Risk & Business Magazine Spectrum Insurance Magazine - Spring 2019 | Page 27
SOCIAL ENGINEERING
Cybercrime Survey detected security events in the preceding 12 months, and more than one third (36 percent) reported that the number of security incidents had increased over the previous year. The average number of incidents is also significant, with increasing monetary loss.
While cyber criminals employ several measures to breach information security defenses and seize sensitive business information, technical security measures implemented in response to increased regulation (as a result of Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act) make purely technical attacks more difficult and costly.

As a result, cyber criminals have shifted their focus away from purely technical attacks and instead have increasingly attacked employees through the use of “social engineering”—a collection of techniques used to manipulate people into performing actions or divulging confidential information. Social engineering is not a new concept. A social engineer is nothing more than a con artist who uses technology to swindle people and manipulate them into disclosing passwords or bank information or granting access to their computers.
According to the FBI, from October 2013 to May 2018 there were more than 41,000 victims of business email compromise scams—a form of social engineering attack—reported from all 50 states, totaling $2.9 billion in monetary losses.
TRADITIONAL INSURANCE MAY NOT COVER SOCIAL ENGINEERING
Many businesses mistakenly believe that traditional commercial crime policies cover all cyber-related losses. Although traditional commercial crime policies contain a computer fraud and a funds transfer fraud insuring agreement, courts interpreting such policies have generally distinguished between incidents
• where a thief hacks the insured’s computer systems and—without any action by the insured—uses this access to steal the insured’s property (either directly by transferring funds using the insured’s computer system or by convincing the insured’s bank to transfer the insured’s funds), and
• where the insured voluntarily transfers funds.
Depending upon the precise terms and conditions of the coverage provided, courts have generally held that the latter claims—many of which arise from social engineering—are not covered.
FILLING IN THE INSURANCE GAPS
Subject to the specific terms of coverage within the policy, social engineering coverage expands the coverage traditionally afforded under commercial crime policies to address schemes arising from the impersonation of vendors, executives, and clients. Combined with strong internal controls, such coverage enables companies to better protect themselves against the growing risk of a catastrophic loss from social engineers.
Such coverage can be endorsed onto either a commercial crime policy or a cyber insurance policy. Because commercial crime policies are oriented toward covering first-party losses, an insured may prefer to endorse social engineering coverage to that policy while preserving the liability coverage afforded under a cyber policy in the event of a breach that results in substantial liability exposure.
The computer fraud and funds transfer fraud insuring agreements incorporated into standard commercial crime policies are designed to cover certain types of hacking incidents, not losses resulting from the insured’s conscious decision to proceed with a business transaction (even if that decision was induced by a fictitious or fraudulent computer submission). An insured seeking to cover the risk of loss from social engineering should consider insurance policies tailored to address such risks.
The number of global incidents is growing at an alarming rate, with an increase of 136 percent from December 2016 to May 2018 and victims reported in 150 countries.