Crime Insurance vs. Social Engineering Claim - Is There Coverage?
I’m often asked by clients why their crime policy may not respond to a social engineering attack, specifically under the computer fraud and funds transfer fraud coverages. First, it’s important to understand what social engineering fraud (SEF) is. SEF occurs when employees, acting in good faith, comply with instructions sent via email to make a wire transfer or another type of transfer to a fraudulent third party, where the email has been crafted to replicate legitimate correspondence (for example, from a vendor, customer or executive).
There are a couple of reasons why a crime policy may not provide coverage for this type of fraud, which I’ve outlined below. However, wording can vary from carrier to carrier. The wording below is typical, but not the only wording used, so it’s very important to review your individual crime policy to understand what’s included and excluded.
1. Voluntary Parting Exclusion: The so-called voluntary parting exclusion is a key exclusion carriers may use in declining coverage. Typical wording for the exclusion is, “no coverage for loss arising out of anyone on the Insured’s express or implied authority being induced by any dishonest act to voluntarily part with title to or possession of any property.” The key words here are “being induced” and “voluntarily part,” which together describe exactly what happens in SEF: an authorized employee is deceived into willingly sending the funds.
2. Computer Fraud: This generally covers an organization for direct loss of money, securities or other property sustained by the insured resulting from computer fraud committed by a third party.
- Computer fraud is generally defined in crime policies as the unlawful taking of money resulting from a computer violation.
- Computer violation is generally defined as an unauthorized entry into or deletion of data from a computer system committed by a third party.
The key coverage denial issue with computer fraud is that carriers often argue the coverage hasn’t been triggered: the fraudulent payment instructions came via email, and receiving an email is by its nature an authorized entry into the system, whereas the definition requires an unauthorized entry to trigger coverage.
3. Funds Transfer Fraud: This generally covers organizations for direct loss of money sustained by the insured resulting from funds transfer fraud committed by a third party.
- Funds transfer fraud is generally defined as fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions, other than forgery, purportedly issued to a financial institution, directing them to transfer, pay or deliver money from any account maintained by the organization, without such organization’s knowledge or consent.
The key coverage denial issue with funds transfer fraud is that coverage requires the transfer to occur without the organization’s knowledge or consent. In SEF the organization did have knowledge of the transfer and did consent to it, even if that consent rested on a mistaken belief about who was receiving the funds.
The potential coverage denials aren’t written in stone. There are pending court cases challenging the insurers’ coverage denials. Medidata Solutions Inc. v. Federal Insurance Co., Ameriforge Group, Inc. v. Federal Insurance Co. and BitPay, Inc. v. Massachusetts Bay Insurance Co. all challenge the insurer’s denial on various elements of the crime policy as it relates to SEF. It’s too early to tell whether the insurers’ position, that computer crime and fraud policies should be strictly interpreted to apply only to traditional hacking, will be upheld, or whether the courts will interpret these policies broadly to include newer types of hacking and phishing attacks. Regardless, companies can improve their coverage by simply adding a social engineering fraud endorsement (or an equivalent) to their crime policy.
To learn more about the policies that may help protect your organization, contact a member of the ‘A’ Team.