Anyone who owns a cell phone or uses an email address has received communications from a scammer looking to obtain confidential information or trick recipients into sending money abroad. These efforts have taken many forms that have evolved and become more sophisticated over time. In the early days it was a random email asking for money to be sent to the king of Zimbabwe, followed by an “internal” email from a senior member of the organization asking for a gift card or an urgent money transfer late on a Friday afternoon. Now the scammers have upped their game by accessing systems and using fake emails to change payment instructions, redirecting payment of ordinary business expenses to a ghost foreign bank account.
As recently as three or four years ago, there was explicit coverage for these types of social engineering and fraudulent instruction claims, and full policy limit protection was often offered, sometimes under a crime policy, sometimes under an independent cyber policy, and possibly even both. However, as these types of claims became common in every industry and in businesses of all sizes and geographies, insurers began to reduce the coverage offered. Initially, the withdrawal was done through sub-limits: insurers were still willing to provide coverage for fraudulent instruction and social engineering claims, but they would not agree to pay the full policy limit for them. Instead, insurers placed sub-limits, typically between $100,000 and $250,000, on the coverage for those claims.
Because scammers still try to steal money and continue to succeed against businesses of all types, sizes, and geographies, the insurance industry is taking a new approach to reducing insurance coverage for these types of claims. This approach is cause for concern because insurers have not been outspoken about the disappearance of coverage but have instead quietly added policy language that, in essence, makes any actual recovery on a claim extremely difficult and in some cases impossible.
If insurers wanted to be blunt about the fact that they would no longer agree to cover fraudulent instruction and social engineering claims, they would write an unambiguous exclusion into their contracts and reduce premiums for those policies in proportion to the reduction in coverage. But insurance companies have chosen a more secretive route, seemingly designed to allow them to have their cake and eat it too. Most policy forms continue to offer, and charge premiums for, fraudulent instruction and social engineering coverage, but currently, to access that coverage, policyholders must “independently verify” a change in payment instructions before sending money to a vendor or other third party. Indeed, some policies go so far as to state that “independent verification” must be done by a contact method other than the method of communication used to make changes to wire transfers or electronic payments.
In other words, insurers are asking policyholders to pick up the phone and call the sender of an email requesting a change in payment instructions to confirm that the request is not a scam before actually making the change and the final payment. Of course, in our digital society, phone calls have gone the way of the dodo bird, and the main reason phishing and social engineering scams succeed is that our workforce is used to (and sometimes trained to) work “seamlessly” via email and not to communicate over the telephone.
So what is the lesson here?
First, as the best risk management tool, companies must train (and remain vigilant in training) the employees responsible for moving electronic payments within or outside the organization to follow Carly Rae Jepsen’s wise advice: do not make any changes to your transfer or payment instructions without first talking to a living human to confirm the requested change. And remember that these scammers are good; even if your employee sends a private email to a scammer asking for “proof” of a change in instructions, the company could still face a coverage dispute with its insurer, depending on the wording of the insurance policy, because sending another email (possibly to the same phishing address) may not be considered another form of communication for verification purposes.
Second, that last point leads to an important theme that holds across all insurance claims and disputes: the wording of the insurance policy always matters. Therefore, before accepting an immediate denial of coverage on a fraudulent instruction or social engineering claim, companies would be well served to review the language of their insurance policy and the insurance company’s coverage letter with an experienced insurance advisor to determine whether coverage exists based on the facts of the claim.
Finally, because contract words always matter, policyholders need to pay careful attention to the renewal of their cybercrime and liability insurance policies. Insurers will continue to revise and refine policy language year over year as online claims activity remains high, losses continue to pile up, and insurers seek to balance the amounts they will incur in paying claims. Here too, an experienced insurance advisor can provide important insights into current claims trends and what the “market standard” is in terms of policy wording for the type of risk in question.