As I have noted in prior posts, a recurring challenge many organizations face these days is the threat of “payment instruction fraud,” also sometimes called “social engineering fraud” or “payment impersonation fraud.” In these schemes scammers use official-seeming email communications to induce company employees to transfer company funds to the imposters’ account. Among the many issues arising when these kinds of scams occur is the question of insurance coverage for the loss. Some victims may expect that their cyber liability insurance will cover their loss.
However, as Lauri Floresca of Woodruff-Sawyer points out in her December 5, 2019 post on her firm’s blog entitled “Payment Impersonation Fraud: Why is This Common Cyber Problem Not a Valid Cyber Claim” (here), these claims rarely involve the kind of cyber security breach required to trigger cyber insurance coverage. Accordingly, there are other steps well-advised companies may want to take to try to protect themselves from these kinds of losses.
As Floresca points out in her blog post, when these kinds of losses occur, many people assume that these circumstances present a “cyber claim” because they involve computers and emails. However, as Floresca also notes, the fact is that underwriting these kinds of exposures is “primarily about accounting controls (crime) rather than IT security (cyber).” In most instances, there is “no cyber security breach at the root of the theft, just phishing emails based on knowledge collected from multiple sources.”
Because the heart of this scam is a theft, many insurance professionals (and, as Floresca points out, most insurers) believe that these payment fraud cases belong under the crime coverage, rather than under the cyber coverage. However, as these claims have emerged, one problem with trying to get coverage for these kinds of losses under the crime policy has become apparent. The problem is that many crime policies have exclusions precluding coverage for “voluntary parting with funds,” which the crime insurers contend is exactly what these kinds of scams involve.
More recently, crime insurers have been willing to modify their policies to provide affirmative coverage for these kinds of losses. Unfortunately, in granting this coverage extension, the crime insurers have been willing only to offer relatively low coverage sublimits, usually in the range of $100,000 to $250,000. (Some insurers may be willing to offer higher sublimits in some circumstances, usually subject to further underwriting and the payment of additional premium.) Many insurers will require the provision of information showing that the insured organization has adequate controls in place before they will offer this coverage.
As this coverage extension has become available, one question has been whether the extension properly belongs in the crime policy or in the cyber policy. Even though, as Floresca puts it, “cyber insurance was never a very logical place to cover this exposure,” many insurance buyers nonetheless expect their cyber insurance to provide this coverage. And so some cyber insurers have begun offering a sublimited coverage extension for this exposure – at least for small and mid-size companies – that mirrors the extension available under the crime policy.
One question that arises when the extension is available under both the crime and cyber coverage is which policy is the right one to add this coverage to. Floresca suggests not making a choice, but rather adding the coverage to both policies. As she notes, “having a small amount of coverage in both places can be helpful, given that the sublimits being offered are often lower than companies would like.” She notes further that “best practices are to stipulate which policy should be primary – usually the one with the lower retention.” If the loss exceeds the sublimit on one policy, “you may be able to collect from the other, but would need to satisfy a second retention as well.”
As between the crime and cyber policies, I believe that the crime policy is the right place to put the coverage extension. However, I also agree with Floresca that it could be advisable for companies to consider seeking the sublimited coverage extension under both policies.
In addition, it is important that the coverage be constructed so that it will respond in a broad variety of circumstances. For example, some versions of the extension limit coverage to situations where the fraudster impersonates an officer or employee of the insured company. However, losses can arise not just from the impersonation of a company officer or employee, but also from the impersonation of a customer, or even of a vendor, regulator, lender, or outside professional (such as an attorney, accountant, or investment banker). For that reason, it is important that the coverage extension be worded so that the coverage available does not depend on the false identity that the imposter assumes.
In addition, claims experience with these kinds of claims has taught that the imposters may not only try to get the bamboozled employee to transfer their employer’s funds. In some instances, we have seen the fraudster try to induce the company’s employees to transfer funds the company is holding for third parties. In other instances, the fraudster has tricked the company employee into transferring inventory, raw materials, or other goods. Again, in order to try to ensure that the coverage extension is available in the broadest range of circumstances, the extension should be worded so that it applies not just to the employer company’s funds, but also applies to fraudulently induced transfer of any funds, as well as inventory, supplies, and other goods.
While these coverage extensions do provide some insurance protection against these kinds of losses, the reality is that in many instances the insured company’s exposure will far exceed the amount of available insurance. As Floresca also points out, given the claim frequency that the insurers have experienced for these kinds of losses, the coverage available for these kinds of losses is “not likely to significantly improve in the near future.” The reality is, as Floresca notes, “the insurers are not collecting enough premium to offer higher limits than they already do, and in fact, some are pulling back on the limits they currently offer.”
As Floresca also correctly notes, given the limited insurance options available, the best practice for companies to protect themselves against these kinds of losses is to implement strong financial controls. Until a more comprehensive insurance solution is available, well-advised companies will need to look to other risk management tools in order to protect themselves from these kinds of losses. In particular, internal training designed to alert employees to the possibilities of these kinds of scams is an important first step. Employees should be particularly wary of funds transfer requests in unusual amounts, or that are made with an unusual level of urgency, or that require the transfer of funds to an unfamiliar account or address. Another important risk management tool is the development of multi-level authentication and verification processes.
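The controls just described (wariness of unusual amounts, unusual urgency, and unfamiliar accounts, backed by a multi-level verification process) can be expressed as a simple screening rule set for incoming payment requests. The following is an added example written for this post, not code from the original article or from Woodruff-Sawyer; the vendor records, trusted domains, urgency phrases, thresholds, and the two sample requests are all constructed for illustration.

```python
"""Added example: rule-based screening of funds-transfer requests, plus a
two-level approval gate. Vendor data, thresholds and requests are constructed."""
from dataclasses import dataclass, field
import re

# Phrases that commonly accompany pressure to skip verification (assumed list).
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|right away|today|keep this confidential)\b", re.I)


@dataclass(frozen=True)
class Vendor:
    name: str
    known_accounts: frozenset   # account ids previously verified out of band
    typical_amount: float       # historical average payment to this vendor
    callback_phone: str         # number on file; never taken from the request itself


@dataclass(frozen=True)
class PaymentRequest:
    vendor_name: str
    account: str
    amount: float
    message: str
    requester_email: str


@dataclass
class Screening:
    flags: list = field(default_factory=list)

    @property
    def needs_callback(self) -> bool:
        # Any warning sign forces an out-of-band callback before payment.
        return bool(self.flags)


def screen(req: PaymentRequest, vendors: dict, trusted_domains: frozenset,
           amount_ratio: float = 3.0) -> Screening:
    """Collect the warning signs present on a request."""
    flags = []
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        flags.append("unknown payee")
    else:
        if req.account not in vendor.known_accounts:
            flags.append("unfamiliar account")
        if req.amount > amount_ratio * vendor.typical_amount:
            flags.append("unusual amount")
    if URGENCY.search(req.message):
        flags.append("unusual urgency")
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        flags.append("requester domain not trusted")
    return Screening(flags)


def approve(req: PaymentRequest, result: Screening, callback_confirmed: bool,
            second_approver: bool, dual_threshold: float = 25_000.0) -> str:
    """Multi-level gate: flagged requests need a callback to the phone number
    on file; payments at or above dual_threshold also need a second approver."""
    if result.needs_callback and not callback_confirmed:
        return "HELD: callback verification required"
    if req.amount >= dual_threshold and not second_approver:
        return "HELD: second approver required"
    return "APPROVED"


# Constructed vendor master data and trusted sender domains.
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", frozenset({"ACCT-1001"}),
                            4_000.0, "+1-555-0100"),
}
TRUSTED = frozenset({"acme-supplies.example", "corp.example"})

# Constructed requests: one routine invoice, one showing the classic warning signs.
ROUTINE = PaymentRequest("Acme Supplies", "ACCT-1001", 3_900.0,
                         "Invoice 4471 attached, net 30.",
                         "ap@acme-supplies.example")
SUSPECT = PaymentRequest("Acme Supplies", "ACCT-9999", 48_000.0,
                         "URGENT: we changed banks, please wire today and "
                         "keep this confidential.",
                         "ap@acme-supp1ies.example")

if __name__ == "__main__":
    for label, req in (("routine", ROUTINE), ("suspect", SUSPECT)):
        res = screen(req, VENDORS, TRUSTED)
        print(label, res.flags,
              approve(req, res, callback_confirmed=False, second_approver=False))
```

The design point is that the callback number comes from the vendor record on file, never from the email requesting the change, and that a large payment is held for an independent second approver even after the callback succeeds; the flags themselves are only the trigger for those human steps.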