The demand for Cyber Risk insurance coverage continues to escalate among large and small businesses. The media is certainly driving this increased interest, and insurance agents and brokers fielding more questions than ever about coverages that have long been offered in other types of policies. “It happened because of a computer; shouldn’t this be a ‘Cyber’ claim?” “What do you mean my property policy excludes this?” The fact is, more and more traditional coverages are blending their way into the modern “Cyber” policy and nowhere is this more pronounced than in the area of Cybercrime.
Agents and brokers have traditionally known “Crime” to mean things such as the theft of money, employee dishonesty, forgery/alteration, third party theft of property, etc. As the digital age came about, these traditional Crime policies expanded to include “Computer Crime” and “Funds Transfer Fraud,” but these coverage grants have typically been very limiting.
Just as Crime policies have evolved, so too have Cyber Risk policies. This evolution has created a dangerous E&O exposure for agents who are not well-versed in the nuances of how these policies work. Obtaining “Cybercrime” coverages for certain industries on a Cyber Risk policy can be particularly difficult. Financial institutions, investment advisors, title and real estate agents, law firms and others are among the industry segments that may be better served on the Crime side than in Cyber Risk policies for this reason.
In an effort to bring a bit of clarity, here is a high-level overview of critical Cybercrime coverage elements that can be found in the stronger Cyber Risk insurance policies today.
Social Engineering/Cyber Deception
Social engineering is thought to be a coverage, but it is actually a tactic – a method used by thieves to obtain information, assets or money through the art of manipulation and deceit. This can be carried out through email, telephone or other means. When an insured willfully releases money, information or property to a third party based on an instruction they believed to be true (but, was in fact, deceptive), they have fallen victim to a social engineering scam.
When it comes to Cyber Risk insurance policies, there are several important things to look out for when it comes to Social Engineering:
- Is there a dual authentication requirement before coverage applies? In other words, if the insured receives the request via email, do they also have to call the requestor via phone to verify its legitimacy?
- Does the policy cover money and securities only or goods/product as well?
- What is and is not considered “money”?
- Does the policy only cover loss of the insured’s funds? What about funds held on behalf of others? This can be very important, depending on the insured’s industry.
- Is Social Engineering automatically included in the Cyber policy, or is it available via endorsement?
- If purchasing excess Cyber coverage, will the excess drop down over the Social Engineering? (Typically not)
- Is this already covered in the insured’s Crime policy? If so, ask questions above.
Funds Transfer Fraud
Funds Transfer Fraud coverage definitions vary from policy to policy, but generally, the coverage involves unauthorized instructions from a third party to a bank without the insured’s knowledge. Like Social Engineering, this can happen via written instruction, via computer, phone or other means. It isn’t Social Engineering because the insured did not willfully give the money away. It isn’t computer fraud because the theft didn’t take place on the insured’s computer system.
When someone enters the insured’s computer systems and fraudulently manipulates data that results in a loss of money, this is considered computer fraud. It isn’t Social Engineering because the insured did not willfully give the money away. It isn’t Funds Transfer Fraud because it occurred on the insured’s computer system and was not the result of fraudulent impersonation of the insured to a financial institution. To add to the confusion, some policies will blend Computer Fraud and Funds Transfer Fraud into a single insuring agreement. This is fine, but just know where the coverage resides in the policy.
We have seen a rise in these incidents, and, unfortunately, the industry has either been slow to develop coverage, or, certain markets have provided coverage, paid a lot of claims, and have pulled back coverage grants and/or limits for that reason. This coverage goes by many different names, including “Reverse Social Engineering.” Reimbursement coverage is provided to the insured for their inability to collect an account receivable they hold because they have been impersonated by a third party through electronic means.
Typically, incidents like these occur when someone has hacked into an insured’s computer system, learned their billing practices and patterns, and then sends invoices to the insured’s customers directing funds to their bank instead of the insured’s. This occurs unknowingly to the customer, who pays the invoice, receives their goods or services, but the thief gets paid instead of the insured. This scenario is a first-party loss, since the customer has received what they “paid” for. Instead, it is the insured who now suffers from their inability to collect from their customer.
It is important to note that the reverse of this can be true as well, creating a third party loss that should be contemplated under the Cyber Risk policy’s Security Liability insuring agreement. If the same scenario as explained above occurs, and it is determined that the customer never actually received their goods/services but paid the invoice anyway, then the customer will look for remuneration from the insured for their loss. This is more common in large corporations that receive many invoices.
Beware of Cyber Risk policies that limit this third party loss scenario with a sublimit as the Security Liability insuring agreement should cover this and is typically offered at full policy limits. After all, were it not for the insured’s failure to protect their computer system, their customer would not have suffered a financial loss.
While Cyber Risk insurance policies are broadening coverage in many areas previously contemplated by more traditional policies, it is important to work with a broker who can help you navigate the nuances. Doing so can make the difference between a covered claim for your client and an E&O exposure for your agency.