraud.
Without modification, cyber insurance policies are also not designed to pay damages where social engineering results in an employee of the insured organisation voluntarily paying funds in response to a fraudulent email.
To get around this, most insurers will now provide, by underwritten endorsement, sub-limits for social engineering fraud, since there is no easy way to underwrite the value of funds that have been transferred away.
Note: Some crime and cyber policies provide cover only if the insured organisation has in place an independent process for verifying funds transfer instructions before payment is made.
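The fraudulent email described above has recognisable traits (an executive’s display name on an outside address, a lookalike domain, a Reply-To pointing somewhere else, payment language), and the independent verification process some policies require needs a trigger. The following screen is an added example, not code from the original article or from Gallagher: it assumes the insured organisation’s real mail domain is example.com and that the executives listed in EXECUTIVES are the people a fraudster would impersonate. Both sample messages are constructed for illustration.

```python
"""Heuristic screen for business e-mail compromise (BEC) payment requests.

Added example; not from the original article. Assumptions: the company's
mail domain is example.com, EXECUTIVES lists the internal authority figures
likely to be impersonated, and the two sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumption: the insured's real mail domain
EXECUTIVES = {"jane doe"}                 # assumption: display names of internal executives
PAYMENT_WORDS = ("invoice", "wire", "transfer", "payment", "bank details", "urgent")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message (single part)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(reply_addr)
    payload = msg.get_payload(decode=True)
    text = payload.decode("utf-8", "replace").lower() if payload else ""

    found = []
    # 1. Display name of an internal executive, but the address is not ours.
    if from_name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        found.append("executive-name-external-address")
    # 2. A domain one or two characters away from ours in From or Reply-To.
    for dom in {from_dom, reply_dom} - {"", COMPANY_DOMAIN}:
        if _edit_distance(dom, COMPANY_DOMAIN) <= 2:
            found.append(f"lookalike-domain:{dom}")
    # 3. Replies silently redirected to a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-domain-mismatch")
    # 4. Payment or urgency language in the body.
    if any(w in text for w in PAYMENT_WORDS):
        found.append("payment-request-language")
    return found


def needs_independent_verification(raw: str) -> bool:
    """Hold the request for out-of-band confirmation when two or more indicators fire."""
    return len(bec_indicators(raw)) >= 2


# Constructed sample: classic CEO-fraud message with a lookalike domain.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.ceo@mailer-relay.net>
To: accounts@example.com
Subject: Urgent supplier invoice

Please process the attached invoice today by wire transfer; I am in meetings.
"""

# Constructed sample: legitimate internal message.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

Can we move the team lunch to Friday?
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("ok", SAMPLE_OK)):
        print(label, bec_indicators(sample), needs_independent_verification(sample))
```

The screen is deliberately conservative: a single indicator (a supplier legitimately using a different Reply-To, say) does not block anything, but two or more route the request to the callback or second-approver step the policy wording expects, using a phone number already on file rather than one quoted in the email.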
Other cyber fraud crimes you may need to be insured against
Telecommunications fraud refers to a third party obtaining access to an organisation’s phone system and making unauthorised use of it. As with social engineering losses, this type of crime is perpetrated by using technology to gain access to systems, combined with a failure of network security.
Note: Insurance cover for this type of financial loss is not usually available under crime policies.
Funds transfer fraud, where a third party issues fraudulent instructions to a financial institution to pay money out of the insured party’s account without their knowledge, is covered by typical crime policies.
Electronic theft of money or securities from corporate credit cards or bank accounts is also usually covered by the computer fraud clause of a crime insurance policy.
While cyber insurance addresses the threat of intrusion into an organisation’s computer and information systems, policies may need to be adapted to cover scams enabled by social engineering, impersonation and phishing.
Cyber crime insurance shopping guide:
Seek advice to determine which policy is best for each exposure.
Match the coverage restrictions with policy requirements on internal controls.
Manage ‘other insurance’ clauses to ensure the desired policy addresses the loss and pays first.
How we can help: Gallagher’s team of cyber crime experts can identify your business’s risk exposures and tailor an insurance solution that covers you appropriately.