Making Sense Of Computer Crime and Social Engineering Insurance
When reviewing a cyber policy, nothing creates more confusion than the computer crime insuring agreements. Business email compromise is often insured under a social engineering insuring clause, except when it’s referred to as e-theft or fraudulent instruction, which sounds a lot like funds transfer fraud, which is (sometimes) an entirely different insuring agreement. That’s also not to be confused with computer fraud, which is different again. Dizzy yet? Below we’ll break down the basic insuring agreements in a way that’s easy to digest, along with some policy terms to review, but generally speaking it all comes down to two questions: how was the fraud perpetrated, and who was tricked into processing the payment?
Insuring Agreements
Computer Fraud: Coverage in the event that a malicious actor gains access to your computer systems and directly steals money or securities. In contrast with some of the other coverages, which can vary by name, this coverage is almost always referred to as “computer fraud” coverage. When performing a cyber coverage assessment, policyholders should first ensure such coverage is actually being provided. Some policies will provide funds transfer fraud and social engineering coverage while entirely omitting coverage for computer fraud. When coverage is being provided, insureds should carefully review the definition of “computer systems”, ensuring that it is inclusive of external computer systems operated by third parties such as cloud providers and data storage providers.
Funds Transfer Fraud: Coverage in the event that a malicious actor tricks your bank into arranging a wire to a malicious account. Carriers almost universally refer to this coverage as “funds transfer fraud”, or in some cases may include it within their social engineering insuring agreement.
Social Engineering Fraud: Coverage in the event that a malicious actor tricks you into arranging a wire to a malicious account. Depending on the carrier, this insuring agreement may also be referred to as e-theft or fraudulent instruction coverage, or be included in the funds transfer fraud agreement. Policy terms can also differ greatly from one carrier to another. Some policy forms limit coverage only to claims where the policyholder has been tricked into transferring "money or securities", whereas broader forms will include coverage for claims where the policyholder is tricked into transferring actual "property" (such as goods and inventory). Carriers can also specify how the fraud must be conducted. Narrower policy forms may specify that the fraudulent request must be made solely in an electronic form (such as an email), whereas broader policies will include fax or telephone requests. Most insureds don’t think of such frauds as being perpetrated by phone; however, while rarer, they absolutely do happen, and when they do, they are often more sophisticated and damaging in nature. Some insurers also include a coverage requirement that all wire transfers be verified before they are arranged. Any such requirements should be aggressively avoided. If the organization verified every outgoing wire transfer, there would arguably be little need for the insurance. Lastly, some policies may also limit coverage to specific impersonation types. For example, the policy may define social engineering as impersonation of a “client, customer, or vendor”; such narrow definitions could omit coverage should the malicious actor be impersonating an employee or another business partner.
Invoice Manipulation: Also referred to as reverse social engineering, this insuring agreement provides coverage in the event that a malicious actor tricks your customers or vendors into arranging a wire to a malicious account. It’s important to highlight that this is a first-party insuring agreement, reimbursing the insured organization for its own financial loss as a result of an inability to collect on that invoice.
Important Terms, Conditions, and Considerations
“Money, Funds and Securities”: Defining money and securities may seem straightforward enough; however, many policies contain slight yet important differences. Cryptocurrencies are one such example. While some carriers may include coverage for frauds involving bitcoin and other cryptocurrencies, others clearly exclude such digital assets. It’s also important to consider whether the policy will cover any loss to funds that may not be yours, but for which you may be responsible. This is a particularly important consideration for financial institutions and Fintech companies. For such operations, it’s critical that any cyber policy obtained explicitly covers money in your care, custody or control and/or money that you’re legally or contractually responsible for. Any E&O policy would also need to be reviewed, in order to ensure there are no problematic “funds transfer” exclusions that may otherwise preclude coverage in the event that the loss is attributed to a tech failure.
Sub-limits: When cyber policies do include “computer crime” insuring agreements, they almost always do so with a reduced policy sub-limit. As is the case with all coverage limits, policyholders should carefully review that limit for adequacy. If you’re an organization that’s regularly wiring large sums, a policy with a sub-limit of 100k or 250k may not be sufficient. It’s also important to remember that these sub-limits are often an aggregate limit, meaning that should any one large loss exhaust that limit, nothing would remain for any subsequent frauds incurred during the same policy period.
Crime policies: A few years ago, the general advice to companies seeking computer crime insurance was to secure that coverage under a broad crime policy as opposed to a cyber policy. Cyber policies, however, have come a long way, and most of these losses are well covered by today’s cyber insurance policies. That said, policyholders should perform a careful review of their insurance program to ensure they understand the structure of their coverage. If their cyber policy doesn’t contain a computer fraud insuring agreement, is one contained in their crime policy? Is the organization paying a double premium for social engineering endorsements on its crime policy that might already be covered under its cyber policy? When organizations are unable to secure adequate social engineering policy limits under a cyber policy, might they have more success securing such coverage under a crime policy? These are all questions that should be considered, as there is still a lot of interplay between the two. For those interested, we previously published a guide to assessing a crime policy's social engineering endorsement.
Regulatory Investigation Coverage: Certain companies operate in highly regulated environments. Broker-dealers, financial institutions and public companies are all subject to increased scrutiny, heightened oversight and strict disclosure requirements. Should these companies sustain any computer crime attacks, it could subsequently trigger costly regulatory investigations. For that reason, any organization operating under increased regulatory scrutiny should also carefully assess the policy terms pertaining to regulatory coverage, as we previously addressed here.