Does Your Cyber Insurance Cover Social Engineering Fraud?

By G. Benjamin Milam on September 19, 2024

Most policyholders are aware of the danger of losses from fraudulent instructions and invoices accomplished through what is known as “social engineering” or related methods. Often this is carried out by an email claiming to be from a vendor or company executive that provides instructions for payment to a fraudulent account. In some cases, the fraud can go on for months before it is detected, leading to losses of hundreds of thousands of dollars. 

Unfortunately, policyholders are sometimes unpleasantly surprised when their cyber insurance excludes or places limits on coverage for this type of fraud. Unlike many other kinds of insurance, cyber has not become standardized in the years since its inception. Instead, the cyber insurance market offers policyholders a menu of coverage options from which the organization must purchase specific insuring agreements that match its risk profile. This “à la carte” approach means that policyholders must pay close attention to the insuring agreements in their policies, as well as key conditions on this coverage. They must also recognize missing coverages because not all cyber policies offer social engineering or other theft-of-property coverages.

Confusing terminology compounds the problem: If given options to purchase coverage for (a) “computer fraud,” (b) “funds transfer fraud,” or (c) “fraudulent instruction,” would you know which one insures against an invoice your company received from a spoofed vendor email? As these terms are commonly used in the insurance market, the answer is most likely (c), but depends on the specific policy language. 

Where coverage does exist, it is frequently subject to sublimits that are much lower than the overall policy limits. Policyholders should consider whether, for example, a sublimit of $100,000 is sufficient for the expected risk of a fraud event or if higher limits are needed.

An important condition typically imposed by insurers requires policyholders to maintain and utilize procedures for verifying a transaction, such as using two-factor or “out-of-band” authentication before transferring funds. The organization should determine the specific procedures mandated by the policy or represented to the insurer during the application process, and confirm those requirements are being followed. Ideally, this will not only avoid forfeiting coverage but may also prevent the loss in the first instance.

What about the reverse scenario when your customer is deceived by an email purporting to be from your organization? The customer may balk at paying the same invoice twice, or may argue that your company was at fault, particularly if the deception was aided by a breach of your own data. Some insurers will refuse to cover this type of event, reasoning that a third party, not the insured, has been defrauded. Other insurers expressly offer this coverage or make it available by endorsement. Coverage is usually available — but only if the insured understands its risks and obtains knowledgeable counsel from its coverage attorneys and brokers.

G. Benjamin Milam

Ben Milam practices in the areas of financial services litigation and policyholder insurance coverage. Ben represents mortgage lenders on a variety of claims, including unfair trade practices, wrongful foreclosure, the Fair Credit Reporting Act (FCRA), the Fair Debt Collection Practices Act (FDCPA), the Real Estate Settlement Procedures Act (RESPA) and the Truth in Lending Act (TILA). He also represents policyholders in insurance coverage disputes, including title and liability insurance matters.

  • Posted in:
    Featured Posts, Insurance
  • Blog:
    It Pays to Be Covered™
  • Organization:
    Bradley Arant Boult Cummings LLP