Social engineering techniques such as Phishing, Whaling, Spear Phishing, Pharming, and Impersonation Fraud have become a significant and widespread problem in recent years. The insurance industry has made efforts to keep these risks in mind for cyber liability policies. Sometimes language is added that will protect a company, but sometimes language is added to a basic policy that would not protect a business against these specific risks.
The President's Letter
In the scam referred to as "The President's Letter," someone in accounting receives an email that looks like it came from the president of the company. The sender asks the recipient to wire money to the sender's account. This "impersonation" scheme has caused billions of dollars in losses over the last couple of years.
Friday Afternoon Fraud
Lately, the scam has changed into something more dangerous because it seems more relevant to the recipient and is harder for trained employees to debunk. "Friday Afternoon Fraud" (so called because the scam was initially sent on the idea that a bank would not be able to flag the transaction quickly or be as responsive, making it more successful for the scammer) starts when someone hacks into your email account via malware, brute force, or leaked credentials.
The hackers will then monitor your messages, waiting for communication that involves an exchange of money. What they are looking for is a hint that you are sending payment to someone or requesting wiring instructions. The intruder then strikes, using social engineering tactics in the email exchange: different wiring instructions are sent that instead route the funds to the intruder.
On the vendor side, they are watching for you to send an invoice to a client. They send a fabricated email with fraudulent instructions, and your client pays your invoice to them. This scam further hurts your business in that you are left with a client who will no longer pay your invoice because they paid it already, albeit to the wrong individual. If you are the one paying, you have "paid" an invoice but will have no product or service from your vendor because you sent funds to the wrong party.
How You Can Protect Your Business
Social engineering protection is available on both a Crime Policy and Cyber Policy. It pays for losses when your employees mistakenly wire funds. Social Engineering coverage may not cover Invoice Impersonation where your client pays a fraudulent invoice. These schemes are new, and not all cyber policies have kept up with the loss trend. Purchasing coverage from an expert is critical to make sure that you are adequately covered.
Procedures Should Also Be Developed As Part Of Your Risk Management Plan
Significant limits are not always easily available, so employee training is essential, as are good, solid business practices such as verifying wiring change instructions. The right insurance can save you lots of money and heartache.
Do you have protection?
We have seen losses with clients of every size, shape, and level of sophistication. You may have been offered this coverage in the past and felt comfortable with your internal systems of software and employee training. Even organizations with red flag procedures in place could be at risk. If you don't have Cyber or Crime coverage, consider purchasing them. Check in with us! We will be happy to assist.
5 Tips For Applying For Cyber Liability Insurance
For cyber coverage to be sufficient, it requires a high level of due diligence on the part of prospective policyholders. To get the most out of your policy, you will want to consider the following best practices when applying for cyber insurance:
1. Gather accurate data. Before the application process, it's critical to speak with your information technology (IT) management team and any vendors you utilize in order to collect accurate data. It's essential to quantify the data on your network. Above all, get a reliable estimate on how much personally identifiable information you have, including employee data.
2. Be honest. To complete the application process correctly and get the best possible policy, honesty is essential. When working with your insurer, be clear about your organizational setup, security protocols, and breach history. Not only will this help in securing adequate coverage, but it will also reduce the risk of your policy being voided if carriers find out you were dishonest during the underwriting process.
3. Don't wait. Even if your organization hasn't taken the appropriate steps to reduce its cyber risk, going through the cyber insurance application process can help identify exposures. Your insurer can work with you to get the best coverage possible today, leaving room to negotiate down the line when your data security methods are stronger.
4. Involve the right people. The application process for cyber insurance can be complicated, and it's important to have key personnel help you. In order to complete a cyber liability insurance application, an organization may need to work with their risk managers, IT professionals, HR department, financial officers, the board of directors, executives, privacy officers, marketing team and legal professionals.
5. Work with experienced brokers. Because cyber insurance is relatively new, some brokers are more experienced in the underwriting process than others. To get the most out of your policy, work with a carrier who can accurately assess your exposures and offer your organization the best protection. More experienced brokers can even provide details on how similar companies in your industry handle cybersecurity.