As Social Engineering Attacks Surge, It’s Time to Coordinate Your Cyber and Crime Policies
A worker receives an invoice from a critical supplier. They quickly look over the email, check the amount and approve the transfer.
But in their haste, they miss a subtle variation in the email address that sent the request. The email didn’t come from a supplier; it came from a cybercriminal.
The company in this hypothetical scenario was hit with a social engineering attack. During these events, an attacker may send an email impersonating a company executive, client or supplier, using data they’ve gleaned from a previous system infiltration or even social media to make the solicitation more convincing.
“Fraudsters are very clever,” said Antonio Trotta, vice president, financial lines claim practice leader, cyber and professional liability, with QBE. “They’ll find 10 million different ways to get your money.”
Social engineering has become such a threat over the past few years that insureds and their carriers are worried it will overtake employee dishonesty as the most frequently seen claim under crime policies. “Social engineering is becoming a major driver of claims that come in,” said Matt Dodd, vice president, fidelity/crime product leader, with QBE.
With social engineering and similar attacks, cyber and crime coverages may both come into play. If multiple carriers are involved, this can frequently create issues over which policy should apply and how different factual scenarios should be treated under each policy. Increasingly, brokers are asking for solutions that coordinate these policies and minimize coverage disputes.
Cyber and Crime Policies: Siloed No Longer
Crime and cyber risks rank as a top concern for companies. QBE’s 2022 Mid-Sized Company Risk Report found that companies ranked cyberattacks as their number one micro-risk concern and fraud and theft as number two.
Historically, companies have purchased cyber and crime policies separately — often through different brokers and carriers.
Cyber policies were designed to cover damages caused by ransomware, data breaches and other network infiltrations, while crime coverages addressed issues like employee and third-party fraud and theft, among other risks. Companies didn’t see a need to intertwine the two because there wasn’t much overlap.
Social engineering attacks have changed that. They combine elements of cyberattacks with characteristics of theft, which may be traditionally covered under a crime policy.
When an event with both elements occurs, opportunities for coverage disputes abound, especially for businesses with separate cyber and crime carriers. “Both carriers may be going, ‘Well, make sure you’re submitting it to your cyber policy’ or ‘Make sure you’re submitting it to your crime policy,’ ” Trotta said.
A cyber carrier may say that the attack isn’t covered because the hacker didn’t necessarily invade the company’s system — they just sent a fraudulent email.
“The carrier could say something like, ‘We can provide coverage for an investigation of your computer network, because if there was an intrusion there, that’s certainly covered. But any financial loss that you incurred as a result of transferring money to a fraudster, there’s no coverage for that under a cyber policy,’ ” Trotta said.
Crime policies, too, may have exclusions. Hackers didn’t actually break into the network and steal the money — an employee willingly transferred them the funds.
“The issue I’ve always faced is that the insured is technically transferring money on their own,” Dodd said. “It’s not the hackers getting into the system and actually stealing the money and transferring it themselves.”
Coordinating Cyber and Crime Coverages
To address overlaps between cyber and crime policies, many brokers are encouraging insureds to work with a single carrier to coordinate the two coverages in the event of an attack.
“When our brokers request it, we’ll have conversations between the lines of businesses about how to approach a singular risk,” Trotta said. “If you coordinate the coverage to begin with, it’s a very streamlined conversation.”
Intertwined cyber and crime coverages will have clarifying language that details which parts of a social engineering attack are covered by each policy.
Dodd and Trotta emphasized that working with a single carrier on both policies can help minimize potential gaps, especially since the two risks are likely to become more interconnected over the next few years.
“Our crime group and cyber group routinely work together,” Dodd said. “It’s still an evolving area of interwoven coverage that we’re trying to keep current with the changing risk environment.”
Cyber insurance markets have been hardening over the past few years, even as submissions are increasing. Coordinating policies so that exposures are allocated deliberately between the cyber and crime coverages can help carriers balance their appetite for social engineering and other network risks.
That’s why looking to a single carrier for both policies can streamline the process and reduce claim resolution complexity.
“A lot of carriers are very cautious about this kind of risk because of the frequency,” Trotta said. “When you buy products from a single insurer, their products are designed to cover these types of losses but do so in a manner where the insurer wants to place them.”
Risk Management Can Help Prevent Social Engineering Attacks
Even with coordinated coverages, the increasing frequency of social engineering attacks demands proper risk management. Trotta and Dodd recommend conducting training so employees can recognize an attack, as well as implementing internal procedures to protect against fraudulent fund transfers.
One key tip they shared is encouraging employees to call the party requesting funds before issuing a transfer. That way, a worker can confirm the executive, client or supplier actually submitted the request, rather than a fraudster.
“Most of these frauds occur by email, and you need to be able to pick up the phone and call a dedicated number — not just a number that you’re seeing on the email — to contact the other party and say, ‘Did you send this? Is this right?’ ” Dodd said.
“And that goes for not just instructions that come in for wire transfer but also for any changes in a customer’s or a vendor’s bank account, contact info — anything.”
Another strategy for preventing fraudulent transfers is mandating that supervisors approve any requests for funds over a certain amount. This practice allows another person to double-check the submission before any money changes hands, increasing the opportunities for preventing fraud.
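The controls just described (a callback to a number already on file, never one taken from the email, and a second approver above a set amount), together with the look-alike sender address from the opening scenario, can be expressed as a pre-transfer check. The following is an added example, not code from the article or from QBE; the vendor records, the 10,000 threshold, the two sample requests and the use of edit distance to spot a one-character domain swap are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class VendorRecord:
    """What accounts payable already knows about a vendor, independent of any email."""
    name: str
    email_domain: str      # domain the vendor normally writes from
    bank_account: str      # account of record
    callback_number: str   # number on file; never taken from the request itself


@dataclass
class PaymentRequest:
    vendor: str
    sender_email: str
    bank_account: str
    amount: float
    approvers: list[str] = field(default_factory=list)
    callback_confirmed: bool = False   # set only after phoning the number of record


DUAL_APPROVAL_THRESHOLD = 10_000.00    # assumed policy limit, not a figure from the article


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, domain_of_record: str) -> bool:
    """True for near-misses such as 'acmesupp1y.com' sent in place of 'acmesupply.com'."""
    return domain != domain_of_record and edit_distance(domain, domain_of_record) <= 2


def review_payment(req: PaymentRequest, vendors: dict[str, VendorRecord]) -> list[str]:
    """Return the reasons to hold the transfer; an empty list means it may be released."""
    findings: list[str] = []
    rec = vendors.get(req.vendor)
    if rec is None:
        return [f"no vendor record for {req.vendor!r}: hold"]

    # 1. Who actually sent this? Compare the sender's domain with the domain on file.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec.email_domain.lower():
        if lookalike_domain(sender_domain, rec.email_domain.lower()):
            findings.append(f"sender domain {sender_domain!r} is a look-alike of {rec.email_domain!r}")
        else:
            findings.append(f"sender domain {sender_domain!r} is not the domain of record")

    # 2. Any change to banking details is treated as suspect until verified.
    if req.bank_account != rec.bank_account:
        findings.append("bank account differs from the account of record")

    # 3. Out-of-band confirmation must have used the number on file, not one in the email.
    if not req.callback_confirmed:
        findings.append(f"no callback to number of record {rec.callback_number}")

    # 4. Large amounts need a second, distinct approver.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        findings.append(
            f"amount {req.amount:,.2f} exceeds {DUAL_APPROVAL_THRESHOLD:,.2f} without a second approver"
        )
    return findings


# Constructed sample data for the invoice scenario (placeholder account and phone values).
VENDORS = {
    "Acme Supply": VendorRecord("Acme Supply", "acmesupply.com", "GB00-TEST-0001", "+44 20 0000 0000"),
}
GENUINE = PaymentRequest("Acme Supply", "ap@acmesupply.com", "GB00-TEST-0001", 4_800.00,
                         ["alice"], callback_confirmed=True)
FRAUD = PaymentRequest("Acme Supply", "ap@acmesupp1y.com", "GB00-TEST-9999", 25_000.00, ["alice"])

if __name__ == "__main__":
    for label, req in (("genuine", GENUINE), ("fraud", FRAUD)):
        print(label, review_payment(req, VENDORS) or ["release"])
```

The genuine request produces no findings; the fraudulent one is held on four separate grounds (look-alike domain, changed account, no callback, missing second approver), so a single slip such as skipping the callback is not enough on its own to let the transfer through.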
After an attack occurs, contacting the authorities can help companies get their money back. The FBI’s Internet Crime Complaint Center has a 74% success rate when it comes to investigating and recovering funds from fraudulent transfers.
“They’re very successful in helping recover stolen monies,” Dodd said. “If you can catch this within 48 to 72 hours, there’s a reasonable chance you can claw back that money.”