Social engineering is a non-technical attack strategy that relies on tricking people into breaking standard security practices, manipulating victims into performing actions or disclosing confidential information. Social engineering fraud (SEF) has become increasingly common over the last several years, with the large majority of it carried out over email.
Coverage for social engineering fraud can fall under two different policies: your crime policy and your cyber liability policy. It is especially important to understand each policy, how it might cover SEF, why it might not, and which endorsements you might want to obtain so that SEF does not leave your company exposed.
Cyber Policy vs. Crime Policy
It may seem counterintuitive, but SEF is not always covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover it:
· Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
· Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company could claim a loss under its crime policy rather than its cyber policy.
Areas of Risk
· Computer fraud refers to losses stemming from the theft of money through a “computer violation”—that is, the unauthorized entry into, or deletion of data from, a computer system by a third party. This could include harvesting data via spyware or other malware, or sending computer viruses with the intent to destroy or disable another party’s computer or system.
· Funds transfer fraud refers to losses stemming from fraudulent instructions to transfer funds, made without the insured’s knowledge or consent. This could take the form of a third party obtaining login credentials to protected accounts, or logging into a website or portal and instructing the bank to move money out of the insured’s account into an account the third party controls.
Potential Vulnerabilities
Depending upon the specific language and definitions laid out in the cyber, crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:
· There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Clicking on a shortened or misleading link that directs the user to a suspicious website hosting a phishing landing page is one such example. Because the system functioned as it was supposed to, and the criminal gained access through human failure, an insurer might try to deny the claim.
· The insured knew about and consented to the transfer. Again, the specific language of the policy is crucial, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the attacker’s account. Again, in SEF, the systems in place to transfer funds worked as intended; it was a human failure that resulted in the loss.
· The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.
Social Engineering Fraud Endorsements
Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insuring agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.
The endorsement may be subject to a sublimit, and some exposures may remain outside it. Such endorsements are also only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow.