In the context of cybersecurity, social engineering refers to a cyberattack method in which a cybercriminal preys on key human behaviors (e.g., trust of authority, fear of conflict and promise of rewards) to obtain unwarranted access to victims’ technology, funds or data. These attacks can be deployed through various tactics, such as digital impersonation, deceitful messages of malware. Social engineering attacks have become a significant threat for all levels of businesses across industry lines; after all, anyone can be targeted in these incidents – including entry-level workers, managers and CEOs.
To combat social engineering exposures, some businesses have sought risk transfer in the form of insurance. However, they may encounter challenges when trying to find coverage for social engineering attacks within traditional crime or cyber insurance policies. As such, it’s important for businesses to have a clear understanding of coverage options for these incidents.
This article provides more information on social engineering attacks, outlines coverage considerations for such incidents and offers additional mitigation measures for businesses to implement.
In a social engineering attack, a cybercriminal utilizes a number of manipulative tactics to lure their target into performing actions that they normally wouldn’t – namely, sharing confidential details (e.g., login credentials or company data) and granting access to funds or technology. Some common social engineering attack methods include:
Regardless of attack technique, a cybercriminal typically utilizes social engineering to commit fraud against another party, such as the target’s financial institution(s), employer or company stakeholders. Specifically, a cybercriminal may launch a social engineering attack in an attempt to get their target to wire funds, permit access to workplace networks and intellectual property, divulge sensitive information regarding their employer’s customers or send fraudulent invoices to vendors.
The consequences of social engineering incidents can be substantial. According to recent research from the FBI, these attacks cost impacted businesses an average of $130,000 in lost funds and compromised data. With this in mind, it’s vital for businesses to secure proper coverage to protect against potential losses from social engineering attacks.
While some businesses have looked to their traditional crime and cyber insurance policies to cover losses stemming from social engineering attacks, these policies may not offer adequate protection for sure incidents. Generally, the level of coverage that these policies can provide for social engineering attacks (if any) will vary based on the specific policy wording.
In particular, standard crime insurance policies usually cover losses resulting from “direct theft” of money, securities and other property by an employee or contractor within a business, such as a dishonest employee intentionally hacking workplace technology and wiring company funds into their personal bank account. Yet, social engineering attacks that involve honest employees being tricked by cybercriminals into transferring company funds to external accounts would likely not qualify as direct theft, thus excluding these incidents from coverage. Furthermore, some crime insurance policies exclude losses stemming from cyber incidents altogether.
In the scope of cyber insurance, traditional policies generally offer coverage for losses stemming from targeted system breaches and technology failures. However, social engineering incidents often don’t involve these elements, as employees are tricked into openly participating in the attacks. Consequently, some cyber insurance policies may also exclude these incidents from coverage.
Nevertheless, it’s important to note that some court cases have rules in favor of policyholders utilizing traditional insurance policies to protect against social engineering losses. For example, in the 2022 case of Ernst and Haas Management Company Inc. (the policyholder) v. Hiscox Inc. (the insurance carrier), the 9th U.S. Circuit Court of Appeals ruled the policyholder was entitled to coverage under a standard crime insurance policy for losses resulting from a social engineering incident, qualifying the incident as direct theft.
Despite the results of this particular case, businesses should still consider purchasing additional, specialized coverage to ensure sufficient protection for social engineering losses. Primarily, social engineering insurance can be leveraged as an endorsement on either a traditional crime insurance policy or a standard cyber insurance policy, with specific coverage capabilities depending on the nature of the attack and type of fraud involved. However, some carriers may prefer to provide this endorsement solely on crime insurance policies, seeing as these policies can be better positioned to protect against first-party losses (including those resulting from social engineering incidents) than their cyber counterparts.
In addition, businesses should consider utilizing the same carrier for both their crime and cyber insurance policies. This practice can make it easier to identify potential gaps or overlaps between the two forms of coverage, especially as it pertains to protection for social engineering losses. Further, having the same carrier for both policies can help foster open communication between underwriters, establish suitable policy limits and streamline the claims process. Altogether, using the same carrier for crime and cyber insurance can help businesses maintain effective coverage tailored to their unique risks and exposures.
Apart from securing proper coverage for losses resulting from social engineering attacks, it’s also critical for businesses to take steps to prevent these incidents and minimize their impact. Here are some mitigation techniques that businesses can implement.
In summary, social engineering attacks are a notable cyberthreat for businesses of all sizes and sectors, making proper prevention and protection measures increasingly vital. By understanding social engineering tactics, securing adequate coverage and implementing effective mitigation techniques, businesses can successfully safeguard themselves against these incidents. For additional insurance guidance and solutions, contact us today.
The information contained within these materials are confidential and not to be distributed. Use of and access to this information, site, or any of the links contained within this document does not create a relationship between the recipient and CoverEase.