Archived Insight | May 11, 2020

Make Sure You're Covered For Social Engineering Fraud

Social engineering fraud (SEF) happens when a cybercriminal purports to be a trusted individual in order to deceive people into releasing confidential, personal information, money or other property.

For example, a fund office or finance department of an organization is the victim of SEF when an employee acting in good faith transfers money to a third party in response to fraudulent instructions in an email. The email is sent by a cybercriminal impersonating an individual who has the authority to request the transfer.

This article discusses the importance of ensuring that a plan or entity is covered for SEF since it is a rapidly growing threat, both in frequency and severity. We explain why uncertainty about protection provided by existing crime insurance or a fidelity bond suggests it is prudent to purchase explicit SEF coverage as part of the policy.



Social engineering fraud is increasingly common and has financial repercussions

According to the FBI's 2019 Internet Crime Report, the bureau's Internet Crime Complaint Center (IC3) received more than 23,000 complaints about compromised business email, which cost U.S. businesses $1.7 billion. 

This is a growing area of exposure for employee benefit plans and organizations given the number of vendors, participants, clients, members and transactions they manage on a daily basis. Equally troubling, IC3 reports that SEF continues to grow and evolve, with the criminals becoming ever more resourceful.

Repercussions of SEF include:

  • Financial losses
  • Cyber incidents related to stolen personal identifiable information
  • Potential lawsuits by a plan’s participants, regulators and/or vendors for not properly safeguarding data, funds or property
  • Damage to reputation and interrupted operations
  • Employment issues with victimized employees

An existing fidelity bond or crime insurance policy may not automatically cover social engineering fraud

A fidelity bond or crime insurance policy protects plans or organizations against financial losses related to acts of fraud and dishonesty, including theft. While these policies are not required to include coverage for third-party computer fraud and funds transfer fraud, those additional coverages can be purchased to cover direct financial losses associated with electronic transactions and/or communications with banking facilities.

Coverage for computer fraud generally offers protection if money or other property is directly lost as the result of unauthorized entry into or deletion of data from a computer system by a third party.

Coverage for funds transfer fraud generally provides protection for direct loss of money resulting from fraudulent instructions by a third party to a financial institution, directing them to transfer, pay or deliver money from an account maintained by the insured without the insured’s knowledge or consent. The fraudulent instructions can be made in writing (other than by forgery), via email or by telephone.

Even with these additional available coverages, a standard crime insurance policy or fidelity bond may not protect an organization or benefit plan if a fund office or finance department staff member falls victim to SEF. In fact, a major factor in SEF loss denials is that SEF losses are authorized with the organization’s knowledge or consent, even if consent was given mistakenly.

Another common reason insurers may give for denying an SEF fidelity bond claim is the policy’s so-called “voluntary parting exclusion.” These types of policies can offer protection from financial losses related to fraudulent or dishonest acts, but employees who are “hacked” are not acting dishonestly; they voluntarily hand over the funds. Typical wording for that exclusion is: “no coverage for loss arising out of anyone on the Insured’s express or implied authority being induced by any dishonest act to voluntarily part with title to or possession of any property.”

Special coverage for plans is now available

The insurance industry responded to the rise in SEF by offering explicit coverage for this type of fraud. For employee benefit plans, this coverage is still relatively new, and can be added via an endorsement or included in newer bond forms. Although SEF coverage is becoming a standard part of newer crime bonds in the marketplace, Segal encourages plan sponsors to pursue SEF coverage through an endorsement to an existing fidelity bond or as part of a fidelity policy.

Insurers are reluctant to quote the coverage midterm, which could create a gap for policies written for a three-year period. Consequently, sponsors of employee benefit plans should pursue this coverage at renewal. In most cases, a short supplemental application will be required for underwriters to evaluate an insured’s SEF controls.

Typically, the cost to add SEF coverage is approximately 10 to 20 percent of the fidelity bond or crime insurance premium. The extension of coverage then becomes part of the bond’s regular renewal.

Many insurers offer social engineering fraud coverage, but the language can vary by carrier and form. Consequently, it is important to review coverage with your counsel and Segal in order to understand what SEF coverage it includes — and excludes.

What to look for in social engineering fraud coverage

When considering SEF coverage as part of a fidelity bond or crime insurance policy it is prudent to review the coverage carefully. In particular, look for variations in how the coverage responds, what conditions are required of insureds and what documentation, if any, the carriers require.

It is also important to look for any limits or loss qualifiers. To help mitigate their risk, insurers often offer sub-limited coverage, typically capped at a $250,000 sublimit. They are reluctant to offer higher SEF limits due to the growing sophistication, frequency and severity of SEF losses. In this marketplace, higher limits may be harder to come by, so reviewing limits is an important step.

There may be exclusions with respect to where, when and how a loss is paid. Insurers might make payment conditional upon the fund or organization having certain practices and protocols in place, such as the ones described in the next section. It is important to review all the terms and conditions of the fidelity bond to confirm that the appropriate coverages exist, including coverage for the expenses of investigating a loss.

What insurers look for when underwriting social engineering fraud coverage

Before pricing SEF coverage, insurers will investigate what steps a fund has taken to prevent a loss associated with SEF. Consequently, funds should have appropriate policies and procedures in place before seeking an SEF endorsement. That might include the following:

  • Educate employees about SEF by training them to recognize warning signs that an email may be fraudulent, such as unusual and/or particularly urgent requests. Health plan sponsors should include this as part of their HIPAA privacy and security assessments, policies and training.
  • Have — and consistently use — a two-step process to verify every fund transfer request received via email. That might include having a pre-determined call-back number and/or other verifications via a different method than the request was given.
  • Require that at least two designated people authorize all fund transfers made in response to email requests.
  • Set limits on how many fund transfer requests may be made via email each day and consider imposing a dollar limit.
  • Make payments using the Automated Clearing House (ACH), a computer system set up by the Federal Reserve Bank to process electronic transactions in batches, which can take a few business days to complete, instead of wire transfers, which are immediate. Because of the time delay, ACH fund transfers can be reversed.
  • Require that any and all instances of SEF be reported to the FBI’s Internet Crime Complaint Center.
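The email-request controls in that checklist (call-back to a pre-determined number, two designated approvers, daily count and dollar limits, ACH rather than wire), expressed as an added policy-check example; this is not code from the article or from Segal, and the approver names, call-back numbers and limits are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy parameters are constructed for this example; the article names the
# controls but gives no specific figures.
MAX_EMAIL_REQUESTS_PER_DAY = 3
MAX_EMAIL_DOLLARS_PER_DAY = 50_000.00
DESIGNATED_APPROVERS = {"treasurer", "controller", "trustee_b"}
# Pre-determined call-back numbers recorded at payee onboarding, never taken
# from the request email itself (constructed values).
REGISTERED_CALLBACKS = {"acme-vendor": "+1-555-0100"}


@dataclass
class TransferRequest:
    payee: str
    amount: float
    channel: str                                  # "email" or "portal"
    rail: str = "ach"                             # "ach" (reversible) or "wire" (immediate)
    callback_number_dialed: Optional[str] = None  # number staff actually called
    approvers: set = field(default_factory=set)


class TransferPolicy:
    """Applies the checklist controls to each request, tallying approved email requests per day."""

    def __init__(self):
        self.count_by_day = {}    # date -> number of approved email requests
        self.dollars_by_day = {}  # date -> approved email dollars

    def evaluate(self, req, today=None):
        today = today or date.today()
        reasons = []
        if req.channel == "email":
            # Step 1: out-of-band verification against the pre-registered number.
            expected = REGISTERED_CALLBACKS.get(req.payee)
            if expected is None or req.callback_number_dialed != expected:
                reasons.append("call-back not made to pre-registered number")
            # Step 2: at least two distinct designated approvers.
            if len(req.approvers & DESIGNATED_APPROVERS) < 2:
                reasons.append("fewer than two designated approvers")
            # Daily count and dollar caps for email-originated requests.
            if self.count_by_day.get(today, 0) + 1 > MAX_EMAIL_REQUESTS_PER_DAY:
                reasons.append("daily email request count exceeded")
            if self.dollars_by_day.get(today, 0.0) + req.amount > MAX_EMAIL_DOLLARS_PER_DAY:
                reasons.append("daily email dollar limit exceeded")
        if req.rail != "ach":
            reasons.append("use ACH (reversible) instead of an immediate wire")
        approved = not reasons
        if approved and req.channel == "email":
            self.count_by_day[today] = self.count_by_day.get(today, 0) + 1
            self.dollars_by_day[today] = self.dollars_by_day.get(today, 0.0) + req.amount
        return approved, reasons
```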

Our Administration & Technology Consulting Practice can also help plan sponsors set up these practices and procedures.

Be safe in duplicitous times

Given the rise in SEF activity and the increasing sophistication of cybercriminals bent on human hacking, Segal suggests funds consider broadening the scope of coverage under their current fidelity bond policy by purchasing the additional coverage offered by an SEF extension of coverage.

SEF coverage under a fidelity bond or crime insurance policy complements the cyber liability insurance that many boards of trustees have already purchased to protect their plans if data about participants is lost or stolen. Prospective insureds seeking cyber liability insurance should also pursue the purchase of social engineering fraud coverage under the cyber policy given the limited availability of sublimits in the market. SEF coverage under a fidelity bond or crime insurance policy can protect plans when money, securities and other property is lost. However, each carrier’s language should be carefully reviewed with legal counsel and Segal to verify coverage.

Segal’s insurance brokers can help plan sponsors obtain SEF coverage. We continue to negotiate specialized coverage with language to address the changing exposures associated with this type of claim.
