Social engineering fraud is the art of exploiting human psychology, rather than hacking via technological methods, in an effort to trick, deceive or manipulate unsuspecting individuals into transferring money or key confidential information, usually for financial gain. The schemes have become increasingly sophisticated and are often easily mistaken for being genuine. Although the fraud can be perpetrated through a number of different communication methods, such as telephone, fax and messaging platforms, e-mail is generally the most common conduit. Hackers usually monitor email traffic for months to familiarize themselves with the style and tone of communications. Targeted and well-constructed communications are then sent to individuals within a business, purportedly from people they know and would otherwise trust.
Instances of social engineering fraud continue to rise for professional and financial businesses. Traditional insurance coverages are being tested by such social engineering losses, with the majority of claims being reported to crime and cyber policies. If you find yourself grappling between your cyber and crime policies, trying to understand whether you have coverage under either or both and how they might interact in the event of a loss, you are not alone. While the insurance market isn’t always aligned with respect to coverage, there has been overwhelming agreement from the insurance community that the loss of first-party funds resulting from social engineering fraud should first and foremost be covered under a crime policy.
Cyber policies have always been designed to respond to schemes which result in stolen personal or confidential information. As cyber insurers looked for a competitive edge in the marketplace, crime endorsements emerged, expanding coverage for funds stolen through social engineering fraud. Although the coverage itself is similar to that which you would find in a crime policy, minimal sub-limits usually apply.
Whilst having strict protocols and procedures in place to help prevent fraud is essential, crime (and indeed cyber) policies should form part of your defense strategy for protecting your company against social engineering fraud.
Let’s address some other frequently asked questions:
1. If I have Social Engineering coverage under both my cyber and crime policies, which should respond first?
Ideally, we’d prefer to see an “optimal recovery” endorsement or an “Other Insurance” clause which expressly gives the insured the choice of which policy they want to respond first at the time of a loss. When this language is not available (which may often be the case in the current hard market), it is best to examine both policies, including applicable retentions and coverage terms, and designate one policy to respond first for claims or losses that may be picked up under both policies.
2. If I have Social Engineering coverage under both my cyber and crime policies, do I need to pay two deductibles?
Ideally each policy should specify that their retention will be eroded by payments made under the other policy in question. This way, you will not have to pay two deductibles for the same loss.
3. Should my primary cyber and crime insurer be the same?
While it can certainly make the coordinating of two policies easier, in the event of a claim or loss, it is not imperative.
4. Should the coverage under both policies be identical?
Ideally, this does make the most sense, as you would like the policies to work in lockstep with one another. Realistically, this might not always be the case as each insurer uses proprietary language and your primary crime and cyber insurers may differ.
5. What if the Social Engineering fraud results in a loss of funds and confidential information?
We recommend putting both crime and cyber insurers on notice. Be mindful of potentially different notification requirements on both the crime and cyber policies. In most cases, the cyber policy will respond first for claims that result from the loss of confidential information and the crime policy will be primary for claims that result from the loss of funds.
Crime underwriters generally request that a social engineering supplemental questionnaire be completed and, in most instances, require an additional premium for robust limits. Social engineering fraud largely remains sub-limited; however, the ability to negotiate higher sub-limits or full limits on any given account depends on the strength of the business’ policies and procedures. Excess insurers are generally agreeable to following the underlying social engineering limits or offering a reduced excess limit. As the scope of social engineering coverage varies from insurer to insurer, it is important to read the language and understand whether “condition precedent to liability” language exists.
Cyber underwriters generally do not require supplemental questionnaires when they offer social engineering fraud coverage on their policies, largely because of the small sub-limits that are available. Although cyber insurers have recently pulled back a bit when offering the additional coverage, particularly for financial institutions, the enhancement is still largely available for most clients, especially on large accounts. Excess insurers have, however, been increasingly reluctant to follow crime coverages.
Similar to the US/Canada, crime insurers frequently request the completion of a social engineering supplemental questionnaire. Whilst for most insureds, social engineering fraud coverage is offered at full limits, especially for financial institutions, some insurers require that verification language (or “Tested” language) be added to the coverage if not already present. Verification (or “Tested”) language stipulates how and by what means communications are verified and/or checked by the financial institution. Examples include requirements of a “call-back”, or that specific security codes be successfully entered by an individual.
The more modern and bespoke wordings generally offer a broader scope of coverage compared to off-the-shelf, insurer-issued products. However, we are seeing some UK crime insurers pull back some of the coverage in some instances, particularly where insureds have had previous social engineering fraud losses. UK cyber insurers, which already provided crime endorsements (albeit less frequently than their U.S. counterparts), began to pull back from adding this enhancement to certain cyber policies in 2020, particularly those written for smaller financial institutions, given the full coverage offered under their crime policies.
Insurers have responded to the demand for social engineering fraud coverage in a variety of ways. We invite you to contact us if you have any questions relating to your current crime and/or cyber program and how to ensure you are positioned for optimal insurance recovery in the event of a loss. As there is an inherent overlap between cyber and crime coverage, insurers continue to evaluate areas where multiple policies may respond to the same loss.
Please keep an eye out for our future client alert, where we examine coverages that insurers are focused on eliminating from crime policies with the intention of relying on cyber forms.