Insurance Coverage for Social Engineering Losses

Cyber criminals employ a variety of tactics—such as hacking, phishing or baiting schemes—to steal a business’s money, property or proprietary information. The term “social engineering” is applied to schemes that use technology, not to steal directly from the business, but to manipulate employees unwittingly to perform acts, transfer assets or divulge confidential information. A common social engineering loss scenario involves a trusted employee who is induced, by a spoof email or forged written instructions from someone impersonating a customer, a vendor or a senior officer of the company, to instruct the employer’s bank to wire funds to the imposter’s account.

Many businesses mistakenly believe that traditional commercial crime policies cover all such cyber-related losses. Although commercial crime policies have traditionally included computer fraud and funds transfer fraud insuring agreements, courts interpreting the scope of such coverages have generally distinguished between: (1) Losses where a thief hacks the insured’s computer systems and uses the computer to steal the insured’s property or to induce the insured’s bank to transfer the insured’s funds; and (2) Losses where the insured voluntarily transfers funds. Courts have generally allowed coverage for the first category of loss, but the latter losses—which include “social engineering” claims—usually are not covered.

Standard computer fraud insurance usually applies to hacking losses, i.e., direct loss resulting from “theft” through the use of a computer system. Social engineering losses are outside the scope of coverage because they do not arise “directly” from the use of any computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.

The Funds Transfer Fraud insuring agreement applies when an imposter induces a financial institution to allow funds to be withdrawn from the insured’s account by posing as the insured and submitting fraudulent instructions. Social engineering claims are outside the scope of the insuring agreement, where an authorized employee is induced to authorize a withdrawal.

Social engineering loss is difficult to prevent; it cannot be defended against through hardware or software. Insurance coverage against social engineering risks, however, is available, usually by endorsement to commercial crime policy forms. Such coverage typically covers direct loss resulting from the intentional misleading of an employee through electronic or written instruction sent by a person who purports to be a vendor, client or employee, that directs the employee to transfer, pay or deliver money or property, and that contains a misrepresentation of material fact which is relied upon by the employee.