Headlines practically write themselves these days. A company was duped into sending money to some unidentified party, be it hacker collective or nation-state or individual. Spear-phishing is not a new technique in the cyber war. In fact, it’s one of the oldest criminal techniques on the internet. Seems like only yesterday that we were all being told that a wealthy Nigerian Prince had decided to give us his fortune; all that was required was our bank account and routing info.
These days, the attacks are far less obvious (apologies to those of you that fell for the Nigerian 419 Scam) and far more nefarious. Spear-phishing attacks have become so sophisticated that even large Fortune 1000 companies are falling for them. The model is simple: find a way to impersonate a company executive and fool an employee into wiring money into an offshore account.
How the criminals get in is highly dependent on the given situation and the parties involved. Most of the time, it involves email. Hacking an email server is as simple as sending a link to all known employees and getting just one of them to click on it. End-users are the weak link in cyber security, and hackers know this. After an employee clicks on the malicious link, the hacker has everything they need to exploit the email server. Typically, they will monitor the email exchanges to learn names, dates, numbers, etc. – all of which can be done in a matter of minutes. Knowing that a big deal is closing next week, and the names of the closing attorneys, a hacker can easily convince a low-level accountant to wire money into an unauthorized account.
“Spoofing” spear-phishing attacks, whereby a hacker impersonates a known party (usually a senior executive) to conduct a crime, are more effective than all other forms of cyber attacks combined. In fact, according to Trend Micro, 91% of all cyber attacks start with spear-phishing. Why? It’s pretty simple, actually. It comes down to trust. Humans are far more trusting than machines and want to please their bosses, employees, co-workers, etc. We are far too eager to help when asked. And, if it appears that a trusted person wants us to do something for them, we do it – especially if it’s our boss.
So, how do you insure against spoofing attacks?
Back to the title of this blog post: if and when this happens, what insurance policy pays for it? Surely it’s covered under Crime Insurance? You have coverage for “wire fraud,” yes? Yes, you do. And if not, it must be covered under Cyber Insurance. You have coverage for “cyber crime,” yes? Yes, you do. The answer may surprise you: both policies can cover it, and both policies can exclude it. It all comes down to what was intentionally designed from the outset by your broker and what was offered by your insurance carrier. In recent days, it’s also coming down to court decisions – which are not consistent.
The scope of this post is not to offer legal guidance, but it’s worth noting that two recent court cases involving cyber wire fraud have been ruled differently by the courts. In one case, American Tooling Center vs. Travelers Casualty and Surety Company, the court determined that a spoofing attack did not meet the definition of cyber wire fraud under a crime policy. In another case (decided before American Tooling), Medidata Solutions, Inc. v. Federal Insurance Company, the court decided that spoofing did meet the definition under a crime policy. There is a great breakdown of both cases in the D&O Diary Blog.
On the cyber insurance side, there are just as many conflicting claims – many still in pending litigation. The denied claims are frequently due to the insured’s failure to investigate or monitor money transfers and/or their willing participation (even unknowingly) in the transfer. Most cyber insurance underwriters view social engineering claims as better suited for coverage under crime insurance. Not surprisingly, many crime insurance underwriters think the coverage belongs on the cyber form.
Time will determine the best course of action from an insurance standpoint. Many carriers have developed “social engineering” endorsements for crime and bond insurance products. There are some limitations in terms of limit capacity, but these may prove to be a viable solution for many companies. Many cyber carriers also currently provide coverage, but in most cases it needs to be requested. The main takeaway is this: every company has a spear-phishing exposure and needs to understand whether, and where, insurance coverage is available for it. A specialist broker, one that truly understands cyber insurance (such as any TechAssure member), can design a program that properly addresses these issues.
As with all insurance programs, trying to find coverage in the grey or silent areas is a bad idea. It is much better to understand your risks and work with a broker that can help you address those risks properly and clearly.