Cyber Coverage Explained: Social Engineering & Cyber Crime Coverage
Recently I explained how social engineering attacks can disrupt businesses in a video that covers several common first-party insuring agreements. In this article, I'm going to dig deeper into Social Engineering coverage, one of the insuring agreements I get asked about most by brokers.
Background: The What, Why, and “How We Got Here” of Coverage for Social Engineering
First, a definition. Social engineering is a general term for when malicious actors trick an individual into taking an action such as giving away sensitive information and/or credentials, making a transfer of company funds, or making purchases on their behalf. In contrast to more sophisticated ransomware exploits, social engineering enterprises may be run by individuals or by small, loosely organized crime cartels. Actors typically target younger, lower-level employees who tend to be more trusting and less wary of suspicious communications.
Social engineering exploits can cost firms significant amounts of money if the criminals succeed in getting an employee to do what they want, such as transferring company funds. It is extremely difficult to claw back money lost this way. Impacted businesses incur further expense through liability claims, where management pays lawyers to settle state and legal liabilities and hires digital forensics firms to restore their IT systems.
Eclipsed only recently by ransomware attacks in driving cyber-related losses, social engineering has been a regular leading source of loss for businesses from small nonprofits to large, sophisticated companies. According to the FBI, social engineering attacks cost companies an average of $130,000 with damages climbing into millions of dollars. What's more, the number of successful social engineering attacks continues to grow as the years go by.
Small wonder, then, that many insurers refuse to offer this non-standard social engineering coverage. If they do offer coverage for these risks, they often define it narrowly, leaving the onus on insured organizations to train employees to resist manipulation.
Recently, though, some cyber insurers have begun to broadly cover a range of social engineering fraud losses, realizing the large gap that narrow coverage represented for their policyholders. These broad coverages may include phishing or business email compromise (BEC), invoice manipulation, cryptojacking, telecom fraud, and funds transfer fraud. We’ll cover each of these specific situations in this post.
The Details: What Brokers Should Watch For
In covering these risks, insurers’ policy language isn’t universal. Social engineering fraud -- or as it is otherwise called “financial fraud loss”, “unwitting data breach”, “business instruction fraud” or “wire fraud” -- is a blanket term for all types of crime losses. Other key wordings you may encounter are “voluntary parting,” an exclusion an insurer may use to preclude coverage for all, or certain, fraudulently authorized transactions. There is also “theft of funds held in escrow,” where attackers steal funds held in trust for a third party, in contrast to “theft of personal funds” that refers to attackers stealing your client’s own money.
The common parlance for phishing or transfer fraud is “business email compromise” (BEC) or “email account compromise” (EAC). Invoice manipulation is synonymous with “third-party phishing” or “vendor manipulation”. Telecommunications fraud loss is a stand-in for “telecom fraud loss”, while cryptojacking, the fraudulent use of an organization’s computing power for the specific purpose of bitcoin mining, can also be called “malicious cryptomining”.
We know that’s a lot of terms packed into one coverage agreement, which is why it pays to read this coverage closely and confirm with the carrier their specific definitions. We’ll get into what all of these mean in detail in the next section.
For context, here’s the full language Corvus uses in a typical coverage agreement for Social Engineering and Cyber Crime:
Financial Fraud Loss, Telecommunications Fraud Loss, Phishing Attack Loss, theft of Funds Held in Escrow,
or theft of Personal Funds incurred directly as a result of Financial Fraud, Telecommunications Fraud, or
Types of Social Engineering Fraud
1. Business Email Compromise (BEC)
In the most common type of social engineering attack, malicious actors scout for a vulnerability within your client’s system, which they exploit to dupe employees into moving money into a fake account.
For example, hackers sit on your client’s traffic, identifying key players, habits, and language, and then use that information to dupe a company subordinate into transferring money to a certain account. Since this is usually a wire transfer, your client typically discovers the ruse only after the critical lead time of two to three days has passed, leaving them unable to block the transfer.
2. Invoice Manipulation
In what’s a particularly devious enterprise and typically covered by few insurers, hackers impersonate the insured, tricking your client’s customers or vendors into payments to fraudulent accounts.
By the time your client notices the deception, their business has irrevocably lost large sums of money. For that reason, most insurance companies withhold coverage for invoice manipulation, reasoning that the crime was perpetrated on another party outside of the firm. So it should be that party’s problem, right?
If your client is refused social engineering coverage, their closest possible alternative is crime coverage that's, unfortunately, designed only to cover theft committed by the firm’s employees or by non-employee third parties.
Corvus does offer this non-standard agreement, recognizing your client may receive no coverage when they most need it.
3. Funds Transfer Fraud
Unlike the previous situations, where hackers manipulate lower-level employees into breaching the company’s IT systems, with funds transfer fraud malicious actors become familiar enough with the company’s server to break in and steal your client’s login credentials. There’s no psychological manipulation of lower-level employees. Hackers simply monitor the system, identify network vulnerabilities, and penetrate the authentication system to steal passwords.
According to law firm Ice Miller LLP, recent significant increases in funds transfer fraud are, unfortunately, underreported by both the FBI and the Secret Service.
4. Telecommunications Fraud Loss
Hackers invade the company’s phone networking system, leaving your client with huge phone bills. Entry is gained via the company’s computer network or the telecommunications service provider.
A 2019 joint report by Europol’s European Cybercrime Centre and Trend Micro, a Taiwanese cyber security and defense company, found that these unauthorized long distance calls cost companies around the world about $32.7 billion a year.
5. Cryptojacking Attacks
Hackers infiltrate the company’s server resources, consuming your client’s computing power and energy for their own use, mostly to mine digital currency. Side effects include slowed processing, which can impact the business and cause revenue loss. Your client is also likely to lose customers who, frustrated by slow response times, sign up with competitors. System hardware may crash from overuse, and your client will need to spend on hardware replacements because of the system’s expedited wear and tear. Worst of all, the company is left to foot the exorbitant energy bill.
Hackers penetrate the system either by tricking employees into downloading malware through social engineering attacks or by injecting malicious code into web pages. Cybersecurity professionals from the Norwegian University of Science and Technology noted that cryptojacking can be very difficult to detect, and even organizations that become aware of the situation might not bother getting rid of the infection if it is not severe.
While ransomware steals the headlines today, 70% to 90% of all malicious breaches are due to social engineering and phishing attacks. The FBI reports that scams continue to evolve, targeting small, medium, and large businesses.
The best two lines of proactive defense for any organization are multi-factor authentication and mandatory employee training. But as any security pro will tell you, no defense is perfect, and tactics used by cyber criminals evolve to stay ahead of even the best training programs. With this omnipresent and ever-evolving risk, it’s critical to know that your clients have comprehensive cyber insurance coverage for the many permutations of this type of attack. Beware narrow language and exclusions relating to the most common types of social engineering fraud, and look for policies that affirmatively cover all of the situations outlined above.