
Social Engineering Fraud: A Dangerous and Emerging Crime Exposure

January 2015 • Lockton Companies

What is Social Engineering Fraud?

While Social Engineering Fraud (SEF) is not an intuitive term, it is easy to understand why businesses face this risk. SEF occurs when employees or business partners, acting in good faith, comply with payment instructions received by email. The instructions, however, come from a third-party fraudster mimicking legitimate correspondence, and the fraud can be very difficult to identify.

SEF is rapidly emerging as an expensive concern for numerous Lockton clients, with losses being incurred at an alarming rate. Accordingly, SEF is also a hot topic for the insurance market: multiple new endorsements are entering the market, and many insurers are denying coverage for these claims.


LISA MCALEENAN, CPCU
Senior Vice President
Financial Services
314.812.3246
[email protected]

NOËL OLEKSA, AIC, JD
Claims Consultant
314.812.3186
[email protected]


Examples of SEF Claims

• An email purporting to be from the company COO asks an employee what information the employee will need from the COO in order to make a wire transfer to a vendor. The employee responds that he will need the routing number and the bank account number. The "COO", who, unbeknownst to the employee, is actually a third party, provides the requested information. The employee, acting in good faith in the belief that he is assisting his COO, sends the wire transfer.

• A client doing business overseas has a main vendor partner in China to whom the client routinely remits payments for goods via wire transfer. The client receives notification from the vendor that the vendor has changed banks, with updated remittance instructions. The client forwards the notification to the internal accounts payable team, which implements the updated instructions. After several payments have been sent to the new account, which was created by a fraudulent third party and not by the vendor, the vendor partner informs the client that it has not received payment and seeks reimbursement for the goods sent. The vendor's email system had been hacked by the fraudulent third party.

What Happens When an SEF Claim is Filed?

SEF claims typically are reported to Crime or Fidelity Bond coverage for the loss of money sent to a fraudulent third party. However, these claims are often being denied, leaving the client without any practical recourse for recovery. Common insuring agreements under which an SEF claim would be reported include:

• Computer Fraud: the Company shall pay the parent organization for direct loss of money… sustained by an insured resulting from computer fraud committed by a third party.

   ◦ Computer Fraud is defined as the unlawful taking of money resulting from a computer violation.

   ◦ Computer Violation is defined as an unauthorized entry into or deletion of data from a computer system committed by a third party.

• Funds Transfer Fraud: the Company shall pay the parent organization for direct loss of money sustained by an insured resulting from funds transfer fraud committed by a third party.

   ◦ Funds Transfer Fraud is defined as fraudulent written, electronic, telegraphic, cable, teletype, or telephone instructions, other than forgery, purportedly issued by an organization and issued to a financial institution, directing such institution to transfer, pay, or deliver money from any account maintained by such organization at such institution, without such organization's knowledge or consent.



Under these Insuring Agreements, carriers deny coverage for the first claim example for a few reasons:

1. The carrier argues that the Computer Fraud Insuring Agreement is not triggered as the fraudulent payment instructions came into the company via email, and email by its nature is an authorized entry.

2. The carrier reasons the direct cause of loss is not the email which was allowed to enter the computer system but was rather the insured sending the money on the basis of the belief the instructions were legitimate.

3. The carrier argues the Funds Transfer Fraud Insuring Agreement is not triggered as the funds were transferred with the organization’s knowledge or consent, as the organization did have knowledge, albeit based on a mistaken belief, and the insuring agreement requires the money be transferred without the organization’s knowledge or consent.

The wording of Computer Fraud or Funds Transfer Fraud Insuring Agreements can vary from carrier to carrier. The wording we have provided is typical, but not exclusively used. Nevertheless, carriers are often responding with denials, based either on a factual element of the loss deviating from the Insuring Agreement or due to the applicability of an exclusion in the policy.

• Voluntary Parting Exclusion: the so-called Voluntary Parting Exclusion is one key exclusion that carriers may cite in declining coverage. A typical wording for the Voluntary Parting Exclusion is as follows: no coverage for loss arising out of anyone acting on the Insured's express or implied authority being induced by any dishonest act to voluntarily part with title to or possession of any property.

To determine whether a loss may be covered, the policy, including the insuring agreements, definitions and exclusions, must be read very carefully in light of the specific facts of the loss for which recovery is being sought. As SEF losses are being presented at a rapidly increasing rate, carriers are starting to introduce endorsements to allow for certainty on the part of the insureds and to provide a cap on the risk for insurers.



New Endorsements Available in the Market

In light of the need to clarify and define coverage for SEF, three key carriers have recently offered coverage endorsements for SEF scenarios, with relatively small sublimits. We expect other carriers to have similar offerings very soon.

Multiple other carriers have refused to declare their position on covering SEF losses, and clients must continue to submit losses on a case by case basis to seek coverage and obtain the carrier coverage position. The lack of certainty is a source of frustration. Lockton Companies stands ready to discuss coverage options and to advocate for coverage.

Recommendations

We recommend that our clients develop and enforce policies and procedures within their organizations to help employees recognize potentially fraudulent instructions. For specific guidance, carriers have begun distributing bulletins to insureds describing proactive measures that may be taken to avoid or mitigate loss from SEF. An example of such guidance follows.

• Educate your employees. Advise all employees never to send products or money to a new address or bank account without first verifying, via a telephone call to a previously established contact at the original source, that the request is legitimate.

• Establish procedures requiring two or more employees to sign off on any change to delivery or wire instructions.

• Document all such confirmations in writing, including the date and the contact information of the employee at the original source.

• Hold regular conversations with your vendors regarding any security issues with information technology systems, including email.
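The callback and two-person sign-off measures above are straightforward to enforce in an accounts payable system rather than leaving them to memory. What follows is an added example, not code from Lockton or from the bulletin the paper quotes; the classes, vendor record, phone numbers and wire details are constructed for illustration. It walks the overseas-vendor scenario from the claim examples through the control: a callback to the number given in the email is rejected because the only acceptable number is the one captured at onboarding, a change cannot be signed off before a callback is on record, and the same employee cannot provide both sign-offs.

```python
# Added example, not from the Lockton paper. A model AP control: a change to vendor wire
# instructions takes effect only after callback to the contact on file and two sign-offs. Data constructed.
from dataclasses import dataclass, field
from typing import Optional
from uuid import uuid4

@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    routing: str
    account: str
    verified_phone: str   # captured at onboarding; never updated from inbound mail

@dataclass
class ChangeRequest:
    vendor_id: str
    new_routing: str
    new_account: str
    phone_in_message: Optional[str] = None  # number the message asks you to call

@dataclass
class Callback:
    number_dialed: str
    vendor_contact: str     # who was reached; kept with the date as the written record
    date: str
    vendor_confirmed: bool  # did the known contact confirm the change?

@dataclass
class PendingChange:
    request: ChangeRequest
    callback: Optional[Callback] = None
    approvers: list = field(default_factory=list)

class PolicyViolation(Exception):
    pass

class RemittanceChangeWorkflow:
    REQUIRED_APPROVERS = 2
    def __init__(self, vendors):
        self.vendors = {v.vendor_id: v for v in vendors}
        self.pending = {}

    def submit(self, request):
        if request.vendor_id not in self.vendors:
            raise PolicyViolation("unknown vendor")
        change_id = f"CHG-{uuid4().hex[:8]}"
        self.pending[change_id] = PendingChange(request)
        return change_id

    def record_callback(self, change_id, callback):
        change = self.pending[change_id]
        on_file = self.vendors[change.request.vendor_id].verified_phone
        # A number taken from the request itself would just reach the fraudster again.
        if callback.number_dialed != on_file:
            raise PolicyViolation("callback must use the contact on file")
        if not callback.vendor_confirmed:
            del self.pending[change_id]   # the known contact disowned it: discard
            raise PolicyViolation("vendor did not confirm; request discarded")
        change.callback = callback

    def approve(self, change_id, employee):
        change = self.pending[change_id]
        if change.callback is None:
            raise PolicyViolation("no documented callback verification")
        if employee in change.approvers:
            raise PolicyViolation("sign-offs must come from different employees")
        change.approvers.append(employee)
        applied = len(change.approvers) >= self.REQUIRED_APPROVERS
        if applied:   # only now does master data change
            old, req = self.vendors[change.request.vendor_id], change.request
            self.vendors[old.vendor_id] = VendorRecord(
                old.vendor_id, req.new_routing, req.new_account, old.verified_phone)
        return applied

    def remittance_for(self, vendor_id):
        v = self.vendors[vendor_id]
        return v.routing, v.account

def _attempt(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except PolicyViolation:
        return "rejected"

def demo():
    """Walk the overseas-vendor claim example above through the control."""
    wf = RemittanceChangeWorkflow([VendorRecord("V-100", "011000015", "123456789", "+86-755-0000-0001")])
    req = ChangeRequest("V-100", "026009593", "987654321", phone_in_message="+86-755-9999-9999")
    cid = wf.submit(req)
    out = {}
    out["callback_to_number_in_email"] = _attempt(
        wf.record_callback, cid, Callback(req.phone_in_message, "Mr. Li", "2015-01-12", True))
    out["approve_without_callback"] = _attempt(wf.approve, cid, "ap.clerk")
    wf.record_callback(cid, Callback("+86-755-0000-0001", "Ms. Chen (AR)", "2015-01-12", True))
    out["after_first_signoff"] = wf.approve(cid, "ap.clerk")
    out["same_employee_twice"] = _attempt(wf.approve, cid, "ap.clerk")
    out["after_second_signoff"] = wf.approve(cid, "ap.manager")
    out["remittance"] = wf.remittance_for("V-100")
    return out
```

The point to notice is that `verified_phone` is never writable from a change request; if the phone number in the incoming message were used for the callback, the fraudster would simply confirm their own instructions, which is why the paper insists on a previously established contact. The `vendor_confirmed=False` path covers the case where the known contact says no such change was made: the request is discarded rather than left pending for someone to approve later.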

Details of the three endorsements currently offered:

1. Carrier 1 is now offering SEF coverage under a Payment Instruction Fraud endorsement, through which it extends either a $250,000 sublimit or a $1,000,000 sublimit with a 50% coinsurance provision.

2. Carrier 2 is offering SEF coverage under a Social Engineering Fraud endorsement, which allows an insured to obtain up to a $250,000 sublimit.

3. Carrier 3 is offering a new insuring agreement titled Deception Fraud, which may be added by endorsement upon policy renewal. This endorsement offers a $15,000 limit with a $5,000 deductible. Optional higher limits are being considered for the future.

Conclusion

It is the position of Lockton Companies that the insurance market should make coverage options for SEF losses available, and we will continue to monitor the development of the coverage endorsements being offered in order to assess the best options based on our clients' unique needs and exposures. To date, however, we are seeing limited insurance protection available for this exposure.

© 2015 Lockton, Inc. All rights reserved. Images © 2015 Thinkstock. All rights reserved.