Cybercrime insurance is something organizations should consider in the current age of heightened and ever-increasing cybercrime activity. That said, when reviewing current or potential cybercrime coverage, keep in mind that it may not include damage caused by employees being fooled by sophisticated scams that use social engineering tactics. Even where an endorsement covering social engineering fraud is available, some schemes, such as ‘Funds Transfer Fraud’, are not likely to be covered. If the insured organization’s employees voluntarily make a fraudulent money transfer, not knowing they are being duped into doing so, insurance coverage won’t apply.
This situation was laid out in a recent Alberta court case, Brick Warehouse LP v Chubb Insurance Company of Canada. In this case, two Brick employees were contacted by people claiming to be from Toshiba. The callers advised that Toshiba was changing its bank account information, so The Brick updated its records. Subsequently, more than $300,000 was paid to the false account before The Brick discovered the fraud.
Chubb denied coverage for the claim. In The Brick’s policy with Chubb, funds transfer fraud is defined as “the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.”
Since a Brick employee gave instructions to the bank to transfer the funds, it was done with the insured’s knowledge and consent. The fact that they were fooled into doing so is not the responsibility of the insurance company. It simply points to the fact that the insured’s employees need to be better trained to spot fraudulent activity.
Lessons to be learned from this story are:
- Cybercrime insurance will not provide complete protection against loss.
- Ongoing cybercrime security awareness training is a must. Experts agree that an organization’s people represent the greatest cyber security risk.