Risk & Business Magazine Spectrum Insurance Magazine - Spring 2019 | Page 27

SOCIAL ENGINEERING

Cybercrime Survey detected security events in the preceding 12 months, and more than one third (36 percent) reported that the number of security incidents had increased over the previous year. The average number of incidents is also significant, with increasing monetary loss.

While cyber criminals employ several measures to breach information security defenses and seize sensitive business information, technical security measures implemented in response to increased regulation (as a result of Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act) make direct pure technological attacks more difficult and costly. As a result, cyber criminals have shifted their focus away from such pure technological attacks and instead have increasingly attacked employees through the use of “social engineering”—a collection of techniques used to manipulate people into performing actions or divulging confidential information.

Social engineering is not a new concept. A social engineer is nothing more than a con artist who uses technology to swindle people and manipulate them into disclosing passwords or bank information or granting access to their computer.

ACCORDING TO THE FBI, FROM OCTOBER 2013 TO MAY 2018 THERE WERE MORE THAN 41,000 VICTIMS OF BUSINESS EMAIL COMPROMISE SCAMS—A FORM OF SOCIAL ENGINEERING ATTACKS—REPORTED FROM ALL 50 STATES, TOTALING $2.9 BILLION IN MONETARY LOSSES.

TRADITIONAL INSURANCE MAY NOT COVER SOCIAL ENGINEERING

Many businesses mistakenly believe that traditional commercial crime policies cover all cyber-related losses. Although traditional commercial crime policies contain a computer fraud and a funds transfer fraud insuring agreement, courts interpreting such policies have generally distinguished between incidents

• where a thief hacks the insured’s computer systems and—without any action by the insured—uses this access to steal the insured’s property (either directly by transferring funds using the insured’s computer system or by convincing the insured’s bank to transfer the insured’s funds), and

• where the insured voluntarily transfers funds.

Depending upon the precise terms and conditions of the coverage provided, courts have generally held that the latter claims—many of which arise from social engineering—are not covered.

FILLING IN THE INSURANCE GAPS

Subject to specific terms of coverage within the policy, social engineering coverage expands coverage traditionally afforded under commercial crime policies to address schemes arising from the impersonation of vendors, executives, and clients. Combined with strong internal controls, such coverage enables companies to better protect themselves against the growing risk of a catastrophic loss from social engineers.

Such coverage can be endorsed onto either a commercial crime policy or a cyber insurance policy. Because commercial crime policies are oriented toward covering first-party losses, an insured may prefer to endorse social engineering coverage to that policy while preserving the liability coverage afforded under a cyber policy in the event of a breach which results in substantial liability exposure.

Computer crime insuring agreements and funds transfer fraud insuring agreements incorporated into standard commercial crime policies are designed to cover certain types of hacking incidents, not losses resulting from the insured’s conscious decision to proceed with a business transaction (even if induced by a fictitious or fraudulent computer submission). An insured seeking to cover the risk of loss from social engineering should consider insurance policies tailored to address such risks.

The number of global incidents is growing at an alarming rate, with an increase of 136 percent from December 2016 to May 2018 in 150 countries.