Don't Get Hooked by Phishers.
In technical terms, "phishing" is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by a sender disguised as a trustworthy entity in an electronic communication. Phishing is also known as social engineering. Email and instant messages are the common channels, and spoofing the identity of a trusted source creates the opening for the bad actor. These attacks often direct a user to click on a link or enter personal information at a fake website whose look and feel mimic the legitimate site.
SPEAR, CLONE OR WHALE
The attacks come in three varieties: spear, clone and whale. In a spear attack, you or your firm are specifically targeted. A clone attack starts from an intercepted email: the hacker mimics it and adds a harmful link to catch a phish. Finally, a whale attack goes after a company's executives, for example under the guise of a corporate subpoena against the company, to get the manager to engage or click on a response link. The saving grace for surviving these attacks, beyond a tight setting on a spam filter, is that there often are typographical errors in the message, changes in font, or a visible email address of the sender that isn't their actual address. (Attacks where the sender's email address isn't visible eliminate that last safeguard and create a real challenge for everyone targeted.)
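Two of the tells listed above, a visible sender address that isn't the real one and a link dressed up to look like it goes to the legitimate site, can be checked mechanically before anyone clicks. The Python below is an illustration added to this article, not the author's code or any vendor's product: it parses a raw email, compares the domain shown in the From display name against the actual sender domain, and compares each link's visible text against where its href really points. The sample message and its domains are constructed for the example, and the `registrable_domain` helper is a deliberately simplified assumption (last two labels, no public-suffix list).

```python
"""Check an email for two of the tells the article lists: a visible sender
address that is not the real sender, and a link whose visible text names a
different site than its target. Added illustration, not the author's code."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name shows one address, the actual address
# is another, and the link text disagrees with its href. Domains are made up.
SAMPLE_MESSAGE = """From: "accounts@bank-example.com" <alerts@mail-relay.example.net>
To: cfo@firm.example
Subject: Wire confirmation required
Content-Type: text/html

<html><body>
<p>Please confirm the transfer at
<a href="http://bank-example.com.verify-login.example/confirm">https://bank-example.com/secure</a></p>
</body></html>
"""

# Matches an email address or bare domain inside free text; group 1 is the domain.
DOMAIN_RE = re.compile(r"(?:[\w.+-]+@)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplified assumption: no public-suffix
    list, so 'example.co.uk' style names are not handled precisely."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_mismatch(from_header: str):
    """Return (shown_domain, actual_domain) if the display name carries an
    address or domain that differs from the real sender's domain, else None."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    actual = registrable_domain(addr.split("@")[-1])
    match = DOMAIN_RE.search(display)
    if not match:
        return None  # plain display name such as "Jane Doe": nothing to compare
    shown = registrable_domain(match.group(1))
    return (shown, actual) if shown != actual else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html: str):
    """Return [(visible text, href)] for links whose text names a site that
    differs from where the href actually points. Text without a domain
    ("click here") cannot be checked this way and is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if shown != actual:
            found.append((text, href))
    return found


def analyze(raw_message: str) -> dict:
    """Run both checks over a raw RFC 822 message (single-part bodies only)."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    return {"sender": sender_mismatch(msg.get("From", "")),
            "links": link_mismatches(body)}


if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```

Run against the sample, both checks fire: the display name claims bank-example.com while the mail actually comes from example.net, and the link text claims bank-example.com while the href lands on verify-login.example. A plain display name ("Jane Doe") or link text without a domain ("click here") produces no finding, which is the point of the article's caveat: when the real address isn't visible, this safeguard has nothing to compare.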
Beyond my own stats from the month of January, here are a few others that you should think about, in addition to stressing the importance of a good technology plan and a great insurance policy to transfer the risk should the plan fail.
According to the Anti-Phishing Working Group, almost 1.2 million unique phishing attacks were launched in 2017--and the number of overall attacks is much greater. KeepNetLabs claims the average cost of a successful cyberattack is $1.6 million, Accenture says it's $2.4 million, Microsoft $3.8 million and IBM $7.35 million. Juniper Research--clearly anticipating inflation--predicts that by 2020 the average cost of a successful cyberattack will be $150 million.
When the question is whether something is covered or not covered by the terms of the policy, an insurer will go through the following sequence of spot checks:
* Is the insured or is the claimant making a demand against a valid and current policy?
* Is the damaged item covered by the policy with or without limitation?
* Is the cause of the loss covered with or without limitation?
* Is the limit of insurance available once the deductible is satisfied?
* Are there any exclusions, either built into the policy or added by endorsement, that would reduce or eliminate coverage?
COVERED OR NOT?
With social engineering as an example, let's work through these checkpoint questions and see how far we get. We will assume the insured has a valid policy that is in force. We will also use the example of a social engineering claim for $25,000 of funds the insured parted with in response to a fraudulent wire transfer request. The loss of funds has a few places where it might be covered: crime coverage for money and securities, electronic funds transfer fraud, computer fraud, or the cyber policy under a breach. The next step is to look more closely at the terms of each of those coverages to see whether money is covered and what policy terms may reduce or eliminate coverage altogether.
Money and securities coverage is for physical theft or disappearance, so an electronic transfer falls outside it because it was cyber. Most property and crime policies also have an exclusion for voluntarily parting with an asset; money, funds or cash are an asset, and sending the money is an act of voluntarily parting with it even if it was by trickery. Electronic funds transfer fraud coverage is worded to apply to the hacking of a wire. Therefore, unless an insurer applied a liberal interpretation (not likely or legal), this part of the crime policy would not afford coverage. Computer fraud, at least by the name of the coverage, seems to be a fit.
When the coverage terms are read, they state that a hacker, by use of the insured's network or computer system, is able to divert a tangible asset to a location not owned by the insured and steal the item. While money is an asset, the theft was not done by the hacker using the network or system to divert the cash, and even if it could be construed as such, the voluntary parting exclusion applies.
With no crime or property coverage, the cyber policy is the next one to review. The initially developed policies were basic property and liability protection against a breach. The loss of money wasn't from a hack per se; instead, email was the vehicle used to deceive the insured's employee into sending the funds. The original policies had no coverage trigger for this, and while more recently introduced forms might have coverage, nothing is standardized so that all insurers offer the same thing. Most policies are not covering the social engineering claim of $25,000 in this example.
KNOW YOUR RISK
While the claim in the example may not produce a large uncovered dollar amount, the bigger issue is understanding what you are purchasing and knowing that you are retaining risk. Everyone should be striving for educated decisions. Having the right agent or broker is the starting point for you to have the most up-to-date information on the insurance market. With this as the foundation you can build a partnership with your agent and insurer to achieve your desired goals. Don't get caught on a line when you can swim safely and free with peace of mind.
By Peter J. Elliott, CPCU
Peter J. Elliott, CPCU, is president and chief executive officer of Telcom Insurance Group. Contact him at firstname.lastname@example.org.