Social engineering insurance – a primer
When we mention “cyber insurance” to most clients, they tend to immediately picture situations like the target or yahoo data breaches. They picture some mystery mastermind on the dark web scheming up an elaborate plan to crack firewalls and compromise networks.
While that clearly happens more than we’d all like, it’s not the only threat out there, and it probably shouldn’t be the focus of most funded startups’ concerns. In reality, there are 3 major data breach threats that any company faces:
- Hacking attacks – DDoS, Injecting Malware, Brute force network penetration…
- Employee negligence – accidental unwitting leaks or disclosures of sensitive company or client information
- Rogue employee or ex-employee releasing information
We’re concerned with the 2nd type of cyber loss, particularly when an employee is induced & deceived into disclosing sensitive company or client information. This is called “Social Engineering,” and it has become a huge source of claims. In fact, over 55% of attacks are done via social engineering methods.
Why? Because it’s actually surprisingly easy to manipulate your employees. In a recent study done by social-engineer.org, 90% of people polled were willing to give their full name and email address without even verifying the asking person’s identity, and 67% would give even more sensitive data, such as birth dates or employee numbers.
What is Social Engineering?
There are several methods of social engineering that are seen frequently, including the following:
- Bogus Invoice: A business that has a long-standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to one from a legitimate account and would need scrutiny to determine if it was fraudulent.
- Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
- Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
- Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
- Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB to her computer, criminals can ex-filtrate valuable data.
- Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
- Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.
According to the FBI, from October 2013 to February 2016, more than 17,642 social engineering victims from across the U.S. were defrauded of almost $2.1 billion. “Victims range from large corporations to tech companies to small businesses to non-profit organizations,” and most social engineers target businesses with foreign suppliers or a high volume of wire transactions.
How do we get social engineering insurance coverage?
Social engineering insurance is not a standalone product, and sits in a spot right between crime insurance and cyber insurance. Insured companies originally looked to their crime policies for coverage under the “computer and funds transfer fraud” line item, but courts have been mixed on whether or not coverage was afforded here. Furthermore, crime policies never provide coverage for the theft or loss of data. Similarly, cyber insurance policies cover compromise of networks and theft or loss of data, but traditionally no coverage is afforded for the loss of funds (the main loss from a social engineering attack).
Fortunately, we work with several insurers that provide specific social engineering endorsements and remove exclusionary wording in tandem with cyber coverage to eliminate any doubt as to what is and is not covered by the policy. Given the rapid growth of fraud cases in this area – particularly those aimed at early stage companies – it is clear that social engineering insurance is becoming a crucial coverage for all companies.
Talk to us to learn more about how you can protect your company.