Aon Risk Solutions Financial Services Group

Client Alert: Social Engineering Exposures

While social engineering can refer to many things outside of a risk management context, within the insurance world, social engineering has assumed a specific, and notable, meaning. In brief, social engineering refers to the use of identity to gain the confidence of an employee to induce him or her to part with an organization’s money or securities. We will explore some of the most common forms of social engineering, relevant coverage interpretations, and available coverage solutions.

Where Does The Threat Arise From? While a “theft” has undoubtedly occurred in a We’re here to Social engineering attacks can come in many social engineering loss, the commercial crime empower results forms, including: policy likely has not been triggered because the If you have questions employee did not “steal” the money/securities about your specific §§ scams are attempts by fraudsters to coverage or want more directly, and the employee certainly did not induce individuals into providing personal information, please benefit from it. Historically, crime policies did not information such as bank account numbers, contact your Aon broker. explicitly address social engineering, thus resulting passwords, and credit card numbers aon.com in varying outcomes. §§Spear phishing is an electronic communications scam targeted towards a specific individual, Relevant Cases organization, or business Although a few courts have found coverage for §§Vishing, or is the criminal social engineering losses under crime policies, practice of using social engineering over the most courts have found that social engineering telephone to gain access to private personal and losses are not covered under the policy’s financial information Computer , Funds Transfer Fraud, or Forgery §§SMiShing (short for “SMS phishing”) is a coverage agreements. See American Tooling Ctr. security attack in which the user is tricked into v. Travelers Cas. & Sur. Co. of Am., No. 16-12108, downloading a Trojan horse, virus, or other 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, malware onto a mobile device 2017); Taylor & Lieberman v. Fed. Ins. Co., 681 Fed. Appx. 627 (9th Cir. 2017); and Apache Corp. v. §§Mining social media allows a perpetrator to Great Am. Ins. Co., 662 F. App’x 252 (5th Cir. 2016). identify executives at a company via social The decisions that have denied coverage have media, with collected information used to generally held that duping caused the loss, and gather proprietary information or induce that the use of a computer was merely incidental. fraudulent transfer Only two recent decisions have found coverage, Regardless of the threat source, the fraudster seeks or potential coverage, for social engineering to induce the transfer of money or securities to a losses. Medidata Solutions., Inc. v. Fed. Ins. Co., fictitious account for the benefit of the perpetrator. 268 F. Supp. 3d 471 (S.D.N.Y. 2017) and Principle The fraudster may imitate a senior executive (i.e., Solutions Group, LLC v. Ironshore Indem., Inc., “fake president”), often in a very credible format, 2016 WL 4618761 (N.D. Ga. Aug. 30, 2016). and once funds are sent to the fictitious account, Both of those cases, however, are currently being they are often unrecoverable. appealed by the insurer and may be overturned. Commercial crime insurers’ responses have None of the cases involved an insured that had varied and evolved significantly in recent years. been directly hacked. Aon Risk Solutions Financial Services Group

Coverage Solutions maximize capacity. This approach can be About Aon’s Social engineering coverage is widely available in purchased in conjunction with the layered Financial the crime insurance marketplace. Underwriters approach mentioned above. Excess insurers Services Group require a social engineering questionnaire to will follow form to the primary insurer’s Aon’s Financial Services ascertain whether they will offer the coverage, social engineering endorsement terms Group (FSG) is the premier and to determine the limit and deductible that and conditions. team of executive liability they are comfortable providing. §§Consider approaching the London market. brokerage professionals, with extensive experience While domestic (U.S.) underwriters do offer Certain Lloyd’s of London syndicates offer in representing buyers of social engineering limits within their respective social engineering coverage within crime complex insurance products crime policies, more often than not, they provide programs with no sub-limit applied. including directors’ and a sub limit for this coverage. However, higher officers’ liability, Avoid condition(s) precedent language on limits can be provided within the primary layer if employment practices any social engineering endorsement, such liability, fiduciary liability, the insured can show appropriate controls. as “Before acting upon any such Transfer fidelity, and professional Strategies for achieving higher limits over a Instruction the Insured shall confirm the validity liability insurance. FSG’s primary sub-limit, including limits equal to global platform assists of such Transfer Instruction according to a (or above) the existing overall crime program clients in addressing their prearranged procedure in which the Insured executive liability exposures limits, include: verified the authenticity and accuracy of the across their worldwide §§Layered crime policy – In this example, Transfer Instruction by means of a call back to a operations. Aon’s Financial the primary coverage for social engineering predetermined telephone number or other Services Group manages would be provided on a sub-limited basis more than $2.2 billion in verification procedure agreed to in writing.” within the Insured’s crime policy. The excess annual premiums, assists If the Insured can demonstrate internal with annual claim settlements crime insurer(s) would then provide coverage controls, your broker may request this (or any in excess of $1 billion, and for social engineering, also on a sub-limited similar) wording to be deleted from the social uses its unmatched data basis, on each of their respective excess engineering endorsement. to support the diverse layers. Each excess layer of social engineering business goals of its clients. coverage would drop down and be follow- Conclusion form, attaching directly excess of the social While virtually unheard of just a few years ago, engineering sub-limit below. social engineering is a serious crime exposure. §§A separate stand-alone excess social While the exposure has grown, so too have the engineering crime tower is also available to options to address it.

All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.