Take the following cybercrime scenario and see if you think it should be insured:
A phishing attack is made where the cybercriminal uses social engineering techniques to convince an internal employee to process a fraudulent transaction, such as transferring funds to a cybercriminal-owned bank account
From an insurer’s perspective, do you think this counts as a cyber attack? Fraud?
The challenge here is that the entire fraudulent action was done (and consented to) by a trusted employee; the cybercriminal didn’t actually perform the malicious act.
So, for organizations with traditional cyber insurance products in place, the assumption is that losses from all types of attacks – including social engineering – will be covered by their crime/fidelity policy. But in cases like the one mentioned above, no “direct” fraud is deemed to have taken place by the insurance company (the employee did it, not the scammer).
In many cases even crime/fidelity policies contain exclusions including social engineering that cause claims to be denied. To ensure proper coverage, organizations should look at purchasing an endorsement to their crime/fidelity policy that provides coverage specifically for social engineering claims.
Additionally, to avoid these kinds of claims (whether paid or denied), organizations need to leverage Security Awareness Training. According to Steve Crystal, head of financial crime at Sedgwick, “Placing emphasis on awareness by an organization’s leadership team is vital – education for all colleagues [focusing] on what to look out for is fundamental. It’s incumbent on each of us to work in a way that protects against risks and threats - and setting that tone from the top is key.”
Marsh’s Cyber Catalyst program helps organization’s identify cybersecurity solutions that will have a material impact they ability to manage cyber risk. Only 17 solutions were selected in 2019, with KnowBe4’s Security Awareness Training and Simulated Phishing Platform receiving the designation.
Insurers are becoming very selective on whether claims are denied or paid based on the specific circumstances. The onus is now on organizations to both strengthen their security stance with meaningful and impact and ensure they have the correct insurance endorsements to protect themselves from social engineering attacks, as well as any other type of cyber attack.