Organizations of all sizes, across all regions, and in all business sectors face an evolving risk from cyber criminals.1 As businesses have become increasingly dependent upon technology, criminals have shifted from theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime -- from direct theft of data (leading to the potential loss of financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). Cybercrime can threaten processes from point-of-sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.
Recent studies illustrate the wide-ranging threat of electronic crime. In 2017, more than three of four (78%) respondents to the U.S. State of Cybercrime Survey detected security events in the preceding twelve months, and more than one third (36%) reported that the number of security incidents had increased over the previous year. The average number of incidents is also significant, with increasing monetary loss.
While cyber criminals employ several measures to breach information security defenses and seize sensitive business information, technical security measures implemented in response to increased regulation (as a result of Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act) make direct pure technological attacks more difficult and costly.
As a result, cyber criminals have shifted their focus away from such pure technological attacks and instead have increasingly attacked employees through the use of “social engineering” – a collection of techniques used to manipulate people into performing actions or divulging confidential information. Social engineering is not a new concept. A social engineer is nothing more than a con man who uses technology to swindle people and manipulate them into disclosing passwords or bank information or granting access to their computer.
According to the FBI, from October 2013 to May 2018 there were more than 41,000 victims of Business Email Compromise scams – a form of social engineering attacks – reported from all 50 states in the United States, totaling $2.9 billion in monetary losses. The number of global incidents is growing at an alarming rate, with an increase of 136% from December 2016 to May 2018 in 150 countries.2
Traditional Insurance May Not Cover Social Engineering
Many businesses mistakenly believe that traditional commercial crime policies cover all cyber-related losses. Although traditional commercial crime policies contain a computer fraud and funds transfer fraud insuring agreement, courts interpreting such policies have generally distinguished between incidents (1) where a thief hacks the insured’s computer systems and, without any action by the insured, uses the computer to steal the insured’s property (either directly by transferring funds using the insured’s computer system or by convincing the insured’s bank to transfer the insured’s funds) and incidents (2) where the insured voluntarily transfers funds.
Depending upon the precise terms and conditions of the coverage provided, courts have generally held that the latter claims – many of which arise from social engineering – are not covered.
Funds Transfer Fraud Insuring Agreement
Courts have reached the same result when analyzing such claims under the funds transfer fraud insuring agreement. Subject to the specific terms of the policy, such insuring agreements typically cover fraudulent instructions issued to a financial institution directing such institution to transfer, pay, or deliver money from an account maintained by an insured without the insured’s knowledge and consent. Just as the computer crime insuring agreement is designed to cover a hacking incident, the funds transfer fraud insuring agreement is designed to cover the limited instances where an imposter induces a financial institution to allow funds to be withdrawn from the insured’s account by posing as the insured and submitting fraudulent instructions. The insuring agreement therefore will not respond where an employee authorizes a withdrawal.16 Coverage exists only if the insured demonstrates that the thief issued instructions that purport to have been authorized and the insured can otherwise satisfy the remaining conditions of coverage.17
As the cases referenced explain, the computer crime insuring agreement and funds transfer fraud insuring agreement incorporated into standard commercial crime policies are designed to cover certain types of hacking incidents, not loss resulting from the insured’s conscious decision to proceed with a business transaction (even if induced by a fictitious or fraudulent computer submission). An insured seeking to cover the risk of loss from social engineering should consider insurance policies tailored to address such risks.