News & Insights

Is there a social engineering loophole in your cyber insurance?

Published 05 October 2017

There’s a new kind of criminal operating in the black economy: a smartypants nerd with killer hacking and coding skills who can dupe businesses into paying fraudulent accounts. And because this is done willingly it may be excluded from insurance cover.

 

Cyber criminals manipulate business people into voluntarily depositing company funds to pay invoices under instructions that purport to come from their senior manager, through exploiting human factors such as curiosity or diligence, rather than technical weaknesses. This technique uses what has been dubbed social engineering to perpetuate a business email compromise, or BEC, and according to a 2017 Forbes report it accounts for two-thirds of all hackings.

Typically the victim receives an email that looks as though it comes from a person of authority within their business, directing them to pay an invoice which may appear to be from a known trading partner, with the figures involved typically between the $25,000 to $50,000 range.

The problem with insurance cover for social engineering cyber crime is that definitions around fraud losses have traditionally been based on a deliberate act of theft from an organisation by a third party, not the voluntary action of an employee who has been tricked.

Look for the loophole

By modern definitions, ‘voluntary’ payments can be induced by fraudulent use of technology, systems hacking or ‘phishing’ for business information, but many crime policies stress that these conditions don’t meet the standard of ‘direct’ fraud.

Without modification cyber insurance policies also are not designed to pay damages in the case of social engineering resulting in an employee of the insured organisation voluntarily paying funds in response to a fraudulent email.

To get around this most insurers will now provide by underwritten endorsement sub limits for social engineered fraud, bearing in mind there is no easy way to underwrite the value of transferred away funds.

Note: Some crime and cyber policies provide cover only if the insured organisation has in place an independent process for verifying funds transfer instructions before payment is made.

Other cyber fraud crimes you may need to be insured against

Telecommunications fraud refers to a third party obtaining access to an organisation’s phone system and making unauthorised use of it. As with social engineering losses, this type of crime is perpetuated by using technology to gain access to systems in combination with a failure of network security.

Note: Insurance cover for this type of financial loss is not usually available under crime policies.

Funds transfer fraud that occurs through fraudulent instructions by a third party to a financial institution to pay money from away from the insured party’s account without their knowledge is covered by typical crime policies.

 Electronic theft of money or securities from corporate credit cards or bank accounts are also usually covered by the computer fraud clause of a crime insurance policy.

In summary

While cyber insurance addresses the threat of intrusion into an organisation’s computer and information systems, policies may need to be adapted to cover scams enabled by social engineering, impersonation and phishing.

Cyber crime insurance shopping guide:

  • Seek advice to determine which policy is best for each exposure.
  • Match the coverage restrictions with policy requirements on internal controls.
  • Manage ‘other insurance’ clauses to ensure the desired policy addresses the loss and pays first.

How we can help: Gallagher’s team of cyber crime experts can identify your business’s risk exposures and tailor an insurance solution that covers you appropriately. 

 

Connect with an expertchevron-right

 

Further reading

Cyber insurance

Do I need cyber-liability insurance?


Top Underwriting Concerns for Cyber Insurance Renewals
Cyber | Webinar

Top Underwriting Concerns for Cyber Insurance Renewals

23 September 2021
DeepFake Technology: The Frightening Evolution of Social Engineering Schemes
Cyber | Webinar

DeepFake Technology: The Frightening Evolution of Social Engineering Schemes

23 September 2021
Global Cyber Market Update Mid-Year 2021
Cyber | Report

Global Cyber Market Update Mid-Year 2021

23 August 2021