Perhaps the only thing worse than falling victim to a business email compromise or “CEO fraud” that results in millions of dollars in wire fraud theft – is wondering whether your insurance will cover any of the loss.
Take Ubiquiti Networks Inc., for instance. The networking firm disclosed in August that cyber thieves recently stole $46.7 million using a growing scam in which cyber criminals spoof emails from executives at their company in a bid to initiate unauthorized international wire transfers.
The San Jose-based company said it discovered the fraud on June 5, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department. The funds were then transferred by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
Ubiquiti was able to recover some of the money, but it continues to pursue $31.8 million in lost funds. “The company may not be successful in obtaining any insurance coverage for this loss,” the company said in a statement on August 8.
Such is the problem with many companies that think their insurance covers wire fraud incidents where cyber criminals get employees to wire cash to a fraudulent bank account and then disappear along with the funds. Since the funds are seemingly wired voluntarily, most commercial insurance policies don’t cover the loss.
Out of 31 leading cyber insurance providers, only eight cover fraudulent wire transfer, according to a 2015 cyber and privacy insurance survey by The Betterley Report. Of those eight insurers, “a lot have further restrictions if the insured is involved in the wire fraud,” says Garrett Droege, executive director of TechAssure, an international association of technology-related risk insurance experts. “That’s a problem with CEO fraud because the insured is almost always involved whether or not they know it. It’s one of those things that gives insurance a bad name.”
Wire transfer fraud is a skyrocketing revenue source for cyber criminals. Thieves stole nearly $750 million in BEC scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015, a 270% increase since January alone, according to a new FBI report.
Likewise, the cyber insurance market has grown to $2.75 billion, up from $2 billion in 2014, with most insurers reporting 26%-50% growth, according to The Betterley Report.
The fact is, commercial crime policies differ from cyber crime policies, and “each cyber crime policy is designed differently [by individual insurers], plus they’re modular and can cover anywhere from seven to 15 things,” Droege says. Theft of funds by cyber fraud may be one of those things covered, but not always. It’s a blurred line for many companies.
Sharpening the blurred line
Some insurers are taking steps to clear up the confusion over cyber coverage. For instance, specialist insurer Beazley, a unit of Lloyds of London, in June began offering “fraudulent instruction insurance,” a new coverage to address losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee. The new endorsement is for Beazley clients who currently carry its commercial crime policy, which covers general employee theft, forgery and other common business crimes. The insurance adds 10%-25% to the cost of a premium, depending on the company’s risk exposure.
“People are looking for a straight, clear, bright line” showing what is covered and what’s not, says Bill Jennings, head of Beazley’s commercial crime unit in New York. “That’s what our fraudulent instruction insurance provides.”
What is covered is an event where the insured company receives a fraudulent instruction that is allegedly coming to them from a vendor, client or senior management, instructing them to transfer funds, money or securities, and they act on those instructions, Jennings says.
What’s not covered is the fraudulent transfer of property – such as goods and merchandise – or anything that is not money or securities, he says. So far, Beazley has sold more than 50 of the policies, most of them to major retailers and manufacturing clients.
Coverage is limited to $250,000 – far below the multi-million dollar losses of recent, well-publicized frauds, but a realistic number for most companies. “Generally, most of the losses that we have seen have been in the low six figures, so a $250,000 limit makes sense and covers 90% of the exposure,” Jennings says, “but there are always exceptions.” Beazley has offered two companies “substantially higher limits than $250,000,” for a higher premium, Jennings says.
Beazley has already paid out a handful of claims for money lost due to fraudulent instruction, but all claims were for less than $250,000, he adds.
Low coverage limits like these don’t ease the anxiety for many large companies, however, and insurers are responding. Droege sees many insurers offering coverage of $10 million to $25 million on cyber policies that include wire fraud, and one recent policy was inked for $100 million in coverage, he adds.
Bring in the CSO to ask the right questions
One big problem in getting the fraud insurance coverage is that companies don’t know the right questions to ask. What’s more, brokers aren’t well versed enough to bring up those questions because cyber insurance is so new to the industry, Droege says.
“The conversation needs to get very deep,” he says. Insurers and companies should be asking: What are the chief concerns for the operations of the business as it relates to cyber incidents? What’s on the network? Who has access to the network? Is cyber extortion a concern? Is identity theft a concern? Once those questions are answered, executives can make sure those concerns are specifically covered in the insurance policy.
“Unfortunately there’s a big C-level disconnect in most organizations, and the CSO rarely has a seat at the insurance purchasing table,” Droege says. “The CSO needs to be actively involved in at least the cyber insurance conversation. They would be able to facilitate that conversation better than a CFO could.”
Read the fine print
Another problem with cyber policies is sublimits, a maximum placed on the amount available to pay a specific type of loss. “You can look at a summary page and see $5 million in coverage, but then you dig into the policy and there are all of these sublimits that you didn’t even know were there,” Droege says. “It’s in the policy, but you just have to read the fine print -- go through it line by line.”
An ounce of prevention
Prevention is far less expensive than losing money to cyber thieves. While executives hash out the terms of cyber insurance coverage, IT and accounting departments can take steps to lessen the risk of social engineering scams that lead to wire fraud.
Companies should start by taking a look at people, policies and procedures, says Stu Sjouwerman, CEO of cyber security awareness company KnowBe4 LLC in Clearwater, Fla.
When it comes to wire transfers, have policies in place with the bank for any transfers larger than a certain amount, and have two people sign off on the transfer, Sjouwerman says. Companies can also require the bank to obtain verbal approval from at least one C-level executive at the company who is aware of the transaction. “Preferably the executive should be calling the bank and initiating the OK instead of the executive being called by someone claiming to be the bank,” he adds.
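The controls Sjouwerman describes (an amount threshold, two sign-offs, and a verbal confirmation that the executive initiates by calling the bank rather than accepts from an inbound caller) can be written down as an approval gate. The following is an added example, not code from the article or from KnowBe4; the threshold value, the role names and the `WireRequest` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed policy parameter: transfers at or above this amount need the full control set.
DUAL_APPROVAL_THRESHOLD = 10_000


@dataclass
class WireRequest:
    amount: float
    requester: str                          # identity the request claims to come from
    approvers: Tuple[str, ...] = ()         # people who signed off on the transfer
    callback_direction: str = "none"        # "outbound" = company called bank; "inbound" = someone called us
    callback_initiated_by: Optional[str] = None  # who placed the outbound call, if any


def evaluate(req: WireRequest, executives: Set[str]) -> List[str]:
    """Return every policy violation for the request; an empty list means it may proceed."""
    problems: List[str] = []
    if req.amount < DUAL_APPROVAL_THRESHOLD:
        return problems  # small transfers follow the normal process

    # Two people must sign off, and "two" means two distinct people, not one signing twice.
    if len(set(req.approvers)) < 2:
        problems.append("needs two distinct approvers")

    # Verbal approval only counts when the executive places the call; an inbound call
    # from "the bank" is exactly the channel a fraudster would use, so it is rejected.
    if req.callback_direction != "outbound":
        problems.append("verbal approval must be an outbound call placed by the company")
    elif req.callback_initiated_by not in executives:
        problems.append("outbound call must be placed by a C-level executive aware of the transaction")
    return problems


def is_approved(req: WireRequest, executives: Set[str]) -> bool:
    return not evaluate(req, executives)


if __name__ == "__main__":
    execs = {"ceo", "cfo"}
    # Constructed sample: a request that looks like CEO fraud, checked against the gate.
    suspicious = WireRequest(amount=250_000, requester="ceo",
                             approvers=("ap_clerk", "ap_clerk"), callback_direction="inbound")
    for p in evaluate(suspicious, execs):
        print("BLOCKED:", p)
```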
Wire fraud thefts typically start with a simple phishing scam that allows thieves to enter the email server and learn the who, what, when and where of an organization. So security awareness training, including simulated phishing tests, should cover all employees.
“Test and train everyone, not just high-risk employees, and send them simulated phishing attacks,” Sjouwerman says. “It doesn’t matter if it’s the C-level or boardroom person who gets compromised or somebody in the mail room. The moment the thieves are in your network, they’re in,” regardless of the entry point.