Recently, in one of the first social engineering fraud cases to be heard in a Canadian Court, the court ruled that social engineering attacks were not covered under the terms of a plaintiff’s cyber insurance policy.
Following a successful social engineering attack, including the use of targeted telephone, fax, and email communications, an individual scammed a company’s accounts department into transferring approximately $338,000 into fraudulent bank accounts. The victim company was only able to recover $113,000 once the fraud had been detected a few months later.
Fortunately, the company had the risk awareness and maturity to have previously taken out a cyber insurance policy to ensure such risks could be transferred, if ever needed. Unfortunately for them, after submitting a claim to their insurance company, the coverage was refused, with the insurer reasoning that all instructions from the company to its bank were via authorised employees and, therefore, the “instructions” themselves were not fraudulent. Because the fund transfers were done with the company’s “consent,” the court ruled in favour of the insurance company.
Whilst this is certainly not the first case of an insurance policy holder receiving a good old rogering from their insurance company when the time comes to call in their coverage, it does raise the question: “What’s the point of cyber insurance?” with regard to protecting against one of the biggest cyber threats to businesses today – social engineering.
Despite the best technology, processes, user training and will in the world, the unfortunate reality is that a successful cyber incident against your company is an inevitability that risk managers need to accept and mitigate against.
Why businesses need Cyber Insurance
Cyber insurance is a fundamental mitigation measure for minimising the impact of this growing business risk, but few businesses even know where to start when shopping for coverage or trying to understand the policy fine print and limitations.
GoldPhish: The vast majority of cyber incidents that businesses today are protecting against start with social engineering attacks, which may include phishing, spearphishing, vishing, smishing and business email compromise. How are insurers distinguishing between cyber social engineering and regular business fraud?
SG: We have to be careful when adopting the term “social engineering attacks”. It is a very broad term, and triggers for cyber policies should be more defined so that a risk manager understands what exactly will trigger them. Most forms of hacking comprise some type of social engineering, which refers to the methods attackers use to deceive victims into performing an action. Database attacks aside, the distribution of malware or phishing for information such as login credentials will normally require the manipulation of a human to hand over that information or click on that enticing attachment.
Cyber policies will cover phishing, spearphishing, vishing, smishing and business email compromise where the resultant damage is to data or the threat of damage to data.
Cyber social engineering through Business Email Compromise (BEC) that ultimately leads to transactional fraud/theft of money is still fraud through cyber enabled means and would normally be covered under a crime policy. Cyber insurance, whilst mostly offering protection against data theft, can cover theft of money, including theft of money perpetrated through social engineering where requested. If a client asks for this coverage (because it is of major concern) then it would be down to the broker to seek it and ensure they have the suitable amount of cover.
There are two main reasons victims fall to this type of fraud: lack of awareness training or poor practices. We expect to see the potential victim company carry out a call back procedure to the telephone number held on file for the entity requesting the money to ensure the legitimacy of some requests. This means that there is a separation of duties and, in theory, should mitigate against any final illegitimate transaction being made.
GoldPhish: You mention “cyber enabled means.” How are insurers defining this term nowadays where most communications are being conducted through IP systems (including telephone & fax)?
SG: If it has an IP address, it is connected technology (to the internet) and will always carry an element of risk. The term “cyber” is often seen as an awkward term, but it is here to stay. As insurers, we understand that information has a value – mostly personally identifiable information – and we are insuring against the costs associated with the breach of that information. If the vehicle of choice for criminals to steal that information is now through IP addresses, and this information is stored in large databases, then when it is accessed or stolen it can be very costly financially and reputationally. This can be triggered by a “computer attack” and can include malicious insiders.
Additionally, we have business interruption triggered by the same thing from ransomware attacks, DDoS or “operational error”. The key is to read the defined terms embedded in each insuring agreement. If you still don’t understand them, get the broker to spell it out. If it’s not clear then find a broker who can!
Most companies are buying cyber insurance for reasons such as first- and third-party costs associated with data breaches, including Personally Identifiable Information (PII), Personal Healthcare Information (PHI) and financial information. A breached database containing 100 million personal records could mean legal and regulatory notification costs, forensic expenses and PR costs. A good cyber insurance policy will have these costs covered at far better rates than sourcing them independently. Consider cyber insurance as a great crisis response tool!
GoldPhish: Are insurers offering coverage against these types of attacks as default in cyber policies or do customers need to specifically request that the coverage be included?
SG: Insurers are offering protection against cyber-attacks and technology errors. If a social engineering attack leads to the introduction of malware or handing over credentials that is then used to launch a further attack to steal data, damage data and extort money triggering breach costs, then yes, that is covered.
Not all cyber insurance policies are the same and coverage can be varied. The below is what you can expect from a good cyber insurance policy:
Crisis management costs – This includes costs to notify persons whose data has been impacted as well as call-centre costs in handling calls from those individuals, and costs to provide credit monitoring services to protect against identity theft. A good policy will also provide costs to appoint a PR consultant and any digital forensic expenses to investigate the cause and extent of the breach.
Costs to repair, replace or recreate damaged data from some form of computer (hacking) attack – This should include DDoS, any form of criminally used malware or unauthorised access (including authorised persons for unauthorised means). This should also include operational error, accidental or electricity failures. Expect exclusions based on geography. For example, the operating environment of a nation that is prone to power outages may have an exclusion shaped to this.
Business interruption caused by a cyberattack or operational error – This covers loss of profit and extra expense due to network interruption. A good cyber policy will cover your loss of profit and extra expenses caused by an interruption event on the insured’s network as well as a network interruption event at an outsource service provider’s network.
Losses and/or expenses incurred from ransom demands – This has been particularly prevalent due to the rise of ransomware attacks. The policy will pay for the costs to remove the threat and, where applicable, can cover ransom payments.
Costs and extra expense incurred during the restoration period arising from losing customers as a direct result of reputational damage.
E-Theft – This includes costs associated with the theft of any money, credit, securities or other property of value through fraudulent transactions.
Privacy and confidentiality liability – This includes defence and judgements or settlements arising from data breaches or failures to protect confidential information. The policy should cover amounts payable in connection with administrative or regulatory investigations and including regulatory fines or penalties unless legally prohibited. Network security liability should be covered, which includes the inability to access the network because of DDoS or malware such as ransomware or a destructive malware.
Multimedia liability – This covers third-party liability arising from copyright infringement.
GoldPhish: Can companies insure against the complete negligence of their staff in falling victim to these types of scams, or is there still an element of accountability on the company to ensure that adequate technology, processes and user training are in place?
SG: As with any insurance policy, the insured is expected to be truthful and the insurer is obliged to ask relevant questions related to the risk. Cyber insurers should not be taking on clients that do not adequately educate staff and carry out the relevant controls and processes commensurate to the risk.
There are specific controls we expect with this type of social engineering attack. It is a very specific attack and easy to defend against. If you implement the call-back process and user education you will greatly reduce your exposure to these types of attacks.
If social engineering is used for phishing, which leads to a data theft or business interruption, etc., you can expect to be covered because it will fall within the defined term of a computer attack. If it is for the accidental transferring of funds (e-theft), you can be covered but subject to limitations. Read your policy and if this is of concern, make sure you inform your broker to ensure you have the right amount of coverage.
You can’t stop all types of cyberattacks but social engineering that leads to fraudulently handing over money without penetrating a network is the most basic of attacks and is easily defended against.
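The two controls named in this interview, the call-back to the telephone number held on file (never the number supplied in the request) and separation of duties between the person who raises a payment and the person who approves it, can be encoded as a release check in an accounts-payable workflow. The following is an added example, not code from GoldPhish or AXIS; the vendor master records, the payment requests and the call-back threshold are constructed sample data, and the field names are assumptions about such a system.

```python
"""Payment-release check implementing the call-back and separation-of-duties
controls described in the interview. Added illustration with constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data captured at onboarding, independently of any request."""
    name: str
    account_on_file: str
    phone_on_file: str  # the number finance must dial for a call-back


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    destination_account: str
    # Number the requester supplied; in a BEC scam this is attacker-controlled,
    # so it must never be the number used for the call-back.
    callback_number_in_request: str
    requested_by: str
    approved_by: Optional[str] = None
    # Number the finance team actually dialled to confirm the request, if any.
    callback_confirmed_via: Optional[str] = None


# Constructed sample vendor master (assumed file/database contents).
VENDORS: Dict[str, VendorRecord] = {
    "Acme Supplies": VendorRecord("Acme Supplies", "GB00-ACME-0001", "+44 20 7000 0001"),
}

# Assumed policy: any payment at or above this amount needs a call-back,
# as does any payment to an account that differs from the one on file.
CALLBACK_THRESHOLD = 10_000.0


def release_decision(req: PaymentRequest,
                     vendors: Dict[str, VendorRecord],
                     threshold: float = CALLBACK_THRESHOLD) -> Tuple[bool, List[str]]:
    """Return (release_allowed, reasons_for_refusal)."""
    reasons: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        reasons.append("vendor not in master file")

    # Separation of duties: a second person must approve, and it cannot be
    # the person who raised the request.
    if not req.approved_by:
        reasons.append("no second approver")
    elif req.approved_by == req.requested_by:
        reasons.append("requester approved own payment")

    if vendor is not None:
        changed_details = req.destination_account != vendor.account_on_file
        needs_callback = changed_details or req.amount >= threshold
        if needs_callback:
            if req.callback_confirmed_via is None:
                reasons.append("call-back required but not performed")
            elif req.callback_confirmed_via != vendor.phone_on_file:
                # The classic BEC failure: staff dialled the number in the email.
                reasons.append("call-back made to a number not on file")
    return (not reasons, reasons)


# Constructed sample requests.
LEGITIMATE = PaymentRequest("Acme Supplies", 2_500.0, "GB00-ACME-0001",
                            "+44 20 7000 0001", requested_by="alice", approved_by="bob")
BEC_STYLE = PaymentRequest("Acme Supplies", 48_000.0, "GB00-MULE-9999",
                           "+44 20 7999 9999", requested_by="alice", approved_by="bob",
                           callback_confirmed_via="+44 20 7999 9999")
SELF_APPROVED = PaymentRequest("Acme Supplies", 500.0, "GB00-ACME-0001",
                               "+44 20 7000 0001", requested_by="alice", approved_by="alice")

if __name__ == "__main__":
    for label, request in [("legitimate", LEGITIMATE), ("bec_style", BEC_STYLE),
                           ("self_approved", SELF_APPROVED)]:
        allowed, why = release_decision(request, VENDORS)
        print(f"{label}: {'RELEASE' if allowed else 'HOLD'} {why}")
```

The decision function treats a changed destination account as a mandatory call-back trigger regardless of amount, because a change of bank details is the usual payload of this kind of fraud; a request that passes the call-back to the number on file is still released, so legitimate changes of supplier details are not blocked, only unverified ones.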
AXIS is a global insurer and reinsurer, providing clients and distribution partners with a broad range of specialised risk transfer products and services, backed by exceptional financial strength and solid claims-paying ability. Their highly experienced underwriting, claims, modeling and actuarial teams in Bermuda, the United States, Europe, Singapore, the Middle East, Canada and Latin America have a breadth and depth of knowledge that distinguishes AXIS as a provider of choice.
AXIS’ ethical, entrepreneurial and disciplined culture promotes outstanding client service and intelligent risk taking.