20 October 2020
Peter Hedberg

Cyber Coverage Explained: Social Engineering and Cyber Crime Coverage

Peter Hedberg, VP of Cyber Underwriting

Recently I explained how social engineering attacks can disrupt businesses in a video that covers several common first-party insuring agreements. In this article I’m going to dig in deeper on Social Engineering coverage, one of the insuring agreements I get asked about most by brokers. 

In this article I’ll define social engineering, explore common language you might see in different insurance carriers’ forms, and explain what all of these terms mean for policyholders with examples.

Background: The what, why and “how we got here” of coverage for Social Engineering

First, a definition. Social engineering is a general term for when malicious actors trick an individual into taking an action such as giving away sensitive information and/or credentials, making a transfer of company funds, or making purchases on their behalf. In contrast to more sophisticated ransomware exploits, social engineering enterprises may be run by individuals or by small, loosely organized crime cartels. Actors typically target younger, lower-level employees who tend to be more trusting and less wary of suspicious communications.

Social engineering exploits can cost firms significant amounts of money if the criminals succeed in getting an employee to do what they want, such as transferring company funds. It is extremely difficult to claw back any money lost by this means. Impacted businesses incur further expense through liability claims, where management pays lawyers to settle state and legal liabilities and hires digital forensics firms to restore their IT systems. 

Eclipsed only recently by ransomware attacks in driving cyber-related losses, social engineering has been a regular leading source of loss for businesses from small nonprofits to large, sophisticated companies. According to the FBI, social engineering attacks cost companies an average of $130,000 with damages climbing into millions of dollars. What’s more, the number of successful social engineering attacks continues to grow as the years go by.

Figure: Social engineering continues to rise (12% since 2016).

Small wonder, then, that many insurers refuse to offer coverage for non-standard social engineering issues. If they offer coverage for these risks, they often define them narrowly, leaving the onus of responsibility on insured organizations to train employees to resist manipulated action.

Recently, though, some cyber insurers have begun to broadly cover a range of social engineering fraud losses, realizing the large gap that narrow coverage represented for their policyholders. These broad coverages may include phishing or business email compromise (BEC), invoice manipulation, cryptojacking, telecom fraud and funds transfer fraud. We’ll cover each of these specific situations in this post. 

The Details: What Brokers Should Watch For
Common Language

In covering these risks, insurers’ policy language isn’t universal. Social engineering fraud — or as it is otherwise called “financial fraud loss”, “unwitting data breach”, “business instruction fraud” or “wire fraud” — is a blanket term for all types of crime losses. Other key wordings you may encounter are “voluntary parting,” an exclusion an insurer may use to preclude coverage for all, or certain, fraudulently authorized transactions. There is also “theft of funds held in escrow,” where attackers steal funds held in trust for a third party, in contrast to “theft of personal funds,” which refers to attackers stealing your client’s own money.

The common parlance for phishing or transfer fraud is “business email compromise” (BEC) or “email account compromise” (EAC). Invoice manipulation is synonymous with “third-party phishing” or with “vendor manipulation”. Telecommunications fraud loss is a stand-in for “telecom fraud loss”, while cryptojacking, or the fraudulent use of an organization’s computing power for the specific use of bitcoin mining, can also be called “malicious cryptomining”.

We know that’s a lot of terms packed into one coverage agreement, which is why it pays to read this coverage closely and confirm with the carrier their specific definitions. We’ll get into what all of these mean in detail in the next section.

For context, here’s the full language Corvus uses in a typical coverage agreement for Social Engineering and Cyber Crime:

Financial Fraud Loss, Telecommunications Fraud Loss, Phishing Attack Loss, theft of Funds Held in Escrow,
or theft of Personal Funds incurred directly as a result of Financial Fraud, Telecommunications Fraud, or
Phishing Attack. 

Types of Social Engineering Fraud

1. Business Email Compromise (BEC)

In the most common type of social engineering attack, malicious actors scout for a vulnerability within your client’s system, which they exploit to dupe employees into moving money into a fake account.

For example: Hackers sit on your client’s traffic, identifying key players, habits and language, and then use that information to dupe a company subordinate into transferring money to a certain account. Since this is usually a wire transfer, your client typically discovers the ruse only after the critical lead time of two to three days has passed, which prevents them from blocking the transfer.

2. Invoice Manipulation

In what’s a particularly devious enterprise and typically covered by few insurers, hackers impersonate the insured, tricking your client’s customers or vendors into payments to fraudulent accounts.

By the time your client notices the deception, their business has irrevocably lost large sums of money. For that reason, most insurance companies withhold coverage for invoice manipulation, reasoning that the crime was perpetrated on another party outside of the firm. So it should be that party’s problem, right?

If your client is refused social engineering coverage, their closest possible alternative is crime coverage that’s, unfortunately, designed only to cover theft committed by the firm’s employees or by non-employee third parties.

Corvus does offer this non-standard agreement, recognizing your client may receive no coverage when they most need it.

3. Funds Transfer Fraud

Unlike previous situations where hackers manipulate lower-level employees into breaching the company’s IT systems, with funds transfer fraud, malicious actors become familiar enough with the company’s server to break in and steal your client’s login credentials. There’s no psychological manipulation of lower-level employees. Hackers simply monitor the system, identify network vulnerabilities and penetrate the authentication system to steal passwords.

According to law firm Ice Miller LLP, recent significant increases in funds transfer fraud are, unfortunately, underreported by both the FBI and the Secret Service.

4. Telecommunications Fraud Loss

Hackers invade the company’s phone networking system, resulting in your client incurring huge phone bills. Point of entry is achieved via the company’s computer network or the telecommunications service provider.

A 2019 joint report by Europol’s European Cybercrime Centre and Trend Micro, a Taiwanese cyber security and defense company, found these unauthorized long distance calls cost companies around the world about $32.7 billion a year.

5. Cryptojacking Attacks

Hackers infiltrate the company’s server resources, sucking up your client’s energy for their own use – mostly to mine digital currency. Side effects include slowing your client’s processing power which can impact their business, causing revenue loss. Your client is likely also to lose customers, who, frustrated by slow response time, may sign up for competitors. Their system hardware may crash since it’s overused. Your client will need to spend on hardware replacements because of the system’s expedited wear and tear. Worst of all, the company is left to foot the exorbitant energy bill.

Hackers penetrate the system either by tricking employees into downloading malware through social engineering attacks or by injecting malicious code into web pages. Cybersecurity professionals from the Norwegian University of Science and Technology noted cryptojacking can be very difficult to detect, and even organizations that become aware of the situation might not bother getting rid of the infection if it is not severe.

Bottom Line

While ransomware steals the headlines today, 70% to 90% of all malicious breaches are due to social engineering and phishing attacks. The FBI reports that scams continue to evolve, targeting small, medium, and large businesses.

The best two lines of proactive defense for any organization are multi-factor authentication and mandatory employee training. But as any security pro will tell you, no defense is perfect, and tactics used by cyber criminals evolve to stay ahead of even the best training programs. With this omnipresent and ever-evolving risk, it’s critical to know that your clients have comprehensive cyber insurance coverage for the many permutations of this type of attack. Beware narrow language and exclusions relating to the most common types of social engineering fraud, and look for policies that affirmatively cover all of the situations outlined above. 
