Cybercrime by Wire Fraud – What’s Covered?

Think your cyber liability insurance will protect loss of funds? Read the fine print.

Perhaps the only thing worse than falling victim to a business email compromise or “CEO fraud” that results in millions of dollars in wire fraud theft – is wondering whether your insurance will cover any of the loss.

Take Ubiquiti Networks Inc., for instance. The networking firm disclosed in August that cyber thieves recently stole $46.7 million using a growing scam in which cyber criminals spoof emails from executives at their company in a bid to initiate unauthorized international wire transfers.

The San Jose-based company said it discovered the fraud on June 5, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department. The funds were then transferred by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.

Ubiquiti was able to recover some of the money, but it continues to pursue $31.8 million in lost funds. “The company may not be successful in obtaining any insurance coverage for this loss,” the company said in a statement on August 8.

Such is the problem with many companies that think their insurance covers wire fraud incidents where cyber criminals get employees to wire cash to a fraudulent bank account and then disappear along with the funds. Since the funds are seemingly wired voluntarily, most commercial insurance policies don’t cover the loss.

Out of 31 leading cyber insurance providers, only eight cover fraudulent wire transfer, according to a 2015 cyber and privacy insurance survey by The Betterley Report. Of those eight insurers, “a lot have further restrictions if the insured is involved in the wire fraud,” says Garrett Droege, executive director of TechAssure, an international association of technology-related risk insurance experts. “That’s a problem with CEO fraud because the insured is almost always involved whether or not they know it. It’s one of those things that gives insurance a bad name.”

Wire transfer fraud is a skyrocketing revenue source for cyber criminals. Thieves stole nearly $750 million in BEC scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015, a 270% increase since January alone, according to a new FBI report.

Likewise, the cyber insurance market has grown to $2.75 billion, up from $2 billion in 2014, with most insurers reporting 26%-50% growth, according to The Betterley Report.

The fact is, commercial crime policies differ from cyber crime policies, and “each cyber crime policy is designed differently [by individual insurers], plus they’re modular and can cover anywhere from seven to 15 things,” Droege says. Theft of funds by cyber fraud may be one of those things covered, but not always. It’s a blurred line for many companies.

Sharpening the blurred line

Some insurers are taking steps to clear up the confusion over cyber coverage. For instance, specialist insurer Beazley, a unit of Lloyds of London, in June began offering “fraudulent instruction insurance,” a new coverage to address losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee. The new endorsement is for Beazley clients who currently carry its commercial crime policy, which covers general employee theft, forgery and other common business crimes. The insurance adds 10%-25% to the cost of a premium, depending on the company’s risk exposure.

“People are looking for a straight, clear, bright line” showing what is covered and what’s not, says Bill Jennings, head of Beazley’s commercial crime unit in New York. “That’s what our fraudulent instruction insurance provides.”

What is covered is an event where the insured company receives a fraudulent instruction that is allegedly coming to them from a vendor, client or senior management, instructing them to transfer funds, money or securities, and they act on those instructions, Jennings says.

What’s not covered is the fraudulent transfer of property – such as goods and merchandise – or anything that is not money or securities, he says. So far, Beazley has sold more than 50 of the policies, most of them to major retailers and manufacturing clients.

Coverage is limited to $250,000 – far below the multi-million dollar losses of recent, well-publicized frauds, but a realistic number for most companies. “Generally, most of the losses that we have seen have been in the low six figures, so a $250,000 limit makes sense and covers 90% of the exposure,” Jennings says, “but there are always exceptions.” Beazley has offered two companies “substantially higher limits than $250,000,” for a higher premium, Jennings says.

Beazley has already paid out a handful of claims for money lost due to fraudulent instruction, but all claims were for less than $250,000, he adds.

Low coverage limits like these don’t ease the anxiety for many large companies, however, and insurers are responding. Droege sees many insurers offering coverage of $10 million to $25 million on cyber policies that include wire fraud, and one recent policy was inked for $100 million in coverage, he adds.

Bring in the CSO to ask the right questions

One big problem in getting the fraud insurance coverage is that companies don’t know the right questions to ask. What’s more, brokers aren’t well versed enough to bring up those questions because cyber insurance is so new to the industry, Droege says.

“The conversation needs to get very deep,” he says. Insurers and companies should be asking: What are the chief concerns for the operations of the business as it relates to cyber incidents? What’s on the network? Who has access to the network? Is cyber extortion a concern? Is identity theft a concern? Once those questions are answered, executives can make sure those concerns are specifically covered in the insurance policy.

“Unfortunately there’s a big C-level disconnect in most organizations, and the CSO rarely has a seat at the insurance purchasing table,” Droege says. “The CSO needs to be actively involved in at least the cyber insurance conversation. They would be able to facilitate that conversation better than a CFO could.”

Read the fine print

Another problem with cyber policies is sublimits, a maximum placed on the amount available to pay a specific type of loss. “You can look at a summary page and see $5 million in coverage, but then you dig into the policy and there are all of these sublimits that you didn’t even know were there,” Droege says. “It’s in the policy, but you just have to read the fine print -- go through it line by line.”

An ounce of prevention

Prevention is far less expensive than losing money to cyber thieves. While executives hash out the terms of cyber insurance coverage, IT and accounting departments can take steps to lessen the risk of social engineering scams that lead to wire fraud.

Companies should start by taking a look at people, policies and procedures, says Stu Sjouwerman, CEO of cyber security awareness company KnowBe4 LLC in Clearwater, Fla.

When it comes to wire transfers, have policies in place with the bank for any transfers larger than a certain amount, and have two people sign off on the transfer, Sjouwerman says. Companies can also require the bank to obtain verbal approval from at least one C-level executive at the company who is aware of the transaction. “Preferably the executive should be calling the bank and initiating the OK instead of the executive being called by someone claiming to be the bank,” he adds.
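The controls Sjouwerman describes (a per-transfer threshold agreed with the bank, two-person sign-off, and a verbal confirmation that the executive initiates rather than receives) can be encoded as a pre-release check in an accounts-payable workflow. The following is an added example, not code from the article or from KnowBe4; the thresholds, the executive roster and the e-mail addresses are constructed values.

```python
"""Dual-control and call-back checks for outbound wire transfers.

Constructed illustration of the controls described in the article: a
per-transfer threshold agreed with the bank, two-person sign-off, and an
executive-initiated (outbound) verbal confirmation rather than an inbound
call from someone claiming to be the bank. Thresholds, addresses and the
executive roster are assumed values, not any real company's policy.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy thresholds (constructed for this example).
DUAL_CONTROL_THRESHOLD = 10_000.00     # above this, two independent approvers
EXEC_CALLBACK_THRESHOLD = 50_000.00    # above this, executive-initiated call-back

# Assumed C-level roster allowed to give verbal approval to the bank.
EXECUTIVES = {"cfo@example.com", "ceo@example.com"}


@dataclass
class WireRequest:
    amount: float
    beneficiary_account: str
    requester: str                               # who entered the transfer
    approvers: List[str] = field(default_factory=list)
    callback_by: Optional[str] = None            # executive who spoke with the bank
    callback_direction: Optional[str] = None     # "outbound" (we called) or "inbound" (we were called)


def evaluate_wire_request(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (release_ok, findings).

    release_ok is True only when every control that applies at this
    amount is satisfied; findings lists each failed control so the
    treasury team can see exactly what is missing before releasing funds.
    """
    findings: List[str] = []

    if req.amount > DUAL_CONTROL_THRESHOLD:
        # Separation of duties: the person who keyed the transfer does not
        # count as an approver, even if they also clicked "approve".
        independent = {a for a in req.approvers if a != req.requester}
        if len(independent) < 2:
            findings.append(
                f"dual control: need 2 approvers independent of the requester, "
                f"have {len(independent)}"
            )

    if req.amount > EXEC_CALLBACK_THRESHOLD:
        if req.callback_by not in EXECUTIVES:
            findings.append(
                "call-back: no C-level executive confirmed the transfer with the bank"
            )
        elif req.callback_direction != "outbound":
            # An inbound call "from the bank" is the scenario the article
            # warns about; only a call the executive placed counts.
            findings.append(
                "call-back: confirmation must be initiated by the executive, not received"
            )

    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample: a large transfer where the only confirmation was an
    # inbound call. Expected to be held for an executive-initiated call-back.
    sample = WireRequest(
        amount=75_000.00,
        beneficiary_account="HK-ACCT-PLACEHOLDER",
        requester="ap.clerk@example.com",
        approvers=["controller@example.com", "treasury@example.com"],
        callback_by="cfo@example.com",
        callback_direction="inbound",
    )
    ok, why = evaluate_wire_request(sample)
    print("release" if ok else "HOLD", why)
```

The function deliberately returns every failed control rather than stopping at the first, so a held transfer shows the full list of what still has to happen before release.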

Wire fraud thefts typically start with a simple phishing scam that allows thieves to enter the email server and learn the who, what, when and where of an organization. So security awareness training and penetration testing should be given to all employees.

“Test and train everyone, not just high-risk employees, and send them simulated phishing attacks,” Sjouwerman says. “It doesn’t matter if it’s the C-level or boardroom person who gets compromised or somebody in the mail room. The moment the thieves are in your network, they’re in,” regardless of the entry point.

Stories by Stacy Collett

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place