Fraudulent impersonation and cyber insurance

By: Cara Murray, Assistant Vice President, Alliant

The Treasurer gets an email from the CEO directing that money be wired out in connection with a hot new deal. Or a vendor emails a new invoice with updated wire transfer instructions. The money is sent. Except, the directions did not come from the CEO, and the invoice did not come from the vendor. These communications came from someone fraudulently impersonating them. The money has been stolen.

This “employee gets tricked into voluntarily sending money to a thief” kind of situation is what social engineering (or operational failure) fraud coverage responds to. Since the money has been stolen, a crime policy is the obvious first avenue of potential recovery. This is also the first place where insurers initially tried to deny coverage and then crafted policy language to provide the coverage, often with a sublimit and for an additional premium.

Another place a company may think to look for coverage in these social engineering fraud events is a network security and privacy / cyber policy. As many of these fraudulent instructions come via falsified email addresses or through compromised email accounts, the issue is sometimes viewed as a cyber issue. That said, cyber policies tend to explicitly exclude loss of funds/monies/securities. That’s the main differentiator between cyber coverage and crime coverage when it comes to computer hacking – cyber covers the loss of data, crime covers the loss of money. Increasingly, though, insurers are offering to add social engineering fraud / fraudulent instruction coverage onto cyber policies.

In order to have fraudulent instruction coverage under a cyber policy, the exposure has to be specifically endorsed onto the policy. Several carriers offer endorsements for cyber policies that carve back the exclusionary language to provide coverage for the loss of money as a result of a fraudulent instruction event. As on crime policies, the fraudulent instruction coverage endorsed onto cyber policies is usually subject to a sublimit.

Fraudulent instruction coverage as part of a cyber policy falls under the “First Party Coverages,” where it is added as its own insuring agreement most of the time, because the coverage is so different from what would otherwise be available under a cyber policy. The coverage triggers the same way it would in a crime form: when there is a fraudulently induced transfer of money based on instruction from someone purporting to be an authorized employee, outsourced provider, or customer of the insured, but who was not actually one of those parties.

So why would an organization want this coverage attached to its cyber policy rather than to its crime coverage? A few differences in the structure of each kind of coverage suggest different strategies when it comes to overlapping coverage. First, the matter of the deductible – it is not uncommon for the deductible on one of a company’s cyber or crime coverages to be lower than the other. Second, the matter of limits – cyber carriers tend not to offer sublimits as high as those available on the crime side. Additionally, a company having coverage under both the cyber and the crime policies effectively raises the total limit available for a fraudulent instruction event. Third, the policy type – crime coverage does not always have an aggregate limit, and so the sublimit that applies does so on a per occurrence basis, whereas in cyber policies, the sublimit is offered as a single aggregate for the full policy period.

As there can be coverage for this kind of exposure under both the crime and cyber policies, it is also possible for a company to have coverage in both places. In such situations, one of the policies will need to be amended to specify that it will respond first in the case of a fraudulent instruction event. The decision of which policy should respond first will depend on the structural differences mentioned above.

With the right coverage, the story doesn’t have to end at “the money was stolen.”