We have received numerous requests from businesses seeking to understand insurance coverage for phishing scams. Many of these businesses have become the victim of phishing attacks and are pursuing claims for coverage.
Scam I: Phishing
Computer email scams are increasing at an alarming rate. The FBI reports that companies have been swindled out of billions of dollars due to email scams over the past few years. To counteract this, the FBI recently issued public service warnings to businesses about criminals using bogus email accounts to pose as CEOs in order to trick financial controllers into wiring funds to the fraudsters’ bank accounts. See FBI’s Public Service Announcements, www.fbi.gov. Last year, Equifax, one of the three major credit reporting agencies in the US, announced a data breach affecting 143 million customers, in which hackers accessed Social Security numbers, birthdates, addresses, and driver’s license numbers.
Most companies have experienced these types of scams first-hand. The reason for this is that phishing scams have become more and more sophisticated over time. We all know to look out for that email from a Nigerian prince asking us to hold $10 million for them. We also know not to respond to a bank asking us to “click here” to verify user names and passcodes. With organizations, the scams have become much more sophisticated. Cyber criminals hack into an organization’s internal computer system so that they can send what look like bona fide emails from a CEO or CFO requesting the payment of invoices to a “new” bank, which coincidentally is located in China. Employees who get one of these emails from their management naturally respond asking for confirmation. Those replies are then intercepted by the cyber-criminal, who responds saying that all is OK.
Scam II: Insurance Company Response
Insurance companies are responding to these scams by offering specialized policies, for additional premiums of course, specifically addressing these risks, or by adding coverage to their standard Fidelity/Crime or Cyber Liability policies, typically under the moniker of “Deception Fraud” or “Social Engineering” insuring agreements. As with most things in the world of insurance, the devil is in the details, and some of the insurance coverage bought specifically to cover phishing scams is worthless.
Here’s how many insurance companies are deceiving their corporate policyholders. “Deception Fraud” and “Social Engineering Fraud” are so broadly defined in the policies that they cover nearly every possible computer scam. For example, in the currently available Private Choice Premier Policy, Crime Coverage Part offered by The Hartford Insurance Company, “Deception Fraud” is defined as “the intentional misleading of a person to induce the Insured to part with Money or Securities by someone, other than an identified Employee, pretending to be an Employee, owner of the Insured, . . . a Vendor, a Customer, a Custodian, or a Messenger.” Incredibly broad, which is exactly the protection companies want against these risks, right? Not so fast. This coverage may come with a very small sub-limit of $50,000-$100,000, whereas other coverages under these same policies may have limits of between $1-$5 million.
What’s even worse (and here comes the true deception) is the fact that insurers often take the position that losses falling under “Deception Fraud” or “Social Engineering Fraud” cannot also be covered under other, higher-limit insuring agreements, such as “Computer Fraud” or “Funds Transfer Fraud” (which are typical coverages in Fidelity/Crime policies). Insurers argue that, despite higher limits under other coverage grants, the loss nonetheless must be recognized as a “Deception Fraud” or “Social Engineering Loss” only, subject to a small limit of insurance. In other words, heads insurers win, tails policyholders lose. Given this widely adopted position of insurers, policyholders would have been better off rejecting these new, highly promoted enhancements to coverage and relying upon the coverage they previously had.
Insurance Coverage for Phishing
There’s nothing more disappointing and frustrating than to spend thousands, if not hundreds of thousands, of dollars buying insurance policies to protect against the risk of fraud, only to have an insurance company argue that it sold a nearly worthless policy. Corporate policyholders should review their current and prospective policies to spot this and other clever limitations, and demand appropriate changes. If a company has already become a victim of phishing, however, it is not too late to challenge an insurance company regarding this kind of position, which creates an unnecessary and unwarranted gap in coverage, and to retain coverage counsel to assess all options.