The number of employees working remotely has risen sharply due to the COVID-19 pandemic. As your company’s computing footprint expands, cybercriminals are seizing the opportunity to launch a growing number of cyber-attacks. Social engineering fraud, and fraudulent impersonation schemes in particular, have become common. Understanding and preserving your insurance coverage is critical to protecting the company from such losses.
What is the risk?
Fraudulent impersonation occurs when an imposter induces an employee to make fraudulent payments. The imposter, posing as a current vendor of the company, may issue an official-looking invoice with new banking information that redirects payments into an account controlled by the imposter. Often, the imposter has previously compromised the company's or the vendor’s systems and accessed accounting details that allow them to easily deceive the company into believing the request is legitimate. These schemes account for substantial losses in the U.S. In 2019, the FBI’s Internet Crime Complaint Center received a total of 23,775 email compromise complaints that caused over $1.7 billion in losses.
What insurance coverage is available?
Coverage for losses caused by fraudulent impersonation is often provided under a Commercial Crime Policy and/or a Cyber Policy. Historically, Crime Policies have afforded coverage for such losses, because the exposure typically arises from weaknesses in accounting controls rather than from a company’s IT security. In the past five years, however, Cyber Policies have expanded their coverage to include losses caused by fraudulent impersonation schemes.
What is a common precondition of the available coverage?
Insurance companies often include, as a precondition of the coverage, that the policyholder use dual authentication, or out-of-band authorization, to verify the authenticity of payment instructions. Dual authentication requires that the company send a confirming communication by a means other than the original communication, to confirm that the original communication was authentic. For example, if the company’s accounting department receives an email request to alter a vendor’s banking information, personnel from the department must call the vendor to verify the request. If the company does not follow its dual authorization process and makes payment based on the fraudulent instruction, it may be unable to obtain coverage for the loss of the transferred money.
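As an added example (not from the original article), the following Python check encodes the out-of-band rule above for a vendor bank-detail change: the confirmation must travel over a different channel than the request and must use contact details already on file, never those printed on the suspicious invoice. The function and field names and the sample vendor record are assumptions.

```python
# Added example: enforce dual (out-of-band) authorization before applying a
# vendor bank-detail change. Names and the vendor record below are assumptions.
from dataclasses import dataclass


@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    channel: str              # channel the instruction arrived on, e.g. "email"
    contact_in_request: str   # phone/email printed on the invoice or in the email


@dataclass
class Confirmation:
    channel: str              # channel used for the callback, e.g. "phone"
    contact_used: str         # number or address actually contacted
    confirmed_by: str         # employee who performed the callback


# Constructed vendor master record: contact details known BEFORE the request.
VENDORS_ON_FILE = {
    "V-1001": {"phone": "+1-555-0100", "email": "ap@vendor.example"},
}


def approve_bank_change(req, conf, vendors=VENDORS_ON_FILE):
    """Return (approved, reason).

    Approves only when the confirmation used a different channel than the
    request and reached a contact already on file for the vendor, so an
    imposter cannot steer the callback to a number they supplied themselves.
    """
    known = vendors.get(req.vendor_id)
    if known is None:
        return False, "unknown vendor"
    if conf.channel == req.channel:
        return False, "confirmation must use a different channel than the request"
    if conf.contact_used == req.contact_in_request:
        return False, "confirmation used contact details supplied in the request"
    if conf.contact_used not in known.values():
        return False, "confirmation contact is not on file for this vendor"
    return True, "approved via out-of-band confirmation by " + conf.confirmed_by
```

Recording the returned reason alongside the change gives the audit trail an insurer will ask for when a claim is made.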
What should you be doing to protect against such loss?
Review and understand the scope of coverage afforded for losses caused by fraudulent impersonation schemes under your company’s crime and cyber liability policies, and identify any preconditions to that coverage, including the use of dual authorization processes. Implement any required processes, educate the appropriate personnel on their use, and monitor compliance. These simple measures may prevent a loss from occurring in the first place, and will ensure the company has the insurance it needs if a loss does occur.