As social engineering attacks continue to proliferate, insurers are responding with coverages written specifically for this type of loss. These coverages often are available as endorsements to Cyber, Commercial Crime, or Fidelity policies. Endorsements may be titled “Social Engineering,” “Fraudulent Funds Transfer,” “Fraudulent Impersonation,” “Business Email Compromise,” or something conveying a similar meaning.
While the availability of this additional coverage generally is positive, insureds should not judge the adequacy of the coverage simply by the name of the endorsement. It is critical to examine the exact wording of the endorsement to determine whether it provides the most appropriate coverage for their business needs.
Limitations on the Type of Fraud
Some endorsements cover a loss of funds resulting from a fraudulently induced transfer, but only if the fraudulent instruction was purportedly transmitted by a corporate insider. For example, under one endorsement, the fraudulent instruction had to have been “transmitted by a purported director, officer, partner, member or sole proprietor of [the insured] or other employee, but which was in fact fraudulently transmitted by someone else with [the insured’s] or [the insured’s] employee’s knowledge.”
Coverage written this way, therefore, would not respond to the common situation in which the fraudulent instruction is sent to the insured by a fraudster impersonating a vendor, client, business partner, or other third party rather than an insider.
Imposition of Controls
Social engineering coverage under some policies will not be triggered unless the insured can demonstrate that it followed a series of delineated steps to verify the transfer request before the funds were transferred. Critics of this type of coverage question its value, noting that in most circumstances adherence to the prescribed requirements will expose the fraud before the funds are ever transferred, so the coverage pays only in the narrow case where the controls were followed and the fraud succeeded anyway. And an insurer may well dispute coverage when an employee negligently fails to follow the required protocol.
Coverage that does not condition payment on the insured having followed prescribed verification controls is also available. For example, one policy contains the following Funds Transfer Fraud coverage:
“We agree to reimburse you for loss first discovered by you during the period of the policy as a direct result of any third party committing:
Any phishing, vishing, or other social engineering attack against any employee or senior executive officer that results in the transfer of your funds to an unintended third party.”
How We Can Help
As with coverage for many emerging cyber risks, the devil is certainly in the details. We can help companies understand proposed policy provisions and work with their broker to negotiate for more appropriate coverage for the company’s cyber risk profile.
Originally published by Judy Selby on LinkedIn Pulse.