Given the increasing reliance of business on IT and the fact that the majority of many businesses’ assets are intangible rather than physical, cyber insurance is fast becoming as essential an insurance product as property cover or motor insurance. Whilst the message is clearly getting through, many businesses have been slow to change long established practices and cyber fraud is responsible for millions of pounds of losses every year.
Does Cyber Insurance Cover Online Fraud and Phishing? There are various cyber insurance products that offer broad coverage to protect against certain types of cyber based risks. However, the rapid emergence of cyber insurance and the fact that until recently, there has been considerable variation between cyber policy wordings, means that there are a number of misconceptions regarding what a cyber insurance policy covers.
The scope of cyber coverage available in the insurance marketplace will generally include a range of first party and third party covers which could protect your business against legal liabilities, loss of earners and breach response costs. Cyber insurance can often overlap with different policies; your professional indemnity might cover you for loss of documents but not notification costs; telecommunications fraud could be provided under a crime policy and office insurance could cover the cost of losing a laptop but not the loss of data. In our experience, one of the most common areas of confusion is social engineering causing a financial loss to individuals or organisations. Social engineering is a broad term for any cyber-attack that relies on fooling people into taking action or divulging sensitive or confidential information; the most common case is phishing attempts.
Typically, a phisher sends an e-mail, instant message (IM), or text message, or makes a phone call that appears to come from a legitimate colleague or organisation, trying to trick people into giving them confidential information, divulge sensitive data, or download a file infected with malware and will give the attacker access to sensitive or confidential information such as passwords, bank information as well as giving them control over your computer or network with the potential to also impact the security of other organisations. Social engineering has the potential to cause different types of losses that may trigger different insurance policies, not just cyber policies.
How Cyber Insurance Could Protect Against CEO Email Fraud A spoofed email is sent from a high-level executive such as a CEO or partner instructing someone with a financial role to transfer funds out of the company, or an email has been received from supplier for an invoice to be paid. In both cases the employee has acted on the email as the perpetrator has used an almost identical email address, using details gathered from public sources, to trick them into making a payment.
The above financial loss is typically excluded from the primary coverage provided by most cyber insurance policies as the loss is not of an intangible asset (as would be the case for loss of data) but a direct financial loss. Even cyber policies where there is a potential cover for fraudulent wire transfer will very likely exclude the above scenario, as often insurers have further restrictions if the insured is involved in the wire fraud (whether or not they are aware of the fraud) and require the insured’s systems to be compromised to trigger cover. The fact that a fraud is perpetrated by email does not in itself make the financial loss a cyber-incident. In these circumstances, the insured is a victim of crime in the same way it would be if the insured is persuaded to transfer money as the result of a fraudulent telephone call, meeting or letter. If the fraudster had sent the email from a genuine internal account, then the security of the company network could have been compromised or it could be the result of your data compromised as part of separate cyber-attack on a supplier then you might have a case against the supplier.
If your policy included fraudulent instruction that covered you against losses resulting from any payments made to someone impersonating a client, vendor or employee that is intended to mislead you then you should be protected from CEO email fraud.
Another outcome of invoice hijacking could be that you transfer clients’ funds to a fraudulent account which could be worth hundreds of thousands of pounds for law firms and solicitors. Conveyancers regularly handle significant sums of money making them attractive target for fraudsters both in terms of the ease of identifying transactions to target and the potential returns. The same can be applied to private client teams handling trusts and estate administration work or family breakdown that involves transfers to a number of parties.
Professional indemnity insurance is intended to cover the insured for any liability it has to its client for loss of funds, but again coverage will still very much depend on the policy wording.
What About Phishing for Data? Not all social engineering attacks try to mislead you into making financial payments; data has become just a big a commodity as cash. An example of a data breach due to phishing could be an email coming in from a third party asking an employee to send employees’ tax returns/ payslips, or a fraudster impersonating a partner in a law firm instructing the client relationship team to send confidential client information. Where data loss occurs, even as a result of social engineering, this would typically be covered under the cyber policy sections concerned with liability for loss of data and breach response services. Other social engineering losses that potentially could trigger a cyber policy include emails containing an attachment or link to a compromised website.
Clicking on either results in malware downloaded to a company's systems. Losses resulting from the compromising of the firm’s system following the introduction of malware is the type of loss intended to be covered by cyber insurance. While we’ve discussed in great depth the overlap of policies when it comes to social engineering and phishing, there are other scenarios which are just as complicated. If you are looking to purchase cyber insurance, we’d recommend you always consult with your insurance broker before taking out any cover, or if purchasing directly ensure you read the policy wording very carefully. For more information on the issues covered by this article visit our Cyber insurance hub.
This article has been compiled using information available up to 14/09/22. Whilst care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in this document.