
Rising Social Engineering Crimes Changing Cyber Coverage

Internet-based crime shows no sign of letting up. According to the FBI’s Internet Crime Complaint Center, 2019 saw both the highest number of cybercrime complaints and the biggest monetary losses reported since the center’s establishment in 2000. The FBI received an average of almost 1,300 complaints each day and documented more than $3.5 billion in losses for individual and business victims.


The greatest number of complaints focused on social engineering scams.3 Social engineering is a ruse that persuades people to let down their guard and inadvertently reveal or permit access to valuable information. Criminals have utilized social engineering tactics for centuries, but modern technology is enabling scammers to expand the victim pool. In our increasingly connected world, many cyber insurers are reporting a significant rise in social engineering claims — particularly from the real estate sector and financial service providers.

During the last several years, cybercrime has become a key exposure for small and medium-size businesses. NetDiligence’s Cyber Claims Study revealed that since 2014, approximately 96% of cyber claims reviewed have come from organizations with $2 billion or less in revenue.2 The report also found that social engineering, ransomware, hacking, and malware/viruses were the leading causes of loss in 2019. Another of the most visible trends in the data was the rising percentage of claims caused by criminal activity, which has increased from 72% in 2014 to 86% in 2017 and 2018.2 Only 14% of claims had non-criminal causes, such as employee error or system glitches.

Since January 2015, Business Email Compromise (BEC) cases have generated business losses in excess of $3 billion.

COMMON SOCIAL ENGINEERING SCAMS

When it comes to cybercrime, the most common social engineering scams employed by criminals include:

  • PHISHING: A ubiquitous method of scamming victims through impersonal but official-looking email. Recipients are invited to click a link or open an attachment that allows a cybercriminal to gain account information or launch malicious software. Phishing can open the door to a variety of cybercrimes, including ransomware attacks.
  • SPEAR-PHISHING: A more personalized form of phishing that uses specific information to defraud a targeted individual. A spear-phishing attack might include partial account numbers or the names of business associates to suggest that the sender is trustworthy.
  • BAITING: Similar to phishing attacks, this scam promises an item that malicious actors use to trick victims into providing login credentials.5
  • TAILGATING: Also known as “piggybacking.” In these attacks, an individual without authorization follows an employee into a restricted area. For example, attackers may impersonate a delivery driver; when an employee opens the door, the attacker asks the employee to hold it and gains access to the building. This doesn’t generally work in large corporate settings that require the use of a keycard; however, at small or mid-size businesses, attackers can start conversations with employees and use that familiarity to navigate past the front desk.5
  • BUSINESS EMAIL COMPROMISE: A costly and growing problem. The FBI’s Internet Crime Complaint Center reviewed 23,775 cases of Business Email Compromise (BEC) in 2019, resulting in losses of more than $1.7 billion.1 BEC scams are particularly known for targeting individuals responsible for handling wire transfers. For example, an employee may receive an email from an executive’s hacked email account, or an email that appears to be from that account, requesting wired funds for a business transaction. Other variations of BEC may involve personal email accounts, texts, or phone calls that appear to come from a person authorized to make such requests.
  • VENDOR/SUPPLIER IMPERSONATION: Another variation of BEC, this form of crime tricks the victim into diverting funds normally paid to an actual vendor or supplier to a fraudulent account. This tactic often succeeds when the victim fails to verify the account change by contacting the vendor using existing records. All too often, victims instead call a number provided by the cybercriminal, which also turns out to be fraudulent.

CYBER COVERAGE CONSIDERATIONS

Coverage for social engineering losses originally debuted in cyber insurance policies around 2012. Sometimes known as fraudulent instruction or cyber deception, this coverage was readily added by cyber insurers on a sub-limited basis. Typically, it was conditioned on call-back procedures within insureds’ accounting departments, but competition in the marketplace has since softened this requirement. However, the increase in social engineering claims means that retail agents and insureds can expect marketplace changes. Some insurers have reduced cybercrime limits, raised premiums, required policyholders to employ clear risk mitigation plans, or withdrawn from the cyber marketplace completely.

Over the past few years, the industry has seen an increase in insurance coverage disputes involving General Liability and Commercial Crime policies regarding coverage for cyberattacks.4 When an insured claims coverage for a cyberattack under a traditional business insurance policy, the carrier may argue that the coverage was never intended, resulting in a dispute or litigation. Insurance companies have taken notice of such litigation, which has amplified the need for Stand-Alone Cyber Insurance policies that give businesses clear cyber coverage. The decision to obtain Stand-Alone Cyber Insurance helps businesses avoid claim disputes and saves valuable time and money when a cyber incident occurs.4

When it comes to cybercrime, a stand-alone crime policy is another possible coverage option. Unlike most cyber policies, which impose an aggregate annual limit, standard crime policies are historically written on an each-and-every-claim basis and usually have no aggregate limit. With the increasing frequency of social engineering claims, an each-and-every-claim approach has significant benefits for any insured worried about multiple claims within a policy period. In addition, crime underwriters may be better equipped to evaluate crime exposures and recommend reasonable risk management steps. Finally, crime underwriters may be more flexible in providing higher social engineering limits, especially for insureds that successfully implement risk management requirements. While some cyber insurers exclude funds held in escrow, crime insurers generally include coverage for third-party funds held by an insured.

Social engineering and ransomware have become the dominant causes of cyber loss for small and medium-sized businesses since 2017.

BOTTOM LINE

As criminals get more sophisticated, it gets harder and harder for victims to identify red flags.3 Depending on the risk, it may be advantageous for retail agents to explore different coverage structures for cybercrime, such as using cyber coverage on an excess basis with underlying losses paid under a commercial crime policy. If such an approach is taken, some cyber carriers will amend the form to recognize deductible erosion by any payment made by the commercial crime carrier that is also covered under the cyber policy.

Ultimately, the marketplace dictates the availability and structure of cybercrime coverage, whether that be existing cyber policies or the creation of hybrid forms that cover traditional commercial crime and cybercrime exposures, along with first-party and third-party cyber risks. Agents and insureds should strive to fully understand cyber exposures and partner with experienced wholesale specialists to determine the most appropriate coverage option for each client.

Agents can contact their CRC Group Producer for more information about how we can help protect businesses in today’s connected, digital world.

Contributor

  • Mark A. Smith is a CRC Senior Vice President and Professional Liability Broker, based in Seattle and a member of the ExecPro Practice Advisory Committee.

ENDNOTES

  1. Federal Bureau of Investigation’s Internet Crime Complaint Center, https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf
  2. NetDiligence Cyber Claims Study: 2019 Report, NetDiligence, 2020. https://netdiligence.com/wp-content/uploads/2020/05/2019_NetD_Claims_Study_Report_1.2.pdf
  3. 2019 Internet Crime Report Released: Data Reflects an Evolving Threat and the Importance of Reporting, FBI, February 11, 2020. https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120
  4. Silent Cyber: The Case for Stand-Alone Cyber Insurance, Jacksonville Business Journal, May 20, 2020. https://www.bizjournals.com/jacksonville/news/2020/05/20/silent-cyber-the-case-for-stand-alone-cyber-insur.html
  5. 5 Social Engineering Attacks to Watch Out For, Tripwire, November 5, 2019. https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/