Cyber security has been the talk of the town for quite a while now. Organizations today flooded with statistics and mentions of the importance of proper security measures and cyber liability programs. Some companies understand the risk, other do not. Yes, cyber security is extremely important, as is a well structured cyber insurance policy. But there is often a missing ingredient to that recipe that can be easily overlooked. Crime insurance – specifically important for those seeking social engineering insurance.
Social engineering attacks wear many masks. One such fraud known as funds transfer fraud (otherwise known as CEO Fraud and business email compromise), has gained significant attention over the past 2 years, and are only on course to grow. One look at the numbers speaks volumes about the direction these attacks are headed. In January of 2015, XOOM suffered a 30 Mill loss. Six months later, in August 2015, Ubiquiti suffered a 45 Mill loss. Then came the fraud against FACC for roughly 55 Mill, followed by Crelan Bank for almost 75 Mill. The record losses growing with each incident. In social engineering attacks, intruders will imposter a senior manager, executive, supplier or vendor, requesting funds to be transferred to a fraudulent account. Often these request/orders will mimic the tone and format of a normal request with the one caveat being the account for which funds are to be transferred. These frauds can be deployed a number of different ways, from phishing attacks to telephone impersonation. They are also extremely sophisticated. For example, fraudsters will often study their subjects and may wait until the CFO is away on vacation before using their email to request a transfer funds (thus reducing the possibility of verbal confirmation). It is important to note that, while larger companies may be the prime target, these frauds are also perpetrated against smaller and mid sized companies. As the larger companies begin to catch on and implement stronger internal controls and verification, it is only fair to assume that they will trickle down, with greater frequency, to smaller and mid sized companies.
With many companies purchasing cyber liability or data breach insurance today, it is understandable that these organizations would assume social engineering coverage is properly in place to respond to such a claim. After all, it is a cyber related crime for which coverage is intended. However, it may come as a shock to many, to discover that cyber insurance policies generally do not provide coverage for such fraud. When it comes to social engineering fraud and funds transfer fraud, many insurers have been a bit slow to adopt new language sufficient enough to provide coverage for such losses, and many carriers do not consider social engineering a cyber risk at all. Organizations actively seeking funds transfer fraud insurance may be surprised to learn that crime insurance (not cyber insurance) may be their most likely tool for risk mitigation. It should be noted though, that crime policies differ. Whether purchasing crime insurance as a stand alone policy or as part of a D&O insurance program, purchasing coverage as-is, will often provide little to no coverage against social engineering attacks. There are often separate endorsements that need to be added manually, and even these endorsements should be reviewed carefully! As we already mentioned above, coverage can differ greatly. When reviewing social engineering coverage, the following must be considered:
- Avoid policy clauses that require the organization to verify all transfer requests (prior to transfer) in order to trigger coverage - such a requirement can nullify coverage.
- Beware of any policies that maintain a definition requiring “direct fraud” or include a “Voluntary Parting Exclusion” – both of which significantly narrow (or nullify) coverage.
- Ensure that coverage is included for any social engineering attacks carried out over the phone, as well as email and computer.
- Ensure that definitions are not restrictive. Definitions should be broad and inclusive of: impersonation by vendors, executives, suppliers, clients, etc. It is also important to ensure there is no requirement for such parties to have their own crime/fidelity insurance in order for coverage to be triggered.
- Beware any hidden exclusions that may preclude coverage for phishing attacks.
- Many policies have sub-limits ranging from 100k and up. Ensure the organization is familiar and comfortable with the sublimit.
- Ensure that the policy’s boundaries are understood. For example, theft of IP and source code is almost always excluded - insurers only provide coverage for (theft of) tangible property, and IP is simply intangible. Companies primarily concerned with social engineering attacks targeting their IP will be better served by implementing strong internal controls due to the lack of availability of coverage in the insurance marketplace.
Lastly, it should also be noted that, while purchasing social engineering coverage may be wise, it should not serve as a substitute for strong internal controls which can prevent such fraud altogether. Having proper controls in place will also likely help keep associated premiums lower.