Social engineering coverage within cyber forms is usually written with a number of restrictions:
We have experienced a significant increase in the number of fraudulent funds transfer claims resulting from social engineering. In a typical case, a bad actor infiltrates the email system of a design firm (this is usually due to a failure in endpoint protection systems). The bad actor monitors the progress of a project until a pay request is due, and then he submits a pay request that spoofs the email address of one of the project participants and requests payment to an offshore bank routing number. The fraudulent request looks official because it will reference project participants and the project number. This scheme has resulted in misdirected payments due to contractors and consultants. The amounts stolen have ranged from tens of thousands to over half a million dollars.
There are two types of insurance that potentially provide coverage for social engineering claims: a commercial crime policy or a cyber liability policy.
A commercial crime policy can be written to provide fund transfer fraud coverage (when a hacker breaches a financial institution and transfers funds from one financial institution to another), computer fraud coverage (when a hacker accesses a person’s account and uses their username and password to transfer funds out of their account) or social engineering coverage (where a victim is tricked into voluntarily transferring funds by means of fraudulent instructions). It is important to understand that social engineering coverage involves a voluntary transfer of funds, usually prompted by an email instruction. In contrast, computer fraud coverage applies to involuntary transfers of funds, usually accomplished by means of an unauthorized intrusion into a computer system.
Cyber liability policies will frequently offer social engineering coverage as an optional insuring agreement, but the social engineering component is typically subject to a sublimit such as $100,000 or less. The rationale is that if a significant exposure exists, it needs to be specifically underwritten in a commercial crime policy. Higher limits, such as $1 million or more, are available under a commercial crime policy.
Cyber liability policies require that insureds make “reasonable efforts” to verify payment instructions before social engineering coverage will apply. This means that the insured must use “out of band” authentication or a “two-factor” authentication system (verify payment instructions in a different mode of communication from the original instruction or require a username/password and an entry code that is periodically texted to the user of the email system) to verify payment applications. We recently saw a claim denied when the insured responded directly to the email from the hacker and was told in a reply email (fraudulently) that the client had opened a new bank account, and that was the reason for the change in routing numbers.
Based on the current threat environment, we recommend that all pay application approvals be subject to “out of band” or “two factor” verification procedures. This is a prerequisite to coverage under a policy providing social engineering insurance and is a “best practice” to protect every firm from fraud.
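As an added illustration, not part of the original publication, the approval gate below models the out-of-band check described above in code: a change in a payee's bank details is honoured only when it has been confirmed on a different channel, using a contact from the firm's own vendor master rather than from the request itself. The vendor record, contacts and routing numbers are constructed sample data.

```python
"""Out-of-band verification gate for pay-application approvals (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class PayRequest:
    project: str
    payee: str
    routing_number: str
    channel: str          # channel the instruction arrived on, e.g. "email"

@dataclass(frozen=True)
class Verification:
    channel: str          # channel used to confirm, e.g. "phone"
    contact: str          # contact actually used for the confirmation
    confirmed: bool       # did the payee confirm the new details?

# Constructed vendor master: bank details and contacts already on file.
VENDOR_MASTER = {
    "Acme Consulting": {
        "routing_number": "011000015",
        "contacts": {"phone": "+1-555-0100", "email": "ap@acme.example"},
    },
}

def approve(req: PayRequest, verification: Optional[Verification]) -> Tuple[bool, str]:
    """Return (approved, reason). Unchanged bank details need no extra check."""
    record = VENDOR_MASTER.get(req.payee)
    if record is None:
        return False, "unknown payee"
    if req.routing_number == record["routing_number"]:
        return True, "bank details match vendor master"
    if verification is None:
        return False, "bank detail change not verified"
    if verification.channel == req.channel:
        # Replying on the same channel (e.g. to the email thread) is exactly
        # the case in which the attacker answers the verification themselves.
        return False, "verification used the same channel as the instruction"
    if record["contacts"].get(verification.channel) != verification.contact:
        # Contact details quoted in the request are untrusted; only the
        # number or address already on file counts.
        return False, "verification contact not from vendor master"
    if not verification.confirmed:
        return False, "payee did not confirm the new bank details"
    return True, "bank detail change verified out of band"
```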
Firms that want an additional layer of protection may consider adding cyber security software solutions to protect the five key domains:
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).