I have talked about this potentially extremely expensive and very disappointing "CEO fraud" or "Business Email Compromise" problem many times before.
Your cybercrime policy may not include damage caused by sophisticated scams that "hack your humans" using social engineering tactics.
This is true worldwide. Last week another example came up in Canada, where Canadian Underwriter ran an article about a legal case, asking insurance brokers to make sure that their customers are covered for social engineering fraud.
Editor Greg Meckback noted: "Brokers should not assume that a client who has bought a cyber or crime policy is covered for the risk of innocent employees who are duped into making fraudulent money transfers.
Endorsements are available for covering social engineering fraud, but brokers will need to inquire about them, lawyers warn. Some social engineering schemes may not be covered as part of a standard crime policy for ‘Funds Transfer Fraud.’
For example, an Alberta court case recently confirmed that coverage for social engineering under a crime policy for ‘Funds Transfer Fraud’ applies only when the fraudster implements the transfer without the knowledge or authorization of the insured company’s employees, wrote Ryan Burgoyne, a Fredericton-based insurance litigation lawyer with Cox & Palmer, in a paper, A New Realm: Cyberspace, Cyber Liability and Cyber Liability Insurance, announced Nov. 17.
"Coverage does not apply when employees are duped"
Coverage does not apply when the insured company’s employees knowingly make the fraudulent transfer without being aware that they have been duped into doing so. This is the fact situation laid out in the Alberta Court of Queen’s Bench’s ruling in Brick Warehouse LP v Chubb Insurance Company of Canada.
In August 2010, two Brick employees were contacted by people claiming to be from a supplier, Toshiba. One Brick employee indicated that Toshiba was changing its bank account to the Royal Bank of Canada. The bank account did not actually belong to Toshiba, but rather a victim of fraud, who was duped into transferring money to someone else.
The Brick changed Toshiba’s banking information. As a result, more than $300,000 was paid into the RBC account before The Brick discovered the fraud and reported it to police. The Brick was able to recover about $114,000 and filed a claim of about $224,000 with Chubb.
Chubb denied coverage for the claim
In the policy Chubb wrote for The Brick, Chubb defined funds transfer fraud as “the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.”
Anne Juntunen, an associate with Lerners LLP, which represented Chubb, said the insurer’s wording for the crime policy written for The Brick is “fairly close to the standard wording” in commercial crime policies.
Alberta’s Court of Queen’s Bench upheld Chubb’s denial of coverage
The court found the transfer was done with the insured’s knowledge and consent because a Brick employee did give instructions to the bank to transfer funds out of the company’s account.
“What we are learning from what the courts are telling us is that the traditional wordings that have been out there for decades aren’t really designed to cover a social engineering scenario, which is a relatively new pattern that’s been coming up recently,” Anne told Canadian Underwriter Monday. “You might have coverage – maybe – for social engineering if you buy a standard standalone cyber policy.”
CEO Fraud Prevention Manual Download
CEO fraud has ruined the careers of many executives and loyal employees. Don’t be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.