Social engineering fraud (SEF) happens when a cybercriminal purports to be a trusted individual in order to deceive people into releasing confidential, personal information, money or other property.
For example, a fund office or finance department of an organization is the victim of SEF when an employee acting in good faith transfers money to a third party in response to fraudulent instructions in an email. The email is sent by a cybercriminal impersonating an individual who has the authority to request the transfer.
This article discusses the importance of ensuring that a plan or entity is covered for SEF since it is a rapidly growing threat, both in frequency and severity. We explain why uncertainty about protection provided by existing crime insurance or a fidelity bond suggests it is prudent to purchase explicit SEF coverage as part of the policy.
According to the FBI’s 2023 Internet Crime Report, the bureau’s Internet Crime Complaint Center (IC3) received more than 21,849 complaints about compromised business emails, which cost U.S. businesses $2.9 billion. While the number of incidents was slightly down from 2019, the cost to businesses nearly doubled.
This is a growing area of exposure for employee benefit plans and organizations given the number of vendors, participants, clients, members and transactions they manage on a daily basis. Equally troubling, IC3 reports that SEF continues to grow and evolve, with the criminals becoming ever more resourceful.
Repercussions of SEF include:
A fidelity bond or crime insurance policy protects plans or organizations against financial losses related to acts of fraud and dishonesty, including theft. While these policies are not required to include coverage for third party computer fraud and funds transfer fraud, the additional coverages can be purchased to cover direct financial losses associated with electronic transactions and/or in communications with banking facilities.
Coverage for computer fraud generally offers protection if money or other property is directly lost as the result of unauthorized entry into or deletion of data from a computer system by a third party.
Coverage for funds transfer fraud generally provides protection for direct loss of money resulting from fraudulent instructions by a third party to a financial institution, directing them to transfer, pay or deliver money from an account maintained by the insured without the insured’s knowledge or consent. The fraudulent instructions can be made in writing (other than by forgery), via email or by telephone.
Even with these additional available coverages, a standard crime insurance policy or fidelity bond may not protect an organization or benefit plan if a fund office or finance department staff member falls victim to SEF. In fact, a major factor in SEF loss denials is that SEF losses are authorized with the organization’s knowledge or consent, even if consent was given mistakenly.
Another common reason insurers may give for denying an SEF fidelity bond claim is the policy’s so-called “voluntary parting exclusion.” These types of policies can offer protection from financial losses related to fraudulent or dishonest acts, but employees who are “hacked” are not acting dishonestly. Typical wording for that exclusion is, “no coverage for loss arising out of anyone on the Insured’s express or implied authority being induced by any dishonest act to voluntarily part with title to or possession of any property.”
The insurance industry responded to the rise in SEF by offering explicit coverage for this type of fraud. For employee benefit plans, it can be readily added via an endorsement or included in bond forms subject to underwriting consideration. Although SEF coverage is becoming a standard part of crime bonds in the marketplace, Segal encourages plan sponsors to pursue adding SEF coverage to an existing fidelity bond or as part of a fidelity policy. Alternatively, cyber liability policies can afford protections for these types of coverages; however, they can vary by carrier and underwriting appetite.
Insurers can be reluctant to quote the coverage in the middle of a policy term, which could create a gap for policies written for a three-year period. Consequently, sponsors of employee benefit plans should pursue this coverage at renewal. In most cases, a short supplemental application will be required for underwriters to evaluate an insured’s SEF controls.
Typically, the cost to add SEF coverage is approximately 10 to 20 percent of the fidelity bond or crime insurance premium. The extension of coverage then becomes part of the bond’s regular renewal.
Many insurers offer SEF coverage, but the language can vary by carrier and form. Consequently, it is important to review coverage with your counsel and Segal in order to understand what SEF coverage it includes — and excludes — as well as the insured’s obligations under the policy.
When considering SEF coverage as part of a fidelity bond or crime insurance policy, it is prudent to review the coverage carefully. In particular, look for variations in how the coverage responds, what conditions are required of insureds and what documentation, if any, the carriers require.
It is also important to look for any limits or loss qualifiers. To help mitigate their risk, insurers often offer sub-limited coverage, on average offering up to a maximum $250,000 sublimit. Higher limits are becoming more available in current market conditions.
Many organizations have basic coverage for cyber incidents and crime-related activities. However, standard policies often have low limits, which may not be sufficient to fully protect against the rising threat of SEF. To address this gap, a newer policy is being provided for excess SEF coverage.
This coverage is mainly provided on a surplus lines basis, meaning it can extend the protections of a primary crime insurance policy and the forms are non-admitted in the market. In simpler terms, if a company already has a basic crime insurance policy, this excess coverage can kick in to provide additional financial support when the limits of the primary policy are exceeded, ensuring better protection against potential losses from social engineering scams.
There may be exclusions with respect to where, when and how a loss is paid. Insurers might make payment conditional upon the fund or organization having certain practices and protocols in place, such as the ones described in the next section. It is important to view all the terms and conditions on the fidelity bond to see if the appropriate coverages exist, as well as to cover expenses to investigate a loss.
Before pricing SEF coverage, insurers will investigate what steps a fund has taken to prevent a loss associated with SEF. Consequently, funds should have appropriate policies and procedures in place before seeking an SEF endorsement. That might include the following:
Segal’s Administration & Technology Consulting Practice can also help plan sponsors set up these practices and procedures.
Given the rise in SEF activity and the increasing sophistication of cybercriminals bent on human hacking, Segal suggests funds consider broadening the scope of coverage under their current fidelity bond policy by purchasing the additional coverage offered by an SEF extension of coverage.
SEF coverage under, or in excess of, a fidelity bond or crime insurance policy complements the cyber liability insurance that many boards of trustees have already purchased to protect their plans if data about participants is lost or stolen. Prospective insureds seeking cyber liability insurance should also pursue the purchase of SEF coverage under the cyber policy given the limited availability of sublimits in the market. SEF coverage under a fidelity bond or crime insurance policy can protect plans when money, securities and other property are lost. However, each carrier’s language should be carefully reviewed with legal counsel and Segal to verify coverage.
Segal’s insurance brokers can help plan sponsors obtain SEF coverage. We continue to negotiate specialized coverage with language to address the changing exposures associated with this type of claim.
This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.
© 2024 by The Segal Group, Inc.