A number of recent court judgements in the US have highlighted potential limitations in computer crime insurance for social engineering and business email fraud.
Social engineering has proved to be a huge boon to criminals. Fraudulent but authentic-looking spoof emails, coupled with some simple background research, allow thieves to impersonate legitimate third parties (such as suppliers) or senior executives and trick companies into transferring money to the criminals’ accounts.
When cyber criminals hack into a company’s IT system and steal funds, it is right to expect computer crime insurance to pay out. But in many cases of social engineering and business email fraud, insurers have been denying coverage, claiming that computer crime policies are limited to traditional hacking. In many cases, the courts seem to agree.
In American Tooling Center v Travelers Casualty and Surety Company of America a US District Court ruled in favour of the insurer, which had refused a social engineering claim under a crime policy.
ATC, a US-based engineering company, fell victim to a ‘vendor impersonation fraud’ in 2015. Responding to a faked email purporting to be from a vendor, ATC’s Vice-President and Treasurer was duped into transferring USD 800,000 to cyber criminals.
The case centred on whether a vendor impersonation fraud loss fell within the computer fraud coverage of the insured’s crime policy. The judge ruled that there was no coverage for the social engineering fraud loss under the crime policy’s computer fraud insuring agreement.
The decision is just the latest in a line of cases in which the court has found no coverage for social engineering fraud losses under traditional commercial crime coverages.
In the case of ATC, for example, the insurer took the view that the insured had not suffered a loss caused by the use of a computer. The court agreed, noting that ATC had not been hacked and that the fraudulent emails did not constitute the “use of any computer to fraudulently cause a transfer.”
However, not all social engineering fraud cases are as clear cut. In another recent court decision, Medidata Solutions v Federal Insurance Company, the court ruled in favour of the insured, which sought to claim for a business email fraud under its computer fraud cover (within an executive protection policy).
Employees at Medidata were tricked by spoof emails impersonating the company’s President into transferring USD 4.7 million to criminals. The insurer denied the claim on the basis that the policy extends only to hackers who cause an involuntary transfer of money.
However, the criminals did use computer code embedded in the message to trick the company’s email system into presenting the fraudulent mail as genuine. As a result, the court ruled that Medidata’s losses were directly caused by a computer violation.
Clarity of Cover
In light of these and other cases, it is advisable to work with a specialist broker to review crime and cyber insurance wordings and identify possible gaps in cover.
The cyber insurance market would not typically cover a social engineering claim that involves no hacking, but some standalone cyber insurance can be extended to include crime. The industry has also developed social engineering fraud-specific coverage, which provides cover for these types of losses that fall outside the coverage provided under traditional crime policy wordings.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org