Criminals have practiced social engineering for centuries, but modern computer technology is enabling scams to reach ever-greater numbers of victims. Social engineering is a ruse that persuades people to let down their guard, inadvertently revealing or permitting access to something of value. In the context of cyber risk, examples of social engineering include:

• Phishing. A common method of trying to dupe victims through impersonal but official-looking email into clicking a link or opening an attachment to gain account information or launch malicious software. Phishing can open the door to a variety of cybercrimes, including ransomware attacks.
• Spear-phishing. A personalized form of phishing that uses specific information to defraud a targeted individual. For example, a spear-phishing attack might offer partial account numbers or the names of business associates, suggesting that the sender is trustworthy.
• Business email compromise. A costly and growing problem, the Federal Bureau of Investigation’s Internet Crime Complaint Center in 2018 received 20,373 cases of business email compromise (BEC), with losses of more than $1.2 billion.1 Since January 2015, BEC cases have generated losses in excess of $3 billion. BEC scams usually target individuals who handle wire transfers. A typical example is an email request from an executive’s hacked email account, or appearing to be from that account, requesting funds for a business transaction. Variations of BEC may involve personal email accounts, texts and phone calls that spoof a person authorized to make such requests.
• Vendor/supplier impersonation. Another variation of BEC, this form of crime tricks the victim into diverting funds normally paid to an actual vendor or supplier to a fraudulent account. This tactic often succeeds when the victim fails to verify the change by contacting the vendor or supplier through existing records. All too often, victims “call back” a number provided by the requester, which of course is also fraudulent.

(Source 1)

Coverage for social engineering losses debuted in cyber insurance policies roughly five years ago. Sometimes known as fraudulent instruction or cyber deception, cyber insurers readily added coverage on a sublimited basis. Typically this coverage was conditioned on call-back procedures in policyholders’ accounting departments, but competition in the marketplace has softened this requirement. During the past few years, cybercrime has become a key exposure for small and medium-size enterprises. NetDiligence’s 2018 Cyber Claims Survey found that 92% of cyber claims in 2017 were caused by criminal activity, including hacking, social engineering, malware and wire transfer fraud; only 8% of claims were due to non-criminal causes, such as staff mistakes and system glitches. Since 2013, 85% of cyber claims in the NetDiligence study have come from organizations with $2 billion or less in revenue (source).

COVERAGE CONSIDERATIONS

If these loss trends continue, will social engineering coverage continue to be available for most insureds? Will restrictions apply to higher risk organizations?

With coverage for social engineering claims facing an uncertain future, retail agents and their insureds should consider whether a cyber policy is really the right insurance solution for cybercrime. A better option may be a stand- alone crime policy.

For starters, most cyber underwriters have little experience in underwriting crime risks. Secondly, cybercrime has been almost a “throw-in” form of coverage in cyber policies, until recently. As insurers begin to see their exposure to cybercrime claims rise, some established markets are taking actions to limit this exposure.

A stand-alone crime policy may be better suited to insuring social engineering risk. Unlike most cyber policies, which impose an aggregate annual limit, standard crime policies are written on an each-and-every-claim basis and usually have no aggregate limit. With the increasing frequency of social engineering claims, an each-and-every-claim approach has significant benefits to any insured worried about multiple claims within a policy period. Secondly, crime underwriters may be better equipped to evaluate crime exposures and recommend reasonable risk management steps. Thirdly, crime underwriters may be more flexible in providing higher social engineering limits, especially to insureds that implement their risk management requirements. Finally, crime insurers generally include coverage for third-party funds that an insured holds. Some cyber insurers exclude funds held in escrow.

BOTTOM LINE

Depending on the risk, it may be advantageous for retail agents to explore different coverage structures for cybercrime, such as using cyber coverage on an excess basis, with underlying losses paid under a commercial crime policy. If such an approach is taken, some cyber carriers will amend their form to recognize the erosion of their deductible by any payment made by the commercial crime carrier that is also covered on the cyber policy. Ultimately, the marketplace will determine if it will continue to cover cybercrime under existing cyber policy forms or create a hybrid form that covers traditional commercial crime and cybercrime exposures, along with first-party and third-party cyber risks. In the meantime, retail agents and their insureds should strive to fully understand their cyber exposures and partner with an experienced wholesale specialist to find the most appropriate available coverage.

Contact your CRC Group producer for more information.

Contributor:

Mark A. Smith is a CRC Senior Vice President and professional liability broker, based in Seattle and a member of the ExecPro Practice Advisory Committee.