SFAA General Counsel Robert Duke discusses social engineering scams and changes to crime policy
Thursday, August 10, 2017
Social engineering scams prompt coverage litigation, crime policy changes
By Erin Ayers, Advisen
Recent court decisions have offered conflicting views on whether and how crime insurance policies should respond to social engineering scams, reflecting an ongoing industry discussion on how best to handle this rising tide of crime.
In late July, the United States District Court for the Southern District of New York ruled that the “funds transfer fraud” provision in a crime policy issued to Medidata Solutions by Federal Insurance, a Chubb subsidiary, would cover the loss of funds due to spoof emails directing a wire transfer. In a similar case decided Aug. 1, American Tooling Center v. Travelers, the United States District Court for the Eastern District determined that the “computer fraud” provision of a Travelers policy would not cover a similar social engineering scam.
The Court stated, “Although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the ‘use of any computer to fraudulently cause a transfer.’ There was no infiltration or ‘hacking’ of ATC’s computer system. The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.”
The cases added a new layer to the issue and offer a few takeaways, according to Roman Itskovich, founder and chief risk officer for CyberJack, a cyber insurance startup with roots in the tech world. He commented, “The comparison is interesting because it clearly demonstrates two trends. The first: there’s a lack of general understanding of what is and what is not covered under cyber related coverages. The many variations of cyber coverage wording in the market and the relatively small amount of case law in this space doesn’t help. Furthermore, explicit exclusions of cyber triggers are not common in many policies. The second is that cyber attack vectors permeate increasingly more lines of traditional, non-technological insurance.”
However, while case law is still being hashed out, the insurance industry appears to have already come up with a solution – loss of funds due to social engineering or impersonation fraud should be covered by endorsements on crime policies. Experts say that updates to the “computer fraud” provisions of crime policies were long overdue, having been drafted in some cases decades ago, and should reduce litigation in coming years.
“Lots of people have blurred the lines or had trouble distinguishing between cyber insurance and crime insurance,” said Bill Jennings, crime manager with Beazley. “We try to oversimplify the distinction. If there’s money that’s missing, that’s a crime policy. If there’s data missing, that’s cyber.”
Cyber policies can also act as excess coverage or difference-in-conditions over crime policies, according to Robert Parisi, cyber product leader for Marsh.
“The one thing that these two cases can do is make clear to the buyer that this isn’t well settled,” said Parisi, adding that pressing insurers for clear policy language is key. He predicted brokers would hold insurers’ “feet to the fire” for broad coverage.
He added, “What we’re telling clients is, ‘look at how your risk profile is changing.’ Social engineering is a fact of life and there are ways to manage the risk.”
“There’s a whole host of ways to minimize this type of activity happening, not the least of which is better employee training,” he said. “At its core, this is a people and process issue. Don’t turn a blind eye to what is a developing, evolving, and here-to-stay issue.”
Parisi noted, “Crossing your fingers and hoping for the best is never really the best business model.”
The confusion and ambiguity in these cases derives from old policy language – language that should clearly cover social engineering, according to Scott Godes, partner with Barnes & Thornburg, LLP. Courts finding coverage under crime policies have made the right call, with ambiguous language decided against the policy drafter being a bedrock principle of contract litigation, he told Advisen.
“The insurance industry should write clear forms and they should honor the forms that are open-ended and unclear,” Godes said. “Rather than fighting the policyholders on every claim, they should pay.”
The Surety and Fidelity Association of America, a trade group that develops standard forms for use by insurers, is in the process of updating crime forms to make clear that social engineering scams weren’t envisioned as part of the traditional crime policies and instituting endorsements to the policy. Robert Duke, the SFAA’s general counsel, told Advisen that association members say social engineering represents a top concern – hence the efforts to revise wording to make explicit what computer fraud is meant to cover.
“Everything we do today involves a computer, whether it’s communication or typing a letter,” said Duke. “If a court interprets computer fraud to mean simply a loss caused by fraud and a computer is involved, that interpretation would convert what was intended to cover computer fraud into covering all fraud.”
The original computer fraud provision envisioned scenarios involving no intervention by employees of the affected organization, but rather hackers or outside parties directly tampering with an insured’s computer systems to effect funds transfers, he explained.
Now, coverage expressly designed for social engineering is more readily available, Duke added, a newer development over the last 24 months.
With most insurers offering specific endorsements, crime underwriters can more effectively price and underwrite the risk, with a specific eye toward the controls put in place by insureds to avoid social engineering. Beazley’s Jennings told Advisen that the Medidata and American Tooling cases originated in 2014 and 2015 – at a time when social engineering scams were less frequently addressed by insurance policies.
“Three years on the internet is like 1,000 years. Where we are right now is not as gray and fuzzy as it would have been three years ago,” he said. “It was never our intent to be picking up that type of social engineering loss under a computer fraud provision. These days, it’s much more black and white.”