With few exceptions, most businesses are vulnerable. What exactly is “social engineering”? In the context of information security, it is defined as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”.
Social Engineering claims are occurring with greater frequency, so this is an exposure clients should be concerned about. But are they? Are they aware of the potential for some of these claims to be covered through insurance? Let’s look at a recent claim that became an E&O claim:
This claim involved a supplier of packaging for the electronics industry. An unknown tortfeasor hacked into a claimant’s email account and sent phony emails to the agency client’s employees instructing them to wire transfer $50,000 to an elderly gentleman in need of an operation. The next week, the hacker sent another email to the employees instructing them to wire transfer $100,000 to a business entity. The company did not have enough money in the account to cover this transfer, so an employee contacted the fraudulent company and asked if it would be okay to wire only $75,000 for the time being. The hacker agreed and the money was transferred.
The first activity in this claim is referred to as “Spear Phishing” – the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. This security awareness training program educates staff and makes phishing your organization pointless.
It appears that endorsing Social Engineering Coverage to a claimant’s commercial crime policy would provide some degree of coverage although it is important to note that there are exclusions. One is referred to as the voluntary parting exclusion (there is no insurance coverage for money lost when you voluntarily give it away).
It would be prudent for agencies to better understand the coverages and limitations of providing social engineering coverage. In addition, this should be a discussion with clients to determine their interest in getting a proposal for consideration. Agencies should consider adding this coverage as one of the various “coverages to consider include but are not limited to the following”.
These types of coverages can be somewhat complex with exclusions that could come into play so agency producers should exercise caution when discussing the coverage with the client. It is probably best to include specimen policy forms with the proposal to assist the client in better understanding what is and what is not covered. Also, it would be wise to include any marketing material the carriers provide to avoid misstating the coverage.