Archived Insight | May 11, 2020
Social engineering fraud (SEF) happens when a cybercriminal purports to be a trusted individual in order to deceive people into releasing confidential, personal information, money or other property.
For example, a fund office or finance department of an organization is the victim of SEF when an employee acting in good faith transfers money to a third party in response to fraudulent instructions in an email. The email is sent by a cybercriminal impersonating an individual who has the authority to request the transfer.
This article discusses the importance of ensuring that a plan or entity is covered for SEF since it is a rapidly growing threat, both in frequency and severity. We explain why uncertainty about protection provided by existing crime insurance or a fidelity bond suggests it is prudent to purchase explicit SEF coverage as part of the policy.
According to the FBI's 2019 Internet Crime Report, the bureau's Internet Crime Complaint Center (IC3) received more than 23,000 complaints about compromised business email, which cost U.S. businesses $1.7 billion.
This is a growing area of exposure for employee benefit plans and organizations given the number of vendors, participants, clients, members and transactions they manage on a daily basis. Equally troubling, IC3 reports that SEF continues to grow and evolve, with the criminals becoming ever more resourceful.
Repercussions of SEF include:
A fidelity bond or crime insurance policy protects plans or organizations against financial losses related to acts of fraud and dishonesty, including theft. While these policies are not required to include coverage for third party computer fraud and funds transfer fraud, the additional coverages can be purchased to cover direct financial losses associated with electronic transactions and/or in communications with banking facilities.
Coverage for computer fraud generally offers protection if money or other property is directly lost as the result of unauthorized entry into or deletion of data from a computer system by a third party.
Coverage for funds transfer fraud generally provides protection for direct loss of money resulting from fraudulent instructions by a third party to a financial institution, directing them to transfer, pay or deliver money from an account maintained by the insured without the insured’s knowledge or consent. The fraudulent instructions can be made in writing (other than by forgery), via email or by telephone.
Even with these additional available coverages, a standard crime insurance policy or fidelity bond may not protect an organization or benefit plan if a fund office or finance department staff member falls victim to SEF. In fact, a major factor in SEF loss denials is that SEF losses are authorized with the organization’s knowledge or consent, even if consent was given mistakenly.
Another common reason insurers may give for denying an SEF fidelity bond claim is the policy’s so-called “voluntary parting exclusion.” These types of policies can offer protection from financial losses related to fraudulent or dishonest acts, but employees who are “hacked” are not acting dishonestly. Typical wording for that exclusion is: “no coverage for loss arising out of anyone on the Insured’s express or implied authority being induced by any dishonest act to voluntarily part with title to or possession of any property.”
The insurance industry responded to the rise in SEF by offering explicit coverage for this type of fraud. For employee benefit plans, this coverage is still relatively new, and can be added via an endorsement or included in newer bond forms. Although SEF coverage is becoming a standard part of newer crime bonds in the marketplace, Segal encourages plan sponsors to pursue SEF coverage through an endorsement to an existing fidelity bond or as part of a fidelity policy.
Insurers are reluctant to quote the coverage midterm, which could create a gap for policies written for a three-year period. Consequently, sponsors of employee benefit plans should pursue this coverage at renewal. In most cases, a short supplemental application will be required for underwriters to evaluate an insured’s SEF controls.
Typically, the cost to add SEF coverage is approximately 10 to 20 percent of the fidelity bond or crime insurance premium. The extension of coverage then becomes part of the bond’s regular renewal.
Many insurers offer social engineering fraud coverage, but the language can vary by carrier and form. Consequently, it is important to review coverage with your counsel and Segal in order to understand what SEF coverage it includes — and excludes.
When considering SEF coverage as part of a fidelity bond or crime insurance policy, it is prudent to review the coverage carefully. In particular, look for variations in how the coverage responds, what conditions are required of insureds and what documentation, if any, the carriers require.
It is also important to look for any limits or loss qualifiers. To help mitigate their risk, insurers often offer sub-limited coverage, on average offering up to a maximum $250,000 sublimit. They are reluctant to offer higher SEF limits due to the growing sophistication, frequency and severity of SEF losses. In this marketplace, higher limits may be harder to come by and reviewing limits is an important step.
There may be exclusions with respect to where, when and how a loss is paid. Insurers might make payment conditional upon the fund or organization having certain practices and protocols in place, such as the ones described in the next section. It is important to view all the terms and conditions on the fidelity bond to see if the appropriate coverages exist, as well as to cover expenses to investigate a loss.
Before pricing SEF coverage, insurers will investigate what steps a fund has taken to prevent a loss associated with SEF. Consequently, funds should have appropriate policies and procedures in place before seeking an SEF endorsement. That might include the following:
Our Administration & Technology Consulting Practice can also help plan sponsors set up these practices and procedures.
Given the rise in SEF activity and the increasing sophistication of cybercriminals bent on human hacking, Segal suggests funds consider broadening the scope of coverage under their current fidelity bond policy by purchasing the additional coverage offered by an SEF extension of coverage.
SEF coverage under a fidelity bond or crime insurance policy complements the cyber liability insurance that many boards of trustees have already purchased to protect their plans if data about participants is lost or stolen. Prospective insureds seeking cyber liability insurance should also pursue the purchase of social engineering fraud coverage under the cyber policy given the limited availability of sublimits in the market. SEF coverage under a fidelity bond or crime insurance policy can protect plans when money, securities and other property are lost. However, each carrier’s language should be carefully reviewed with legal counsel and Segal to verify coverage.
Segal’s insurance brokers can help plan sponsors obtain SEF coverage. We continue to negotiate specialized coverage with language to address the changing exposures associated with this type of claim.
This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.