Social engineering is a quickly rising risk in the cyber community that is causing major financial issues. The attack works by tricking a company's employees into transferring funds to a scammer on the other end.
The fraudster will send out an email to a victim who believes the email is from a legitimate sender, such as an executive in their company or their supervisor. The email will usually include a prompt that advises the person receiving the email to send back financial-related information at the supervisor's supposed direction. The email looks genuine in everything from the sender’s email to the request they make, tricking the victim into providing exactly what the fraudster needs.
The Cost of Social Engineering
According to statistics from 2017, more than $5 billion was stolen in social engineering-related scams between 2013 and 2016, shining a light on cyber crimes and the need for better cyber insurance coverage. Unsuspecting and trusting employees are following along with a fraudster’s requests, costing their companies millions of dollars in connection with insurance claims related to social engineering.
When companies home in on their traditional insurance coverage, they usually come to understand that they do not have adequate coverage to get back what they lost. From money stolen directly by the fraudster to paying out claims to customers, the cost is high, just like the risk of operating without the right cyber insurance protection.
Insurers have denied coverage in the past when it comes to social engineering claims under certain policies, claiming that a loss did not result from direct fraud. The crime policies, according to some insurers, only apply if a hacker gets into a company’s computer system and takes money from a company’s coffers illegally. When it comes to social engineering claims, company funds have been released with the consent of an employee, even if that means that the employee was tricked.
Looking at Crime Policies & Endorsements
Some crime policies contain exclusions that may place specific limits on social engineering claims. Many traditional crime policies include a voluntary parting exclusion that prohibits coverage for losses that come from anyone acting with authority who voluntarily gives title to company property. What’s more, some insurers have put broad exclusions on crime policies that are directed toward cutting out coverage for many cyber risks and liabilities, such as social engineering claims.
Some insurers are seeing this as an opportunity to offer up endorsements that provide coverage for social engineering risks, especially since this is a growing concern as companies become more digitally engaged and dependent. These endorsements may be subject to a sublimit and may include coverage for some social engineering risks. Like all policies, the wording of the endorsement matters and should be looked over with a fine-tooth comb to avoid penalties.
It’s also important to note that social engineering coverage will not automatically be added to a policy for a company and not all insurers are willing to provide such coverage. Since social engineering is still new, insurers might not know exactly what they’re up against and how much they will have to pay out.