August 31, 2018 Did You Know?

Securing Insurance for Social Engineering Exploits

By Roberta Anderson

Social engineering exploits are maddeningly simple and often successful. The goal is typically to trick people into divulging sensitive information, transferring funds, downloading malicious code, or otherwise unwittingly circumventing security.

Social engineering is the current reality of risk—its pervasive seriousness punctuated by the fact that a phishing email precipitated Target’s massive data breach. Such exploits have exploded over the past few years and have cost U.S. companies billions. Yet many organizations remain uninsured, or underinsured, for this dangerous risk. Many organizations incorrectly assume that they are covered under their “cyber” insurance, or commercial crime insurance, the latter of which typically includes insuring agreements dedicated to protecting against “computer crime” and “funds transfer fraud.” But, absent a specific social engineering endorsement, many such exploits, including those involving transfers of funds, do not trigger the typical cyber insurance insuring agreements, and losses from such escapades also may be expressly excluded from coverage under cyber policies. For example, one popular off-the-shelf form excludes loss relating to claims for “the transfer or loss of money or securities from or to an Insured’s accounts or accounts under an Insured’s control, including customer accounts . . .”.

Resistance from Commercial Crime Insurers

Likewise, as to commercial crime insurance, insurers point to the “direct loss” and “directly resulting” verbiage present in many commercial crime insuring agreements and typically argue that social engineering exploits do not trigger coverage. They contend, among other reasons, that social engineering does not present a sufficiently “direct” loss because the victim acts of his or her unwitting volition—in contrast to a purposeful “hack” into the computer system. A typical insuring agreement may state, for example, that the insurer will pay for “loss of . . .money . . . resulting directly from the use of any computer to fraudulently cause a transfer . . .”.

Exclusions in crime policies also can be problematic, as illustrated by the recent decision in Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America, No. 2:14-cv-01368 (9th Cir. Apr. 17, 2018), an unpublished decision in which the Ninth Circuit affirmed summary judgment for the insurer, holding that a commercial crime policy exclusion (for “loss or damages resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System”) barred coverage for a social engineering scheme in which the insured’s employees were tricked into authorizing several international electronic fund transfers to an overseas fraudster.

Email Phishing Schemes

Three other cases currently pending before the Second, Sixth, and Eleventh Circuits, each to address whether email “phishing” schemes trigger coverage under commercial crime coverage, will further develop the legal landscape on these issues. The cases are Medidata Solutions, Inc. v. Federal Insurance Co., No. 17-2492, 2018 WL 3339245 (2d Cir., July 6, 2018) (involving potential coverage for loss resulting from an email spoofing scam under a commercial crime policy that covers “direct loss of money, securities or property”); American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018) (involving potential coverage for a phishing loss also resulting from fraudulent spoofed emails under a commercial crime policy that covers the “direct loss” of funds “directly caused by computer fraud”); and Principle Solutions Group LLC v. Ironshore Indemnity Inc., No. 17-11703 (11th Cir. 2018) (involving potential coverage for loss resulting from a fraudulent email under a commercial crime policy that covers “computer and funds transfer fraud” losses).

In the meantime, the time to consider insurance is proactively, before a loss. Social engineering exploits present relatively new exposures that do not tend to fit neatly into traditional forms of coverage.

Tips to Secure Coverage

Here are three tips for securing coverage for social engineering exploits:

  1. Identify the insurance policies the organization already has in place that may respond to social engineering exploits, which may include commercial crime, cyber, fidelity, and errors and omissions coverages, among others.
  2. Consider purchasing additional, specialized social engineering coverage, which is frequently offered by endorsement to the above-mentioned coverages, but be careful to consider the scope of coverage, policy conditions, and exclusions, to ensure that the coverage reasonably meets the reality of risk, and does not present unreasonable hurdles to securing coverage.
  3. Pay attention to sublimits, which are often applicable to social engineering coverage, to ensure that they are commercially reasonable.

Insurance is a valuable asset. Before an incident, companies are advised to carefully evaluate and address their risk profile, potential exposure, risk tolerance, the sufficiency of their existing insurance coverage, and the role of specialized coverage. Following an incident, companies are advised to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.

The material in all ABA publications is copyrighted and may be reprinted by permission only.

Roberta Anderson practiced for 20 years with K&L Gates LLP before forming RAS Enterprise Risk Management Services LLC, of which she is owner and principal, in the Pittsburgh, Pennsylvania, area. In addition to helping clients successfully pursue contested insurance claims and recover insurance assets, she counsels clients proactively on complex underwriting and risk management issues. She may be reached at [email protected].