Traditionally, commercial crime policies cover direct losses from fraud and theft — failures of human behavior. Cyber policies, on the other hand, were meant to cover indirect losses stemming from failures of systems and technology, picking up the costs of notification, forensic investigation, privacy monitoring and data recreation when PII is breached.
But new types of theft are blurring the line between cyber and commercial crime risk — most notably social engineering fraud. These schemes result in direct financial loss without any system failure or data breach … but bad actors nonetheless rely on computers and wire transfers to perpetrate their fraud. These incidents do not fit neatly into either a cyber or commercial crime bucket.
“Because of the increasing shift to digitized business operations, funds are at risk and there is a natural intersection between crime and cyber risk,” said Aaron Basilius, senior vice president and leader of the cyber insurance team at AmTrust Financial.
“It’s important to make sure that you’re aware of what coverage you might have both from a commercial crime perspective and from a cyber perspective. In many cases, you’ll need both to cover the loss itself in addition to the potentially significant incident response costs that come along with any type of system or network compromise.”
Here’s how social engineering is warping the boundaries of cyber and commercial crime policies and why it’s better to work with a single carrier to ensure comprehensive protection.
There are two key characteristics that typically disqualify social engineering scams as covered incidents under traditional crime or cyber policies.
First is the absence of direct theft. In cases of social engineering, employees are tricked into willingly transferring away large sums. Because the money was neither taken directly nor knowingly transferred to a falsified account, the loss doesn’t always fit the parameters of employee dishonesty, computer fraud or funds transfer fraud as outlined in most crime policies.
“When we started seeing these incidents, several years ago, one of the main issues we had was that while computer and funds transfer fraud insuring agreements were in our crime policies, the language was a bit dated. These insuring agreements had been written in the ’80s and ’90s, when social engineering fraud schemes didn’t exist,” said Melissa Schwartz, crime product manager, AmTrust EXEC.
“Social engineering fraud claims were being made under those agreements, but they were not originally designed for this type of loss.”
On the cyber side, the lack of any breach of the targeted company’s systems or any failure of its technology bars most social engineering scams from coverage under a cyber policy.
That being said, social engineering fraud does share traits common to both traditional forms of crime and cyber incidents.
“They are very similar exposures in the sense that an inadvertent error could always give rise to a potential loss. And at the same time, you have third parties actively trying to subvert whatever security measures you have in place, exploiting any weaknesses that might exist within your overall security framework but also vulnerabilities of human nature,” Basilius said.
In 2019, U.S. businesses lost $1.7 billion to social engineering scams, accounting for half of all cyber crime losses, according to data compiled by the federal Internet Crime Complaint Center. Clearly, it’s a risk in need of clear and definitive coverage … and that demanded new approaches to cyber and commercial crime underwriting.
No two carriers approach social engineering risk the same way. Some have specifically excluded these losses entirely. Others offer coverage on a sublimited basis via endorsement only. A handful offer standalone policies. Policy language also varies.
Social engineering, business email compromise, impersonation, spoofing and phishing are all terms used to describe this type of loss event.
“In the U.S., most cyber and crime markets have decided to cap the losses from social engineering schemes via sublimited coverage. But insurers have varying degrees of comfort with this risk, and the limits and language differ from one carrier to the next. It’s far from a unified approach,” Schwartz said.
In any case, insureds cannot assume that they have coverage for social engineering scams or that the coverage they do have is sufficient. Scammers have grown bold over the years, making off with tens of millions in some cases. An endorsement capped at less than $1 million may not cut it.
That’s why it is critical for companies to have specific conversations with their carriers about social engineering risk, including how much coverage is available and under which policy. Coordination between cyber and commercial crime underwriters helps to close coverage gaps and ensure all parties know what to expect if an incident occurs.
Working with a single carrier for both cyber and commercial crime policies increases the likelihood that coverage will truly reflect an insured’s exposures, without gaps or overlaps. Though social engineering coverage may be obtained under either policy, underwriters can take a holistic view of the client’s risk profile and budget and determine where it fits best and at what limit.
“My team regularly communicates with the commercial crime team on emerging exposures with elements of both cyber and traditional crime risk,” Basilius said. “We see how the crime policy in play addresses a particular risk from a policy wording and rating perspective, and whether we can supplement what’s already in place to fill in potential gaps and provide comprehensive coverage for a client.”
Added Schwartz, “We understand that the point of an insurance policy is to pay claims. But our role is also to help policyholders understand their exposures, and the circumstances of loss that determine where they will or won’t find coverage so there are no surprises. We’re continually working together to ensure all stakeholders are on the same page.”
Working with a single carrier also streamlines the claims process after a loss. Having a single point of contact eliminates the back-and-forth that insureds often encounter when a loss may implicate multiple policies from different carriers.
“When you work with one carrier, you also gain the full breadth of their expertise. At AmTrust, we’re thoughtful and deliberate about the business we write. We know our clients’ business and serve the industries and market segments where we have experience and expertise,” Basilius said. “Insurance claims and losses are never pleasant experiences, but they can be made easier by working with an insurer that truly understands your exposures, your risk mitigation protocols, and your policies.”
The combination of industry- and risk-specific expertise with underwriting authority also allows AmTrust to be creative in the solutions it designs for clients.
“Both of our teams have the ultimate sign-off on what gets covered and what doesn’t. Because we can make those decisions ourselves, we can not only provide faster service for clients, but more bespoke solutions,” Schwartz said.
That level of service and coverage certainty will only grow more important as cyber and crime risks continue to evolve. The transition of many employees to remote work during the pandemic — and the extra layers of stress that came with it — has only given scammers more vulnerabilities to exploit. Businesses will need insurers with expertise in both cyber risk and crime to fully protect themselves from loss.
To learn more, visit http://www.amtrustfinancial.com/.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with AmTrust Financial. The editorial staff of Risk & Insurance had no role in its preparation.