Email, networked computers, smartphones and a range of handy apps drive the way we communicate. A variety of web-based order, procurement, financial, banking, HR and other business management platforms now control how we do business.
With such complexity and reliance on technology comes a sophisticated spectrum of electronic threats: from viruses and disruptive malicious software to highly motivated hackers, petty criminals and organised crime. Then there are the acts of careless or disgruntled employees – and even random cyber-saboteurs with no agenda other than scoring cheap and illegal thrills.
The tasty targets for cyber criminals tend to be confidential client information – useful for ID theft – and banking details for straightforward access scams like phishing and robbery by false invoicing. If a client runs an eBusiness for example, a denial of service (DoS) attack that paralyses their website or a ‘ransomware’ attack that locks systems or information until a release fee is paid can stop their business dead in its tracks.
The subsequent damage can be financial, reputational, legal and regulatory in nature – and far-reaching in impact. In addition, changing regulation like GDPR places an even higher duty of care on firms handling personal data. In the event of a breach, fines can be imposed of up to 4% of annual global turnover, or €20m, whichever sum is greater. An investigation into a data breach will take into account how prepared a firm was for a cyber attack and whether the firm took all appropriate measures to secure its clients’ data.
Cyber crime - a law firm case study
Type: Server hack and email hijack for invoice fraud.
Scenario: A medium-sized legal practice emailed invoices to nine of its clients, giving bank account settlement details and a standard request to settle payment in 30 days. The practice manager contacted one of the clients after two weeks without any payments and the client confirmed they had settled the invoice immediately on receipt using the banking details given.
Sting: The client sent the firm the payment details and the practice manager checked them against a bank statement. The bank details didn’t match and payment had been made to a bogus firm with a similar name. Calling the other clients, the practice manager discovered to her horror that all other eight invoices had been paid using the rogue details.
Investigation: Criminals had hacked the legal practice’s server, intercepted the genuine invoice emails and replaced them with the fraudulent versions which they then sent to the firm’s clients. By the time the fraud was discovered, the money was already long gone.
Conclusion: Up-to-date anti-virus protection, together with the latest versions of the internet browser and computer operating system, may have prevented the fraudulent hack.
Source: Solicitors Regulation Authority (SRA) – Risk/Outlook Report 2016/17/Case Studies – Information & Cyber Crime
The problem with cyber risks is the speed at which they evolve. ‘Social engineering’ fraud has now become endemic throughout North America and Europe. These incidents are occurring more frequently, the individuals behind them more sophisticated, and the costs to corporations are soaring.
In a typical case of social engineering fraud, information is gathered through the internet or other forms of social media. Fraudsters convince unsuspecting employees to act voluntarily to divulge sensitive information or to perform some task on the fraudster’s behalf.
Examples of Social Engineering Fraud:
Mandate Fraud - Employee receives a phone call from an individual who they believe to be a genuine supplier. The fake supplier advises that their bank details have changed and payment is to be made to a new account. Going through procedure, they advise the request must come in writing via email or on company letterhead. The employee later receives an email from what appears to be the supplier, complete with the supplier’s signature at the foot of the email. The employee proceeds to change the bank details and payment is issued. Sometime later, the genuine supplier requests payment, indicating that the original payment was never received. Further investigation will identify that the requests were fraudulent.
Fake President Fraud - A mid-level finance employee is the last left in the office one evening. He receives a phone call from an individual who identifies himself as the CEO of the company. He explains that there is a major acquisition about to take place, that the deal must close tonight and that he cannot get a hold of anyone else in the finance team to process the payments.
The employee explains that he only has the remit to transfer funds up to £50,000 and that no-one else is in the office to countersign the transfer. The ‘CEO’ grows more irate as the employee refuses to transfer the funds, repeatedly telling him that he is granting the necessary authority. Eventually the ‘CEO’ persuades the employee to circumvent the established procedure by issuing multiple £50,000 transfers, totalling £500,000. It is discovered on the next business day that the company has been defrauded.
Falling between the policy cracks
Most companies believe that social engineering fraud would be covered under either a Cyber Liability policy or a Crime insurance policy under the computer/funds transfer fraud extension. However, claims similar to the scenarios above are being denied by insurers. The market argues that neither policy type covers social engineering fraud as standard.
What do my policies cover?
Cyber Liability - A Cyber Liability policy (often just referred to as ‘Cyber’) only covers the costs associated with a data breach when third party client data is stolen. Therefore coverage is not triggered by social engineering fraud, as no client data is taken. Note that it will not cover fines and penalties, such as those that may result from a data breach following the implementation of the GDPR on 25 May 2018.
Crime: Computer Fraud - If you have the Computer Fraud extension on your Crime policy, the insurer pays the insured for a direct loss of money sustained by the insured resulting from computer fraud committed by a third party. Computer Fraud is defined as the unlawful taking of money resulting from a computer violation. Since in many social engineering cases losses occur as a result of employees being duped into taking action by a third party, the Computer Fraud extension would not be triggered: the third party is not directly controlling or influencing the company’s computer systems, and the loss follows action taken by an internal, not an external, party.
Crime: Funds Transfer Fraud - If you have a Crime policy with a Funds Transfer Fraud extension in place, the insurer pays for direct loss of money sustained by the insured resulting from fraudulently transferred funds committed by a third party. This includes any fraudulent written, electronic, telegraphic, cable, teletype, or telephone instructions, other than forgery, issued by the insured to a financial institution, directing such institution to transfer, pay, or deliver money from the insured’s account without the insured’s knowledge or consent. As with computer fraud, coverage for social engineering fraud is not triggered, because the funds were transferred with the insured’s knowledge or consent. In a social engineering fraud the insured had knowledge and gave consent, albeit on a mistaken basis, and therefore the traditional coverages are not triggered.
Most firms are not quite sure where a social engineering fraud loss would be covered. It is often assumed that theft/fraud would be covered by a commercial insurance policy.
Crime or a Cyber policy; it is evident that when it comes to social engineering fraud, not all policies provide the scope of coverage one might immediately presume.
It is also a common misconception within law firms that a PI policy will respond to these losses, but in truth many different factors can influence the response of the PI policy. It is therefore necessary to avoid a silo mentality when considering Cyber and Crime policies; due consideration to the interaction with your PI policy is required.
Specific coverage for social engineering fraud has to be endorsed on to a Crime policy and insurers such as AIG, ACE, AXIS, Chubb, QBE, RSA, Travelers, and XL all provide some form of coverage. In many instances, insurers will require an additional proposal form and may only agree to a sub-limited amount for social engineering fraud.
Meanwhile, some Cyber policies are now being widened to take social engineering losses into account - bridging the gap between Crime and Cyber policy wordings.
Gallagher’s Cyber and Crime teams are at the forefront of these developments. We have specialist Cyber solutions available to help professional services firms manage everything from traditional data hacks, through to more sophisticated fraud risks.
Our policies also come with additional third party support built in, meaning that in the event of an incident, we can help get your firm back up and running more quickly.