Articles | May 11, 2020

Make Sure You're Covered For Social Engineering Fraud

Social engineering fraud (SEF) happens when a cybercriminal purports to be a trusted individual in order to deceive people into releasing confidential, personal information, money or other property.

For example, a fund office or finance department of an organization is the victim of SEF when an employee acting in good faith transfers money to a third party in response to fraudulent instructions in an email. The email is sent by a cybercriminal impersonating an individual who has the authority to request the transfer.

This article discusses the importance of ensuring that a plan or entity is covered for SEF since it is a rapidly growing threat, both in frequency and severity. We explain why uncertainty about protection provided by existing crime insurance or a fidelity bond suggests it is prudent to purchase explicit SEF coverage as part of the policy.

Stock close-up photo of a mature man surrounded by monitors & a holographic display which he is reading

Wondering about your current insurance coverage?

Reach out and get a complimentary assessment of your plan’s insurance coverage.

Contact Us

Social engineering fraud is increasingly common and has financial repercussions

According to the FBI's 2019 Internet Crime Report, the bureau's Internet Crime Complaint Center (IC3) received more than 23,000 complaints about compromised business email, which cost U.S. businesses $1.7 billion. 

This is a growing area of exposure for employee benefit plans and organizations given the number of vendors, participants, clients, members and transactions they manage on a daily basis. Equally troubling, IC3 reports that SEF continues to grow and evolve, with the criminals becoming ever more resourceful.

Repercussions of SEF include:

  • Financial losses
  • Cyber incidents related to stolen personal identifiable information
  • Potential lawsuits by a plan’s participants, regulators and/or vendors for not properly safeguarding data, funds or property
  • Damage to reputation and interrupted operations
  • Employment issues with victimized employees

An existing fidelity bond or crime insurance policy may not automatically cover social engineering fraud

A fidelity bond or crime insurance policy protects plans or organizations against financial losses related to acts of fraud and dishonesty, including theft. While these policies are not required to include coverage for third party computer fraud and funds transfer fraud, the additional coverages can be purchased to cover direct financial losses associated with electronic transactions and/or in communications with banking facilities.

Coverage for computer fraud generally offers protection if money or other property is directly lost as the result of unauthorized entry into or deletion of data from a computer system by a third party.

Coverage for funds transfer fraud generally provides protection for direct loss of money resulting from fraudulent instructions by a third party to a financial institution, directing them to transfer, pay or deliver money from an account maintained by the insured without the insured’s knowledge or consent. The fraudulent instructions can be made in writing (other than by forgery), via email or by telephone.

Even with these additional available coverages, a standard crime insurance policy or fidelity bond may not protect an organization or benefit plan if a fund office or finance department staff member falls victim to SEF. In fact, a major factor in SEF loss denials is that SEF losses are authorized with the organization’s knowledge or consent, even if consent was given mistakenly.

Another common reason insurers may give for denying an SEF fidelity bond claim is the policy’s so-called “voluntary parting exclusion.” These type of policies can offer protection from financial losses related to fraudulent or dishonest acts, but employees who are “hacked” are not acting dishonestly. Typical wording for that exclusion is: “no coverage for loss arising out of anyone on the Insured’s express or implied authority being induced by any dishonest act to voluntarily part with title to or possession of any property.”

Special coverage for plans is now available

The insurance industry responded to the rise in SEF by offering explicit coverage for this type of fraud. For employee benefit plans, this coverage is still relatively new, and can be added via an endorsement or included in newer bond forms. Although SEF coverage is becoming a standard part of newer crime bonds in the marketplace, Segal encourages plan sponsors to pursue SEF coverage through an endorsement to an existing fidelity bond or as part of a fidelity policy.

Insurers are reluctant to quote the coverage midterm, which could create a gap for policies written for a three-year period. Consequently, sponsors of employee benefit plans should pursue this coverage at renewal. In most cases, a short supplemental application will be required for underwriters to evaluate an insured’s SEF controls.

Typically, the cost to add SEF coverage is approximately 10 to 20 percent of the fidelity bond or crime insurance premium. The extension of coverage then becomes part of the bond’s regular renewal.

Many insurers offer social engineering fraud coverage, but the language can vary by carrier and form. Consequently, it is important to review coverage with your counsel and Segal in order to understand what SEF coverage it includes — and excludes.

What to look for in social engineering fraud coverage

When considering SEF coverage as part of a fidelity bond or crime insurance policy it is prudent to review the coverage carefully. In particular, look for variations in how the coverage responds, what conditions are required of insureds and what documentation, if any, the carriers require.

It is also important to look for any limits or loss qualifiers. To help mitigate their risk, insurers often offer sub-limited coverage, on average offering up to a maximum $250,000 sublimit. They are reluctant to offer higher SEF limits due to the growing sophistication, frequency and severity of SEF losses. In this marketplace, higher limits may be harder to come by and reviewing limits is an important step.

There may be exclusions with respect to where, when and how a loss is paid. Insurers might make payment conditional upon the fund or organization having certain practices and protocols in place, such as the ones described in the next section. It is important to view all the terms and conditions on the fidelity bond to see if the appropriate coverages exist, as well to cover expenses to investigate a loss.

What insurers look for when underwriting social engineering fraud coverage

Before pricing SEF coverage, insurers will investigate what steps a fund has taken to prevent a loss associated with SEF. Consequently, funds should have appropriate policies and procedures in place before seeking an SEF endorsement. That might include the following:

  • Educate employees about SEF by training them to recognize warning signs that an email may be fraudulent, such as unusual and/or particularly urgent requests. Health plan sponsors should include this as part of their HIPAA privacy and security assessments, policies and training.
  • Have — and consistently use — a two-step process to verify every fund transfer request received via email. That might include having a pre-determined call-back number and/or other verifications via a different method than the request was given.
  • Require that at least two designated people authorize all fund transfers made in response to email requests.
  • Set limits on how many fund transfer requests may be made via email each day and consider imposing a dollar limit.
  • Make payments using the Automated Clearing House (ACH), a computer system set up by the Federal Reserve Bank to process electronic transactions in batches, which can take a few business days to complete, instead of wire transfers, which are immediate. Because of the time delay, ACH fund transfers can be reversed.
  • Require that any and all instances of SEF be reported to the FBI’s Internet Crime Complaint Center.

Our Administration & Technology Consulting Practice can also help plan sponsors set up these practices and procedures.

Be safe in duplicitous times

Given the rise in SEF activity and the increasing sophistication of cybercriminals bent on human hacking, Segal suggests funds consider broadening the scope of coverage under their current fidelity bond policy by purchasing the additional coverage offered by an SEF extension of coverage.

SEF coverage under a fidelity bond or crime insurance policy complements the cyber liability insurance that many boards of trustees have already purchased to protect their plans if data about participants is lost or stolen. Prospective insureds seeking cyber liability insurance should also pursue the purchase of social engineering fraud coverage under the cyber policy given the limited availability of sublimits in the market. SEF coverage under a fidelity bond or crime insurance policy can protect plans when money, securities and other property is lost. However, each carrier’s language should be carefully reviewed with legal counsel and Segal to verify coverage.

Segal’s insurance brokers can help plan sponsors obtain SEF coverage. We continue to negotiate specialized coverage with language to address the changing exposures associated with this type of claim.

Learn more from our other insights

Businessman In Suit Leaning On Desk And Looking At Charts

Are You Covered For Social Engineering Fraud?

Segal Select Insurance's Diane McNally talks about why your current insurance coverage may not cover cases of social engineering fraud.
Young Asian Couple Managing Finances Reviewing Document And Accounts Using Laptop At Modern Home

Insurance Coverage Type Determines When to Notify Carriers

Make sure you know when you're obligated to notify your insurance carrier of a claim.
Businesswoman examining documents at desk

Review Commercial & Voluntary Insurance in Light of COVID-19

We consider some aspects of each type of insurance your may need to review in light of COVID-19.

Don't miss out. Join 16,000 others who already get the latest insights from Segal.