Cyber attacks and data breaches seem to be making headline news almost daily. As the cyber-security industry evolves and becomes more sophisticated, however, cyber criminals are increasingly targeting an age-old vulnerability – the human element. Recently, there has been an uptick in “social engineering scams,” including phishing and spear phishing scams, in which cyber criminals trick the recipient of an email that was ostensibly sent from a trusted source into transferring money, providing account information, or paying an invoice delivered via the fraudulent email. Experts estimate that over 90% of cyber attacks start with a phishing email. While many companies carry commercial cyber and crime liability insurance policies, some are learning that they may not be fully covered if they fall victim to one of these scams.
Understanding the Risk
Spear phishing scams target specific individuals or employees within an organization by exploiting information available online through business websites or social media accounts to send customized, accurate, and compelling emails designed to lure the target into clicking on an infected link or attachment. Once opened, the link or attachment executes malware that leads the target to a specific website and allows the hackers to carry out a targeted attack. Many recent and well-publicized breaches, including the JP Morgan, Home Depot, and Target hacks, were attributed to spear phishing scams.
Other types of spear phishing scams go one step further, targeting an individual or business via a trusted vendor. Here is how it works: your company receives an email from a third-party service provider requesting payment of a recent invoice through the vendor’s “new” payment processing system or asking you to update your account information. A link to the system is provided in the email, and payments are made directly online and without suspicion, or you provide your account details, allowing the hackers to initiate unauthorized transfers. As soon as you realize your company’s loss, you report a claim to your insurance carrier or look to your vendor for restitution.
Spotting Coverage Gaps
Cyber and crime insurance policies focus primarily on first-party coverage and will generally insure against the costs and losses associated with breach response, investigation, and liability related to disclosure of private information. But what happens when your company’s loss is simply the result of paying a fraudulent invoice? Insurers have started to push back, distinguishing these targeted spear phishing attacks from typical data breaches by asserting as a coverage defense that the payments were authorized and made voluntarily by the targeted business, even where the business was innocently misled into making the payment or divulging account information. Many companies are surprised to learn that there is a gap in their cyber and crime policies for this type of cyber theft.
Further, these issues are the subject of pending litigation and there is not yet a clear answer as to who bears liability in these situations. Is the vendor liable to the victim company for fraudulent emails that are sent through its system? In certain cases, the answer may be yes. In other cases, however, the victim company may have no recourse against its vendor.
Preparing for the Future
Whether your company ends up as the targeted vendor or the victim payee in this scenario, if it has or intends to obtain cyber and crime insurance it should carefully review those specific coverages and all of its commercial liability policies as a whole to understand the scope and limitations of the coverage currently in place. A comprehensive coverage review just might identify gaps in first- and third-party coverage that, if addressed, could leave your company better protected in the future.