Social Engineering Risk and its implication on E&O insurance

Ashish Chaturvedi

What is it: Social engineering risk is the possibility of an entity being defrauded by parties that appear to be known to it but are not. A thief will impersonate a vendor, client, employee or partner of your organization. It can be described as a confidence scheme, perpetrated mostly by organized rings, in which an employee of a company is tricked into sending funds to a person or entity he appears to know but who is in fact a fraudster.

Scenarios: Since the origination of cyber risk, there have been innumerable scenarios in which a social engineering loss can happen. Here are some scenarios showing how it is perpetrated:

  1. An employee in the accounts department gets an email from his supervisor, currently abroad, who has corporate entitlements to make buying decisions. The email instructs the employee to have the treasury team transfer a certain amount for a deal that he has been working on. Per the supervisor’s email, this is a critical deal and no one should know about it, to keep it a surprise. The employee transfers the money and calls the supervisor to confirm receipt. The email had been hacked and the fraud attempt was successful.
  2. A retailer makes a purchase from a supplier in China of about 50,000 children’s apparel items, with payment terms of full payment in 30 days. A few weeks later, the retailer gets an email from the supplier with changed bank account details for the payment. The retailer obliges and, per the terms and conditions agreed earlier, transfers the payment to the new bank account within 30 days. The supplier’s email system had been hacked, and the money went to fraudsters.
  3. Two parties are making a commercial transaction to buy/sell a car. A (seller) promises to deliver the car only on full payment in advance. B (buyer) agrees and asks the seller to pay transport charges. A (seller) agrees. The transporter contacts the seller and provides a bank account to which the funds are to be transferred in advance within a week. A few days later the seller gets another email from the transporter with an updated bank account and details for a truck to arrive in time. The seller transfers the amount to the new bank account per the last email. When the seller contacts the transporter on the day of arrival to check the truck’s arrival time, it emerges that the transporter never received any money. The updated bank account information appeared to come from the transporter’s email but was in fact from hackers.

Is this a new exposure: Reliance on cyber technologies and tools for commercial transactions has become common. With all new technological advancements comes the risk of hackers. Social engineering risks are new because they refer to a confidence scheme in which the victim believes the perpetrator is a known entity. There have been risks of fraud earlier where similar situations were encountered, but those were related to unknown entities and phishing. In those cases the hackers break into the system and illegally take the money out, whereas a social engineering loss is about inducement of the employee.

Implications in Insurance: Several insurers have responded with additional coverage in Professional Indemnity policies, which cover errors and omissions of professionals like doctors, engineers, media professionals, etc. Insurers that offer traditional Crime insurance policies rely on the fact that if the loss occurred due to the ‘voluntary parting’ of the money, then it’s not covered by traditional crime insurance. There are exclusions that can be covered by amendatory endorsement at an additional premium. The class of risk is generally clubbed with Liability policies as additional coverage.
