WHAT MOST COMPANIES DON’T KNOW
by Sara Skirvin, Hylant Executive Risk Practice
You’ve heard the terms before: phishing, baiting, website spoofing and email impersonation. These digital scams are skillfully constructed to deceive even the most sophisticated individual. They lull their unwitting prey into a false sense of security in pursuit of fraudulent gains.
Cyber criminals continue to target small, medium and large corporations with their sights set on a payday. They coax employees into releasing information, granting access to sensitive systems and even moving large sums of money.
The real problem lies with crime insurance policies that don’t cover this technology-based fraud. Underwriters contend that the victims “knowingly” surrendered the funds and that the companies should have implemented preventative measures to mitigate their risk.
It’s a growing problem that technical controls alone can’t eliminate, because the attack targets people rather than systems. Industry insiders call it social engineering or deception fraud. According to Verizon’s 2017 Data Breach Investigations Report, last year 36% of data breaches involved social engineering. Of those breaches, phishing was the social tactic used 93% of the time.
Standard Crime and Fidelity Insurance May Fall Short
The victims of these crimes often turn to their fidelity-bond or crime-insurance policies. Unfortunately, most insurance carriers don’t automatically cover losses from social engineering. There are exceptions, however: when one of the company’s own employees was directly involved in the scheme, when the attacker hacked the victim’s system, or when the criminal convinced the company’s bank to transfer the money.
Typically, if a fraudulent payment instruction enters a company through email and an employee then acts on it, there is no coverage. Traditional computer-fraud insurance pays only when a third party hacks a system, not when a company’s own employees are conned into releasing funds themselves. Many companies also carry “funds transfer” coverage, but again this may only pay for transfers initiated by a third party. In most social engineering cases, an employee “voluntarily” consented to the transfer.
Insurance carriers consider the voluntary transfer of money and securities an uninsurable business risk. The voluntary-parting exclusion is a key component of nearly every crime policy; it eliminates coverage when someone is misled into releasing money, securities or other property.
To address this gap in coverage, many carriers now offer endorsements (policy extensions) under names such as social engineering fraud, deception fraud and payment-instruction fraud.
This enhanced coverage addresses a range of losses arising from the impersonation of vendors, suppliers, employees, executives and clients. In many cases the limit of liability is 25 percent of the policy limit, with a maximum of $500,000. For larger companies seeking additional protection, higher limits are available, but with fewer insurers participating. Depending on the limit requested and the exposure, underwriters may require a supplemental application and additional risk-control measures, commonly verification of new or changed payment instructions through a call back to a known number rather than one supplied in the request.
Don’t Rely on Cyber Liability
Many companies that purchase cyber liability insurance believe or assume that all their social engineering and cyber fraud exposures are covered. This misreads the intent of that coverage form. Cyber liability insurance was introduced to the market to insure the legal ramifications of the theft or loss of data, not the theft of funds. However, some insurance carriers now offer cybercrime endorsements on their cyber liability policies, which may add to the confusion. These extensions are similar to the language used by crime and fidelity underwriters and provide first-party coverage for loss of funds resulting from social engineering fraud.
Both crime and cyber underwriters have introduced coverage solutions to address this sophisticated, technology-based fraud. It is important to understand that every policy and endorsement reads differently. Reviewing the specific language is crucial to avoiding coverage denials and ensuring a complete understanding of what is and is not covered.
We will likely continue to see these kinds of losses, and the industry will determine how best to respond. In the meantime, review your crime policy to see whether you have this coverage extension, remembering that a traditional policy may not provide it automatically.
If you have questions about how cyber fraud and social engineering could impact your company, contact a Hylant Executive Risk team member.