Cyber attackers all know that the majority of organizations are currently working from home due to the ongoing COVID-19 (commonly referred to as the Coronavirus) pandemic. And, as would be expected, social engineering scams are on the rise. Nonetheless, there may be limitations in your cyber liability insurance policy for these types of claims. It is advisable to review such insurance policies in detail for coverage considerations before any cyber incident occurs. And, of course, protect your business from attacks by taking precautionary cyber safety measures.
What Is Social Engineering?
Social engineering refers to various means of manipulating individuals online so that they divulge sensitive, personal information, such as banking information, which may include account numbers and passwords. It can also take the form of a request to transfer funds to what the victim believes is another employee, a trusted financial institution or another party with whom the person has a business relationship. Unfortunately, however, those funds are ultimately received by the engineer of the cyber attack.
As an example, an attacker can send an e-mail that appears to be from a company executive or coworker related to an update on a company project, then request confirmation of company credit card information. Similarly, the e-mail can appear to be from a bank indicating that a wire transfer has been initiated and needs to be verified. And, with the flurry of e-mail requests related to online meetings being scheduled in this environment, phishing attackers are using these types of e-mails as they know most users are unlikely to carefully verify the information.
In addition, phishing has become a very popular type of social engineering attack, whereby an attacker sends an e-mail that appears to be from a trusted source and tries to get the recipient to click a link or open an attachment. Unfortunately, when such action is taken, malware can be injected into your computer network, which may lead to a data breach or a ransom incident.
Am I Covered For a Cyber Incident?
With social engineering and phishing scams increasing extensively in today’s remote working environment, do you have insurance coverage in the event of such a cyber incident? If you are relying on cyber liability insurance to cover such an incident, your coverage may not be as broad as it is for other losses covered by a cyber liability insurance policy.
It is important to keep in mind that the specific terms and conditions of the insurance policy itself will dictate whether there is coverage for a particular loss. However, coverage for social engineering claims may not be included in your policy at all, may be very limited, and/or may be subject to a sublimit or other reduction clause.
One reason for these limitations may be that the insurance carrier issuing the cyber liability policy assumes that a commercial crime insurance policy is being maintained for these types of losses. While a crime policy may provide coverage for social engineering claims, including funds transfer fraud situations, not all companies maintain this coverage or understand how their cyber liability and crime insurance policies interact with one another. Even if you maintain both types of policies, social engineering claims may only be covered in your cyber liability policy on an excess basis over limits available under any applicable crime insurance policy.
Depending on the cyber liability policy, there may not be adequate coverage for damage caused by a phishing attack or other social engineering attack on your company.
Why Does This Matter?
- In order to identify and understand all available coverages and limitations, cyber liability insurance policies, as well as other relevant policies, should be reviewed by experienced cyber insurance coverage attorneys.
- Such a review should be conducted without delay to confirm that you actually have the coverage you believe you do during this pandemic.
- Cyber safety measures should be utilized throughout your organization. This includes providing direction to all employees about these types of scams and how legitimate requests to transfer funds should be handled and verified.