October 13 • Cyber Liability

Why High-Growth Businesses Need Social Engineering Insurance

Generic placeholder image
Carl Niedbala

COO & Co-Founder

Social engineering insurance – a primer

When we mention “cyber insurance” to most clients, they tend to immediately picture situations like the target or yahoo data breaches.  They picture some mystery mastermind on the dark web scheming up an elaborate plan to crack firewalls and compromise networks.

While that clearly happens more than we’d all like, it’s not the only threat out there, and it probably shouldn’t be the focus of most funded startups’ concerns.  In reality, there are 3 major data breach threats that any company faces:

  1. Hacking attacks – DDoS, Injecting Malware, Brute force network penetration…
  2. Employee negligence – accidental unwitting leaks or disclosures of sensitive company or client information
  3. Rogue employee or ex-employee releasing information

We’re concerned with the 2nd type of cyber loss, particularly when an employee is induced & deceived into disclosing sensitive company or client information.  This is called “Social Engineering,” and it has become a huge source of claims.  In fact, over 55% of attacks are done via social engineering methods.

Why?  Because it’s actually surprisingly easy to manipulate your employees.  In a recent study done by social-engineer.org, 90% of people polled were willing to give their full name and email address without even verifying the asking person’s identity, and 67% would give even more sensitive data, such as birth dates or employee numbers.

What is Social Engineering?

There are several methods of social engineering that are seen frequently, including the following:

  • ­Bogus Invoice: A business that has a long-standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to one from a legitimate account and would need scrutiny to determine if it was fraudulent.

    socialengineeringinsuranceinfographicblog
    source: social-engineer.org
  • ­Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • ­Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • ­Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • ­Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB to her computer, criminals can ex-filtrate valuable data.
  • ­Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • ­Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.

According to the FBI, from October 2013 to February 2016, more than 17,642 social engineering victims from across the U.S. were defrauded of almost $2.1 billion.  “Victims range from large corporations to tech companies to small businesses to non-profit organizations,” and most social engineers target businesses with foreign suppliers or a high volume of wire transactions.

How do we get social engineering insurance coverage?

Social engineering insurance is not a standalone product, and sits in a spot right between crime insurance and cyber insurance. Insured companies originally looked to their crime policies for coverage under the “computer and funds transfer fraud” line item, but courts have been mixed on whether or not coverage was afforded here.  Furthermore, crime policies never provide coverage for the theft or loss of data.  Similarly, cyber insurance policies cover compromise of networks and theft or loss of data, but traditionally no coverage is afforded for the loss of funds (the main loss from a social engineering attack).

crime-cyber-social-engineering-insurance-graphic

Fortunately, we work with several insurers that provide specific social engineering endorsements and remove exclusionary wording in tandem with cyber coverage to eliminate any doubt as to what is and is not covered by the policy.  Given the rapid growth of fraud cases in this area – particularly those aimed at early stage companies – it is clear that social engineering insurance is becoming a crucial coverage for all companies.

Talk to us to learn more about how you can protect your company and business! 

[vc_btn title=”GET A QUOTE” style=”outline-custom” outline_custom_color=”#ee2524″ outline_custom_hover_background=”#ee2524″ outline_custom_hover_text=”#ffffff” shape=”square” size=”lg” align=”center” link=”url:https%3A%2F%2Fapp.foundershield.com%2Fusers%2Fsign_up|||”]

Related Articles

eo_canadian_tech_companies
September 30 • Cyber LiabilityErrors & Omissions

E&O Insurance Guide for Canadian Tech Companies

Canadian tech companies face unique exposures — but tech E&O insurance helps to mitigate risks. Here’s what you should know.

Read Article
canadian_tech_companies
September 23 • Cyber LiabilityErrors & Omissions

Top 5 E&O and Cyber Claims for Canadian Tech Companies

Canadian tech companies face a slew of challenges — but five primary E&O and Cyber claims stick out. Here’s a look at these themes.

Read Article
protect from a data breach
August 18 • Cyber LiabilityRisk Management Tips

How to Protect Your Fast-Growing Business From a Data Breach

A cyberattack could devastate your fast-growing business quickly. With cybersecurity a real concern, here’s how to protect your mid-market business from a data breach.

Read Article
April 8 • Cyber LiabilityGeneral Liability

Reducing Risk for E-Scooter Operators: Safety, Security & Hardware

In the context of e-scooter safety, we’ve teamed with ACTON to identify and mitigate the most significant risks operators face today.

Read Article
cyber_liability_PCIDSS_compliance
April 8 • Cyber Liability

Cyber Liability and PCI DSS Compliance [Why it Matters]

PCI DSS compliance and cyber liability can seem confusing, but we break it down for you so you can keep your business booming.

Read Article
February 11 • Cyber LiabilityNews

The 101 Guide to the California Consumer Privacy Act (CCPA)

California is well-known for spearheading fresh trends, innovative ideas, and game-changing regulations. It’s no surprise that the California Consumer Privacy Act (CCPA) originated in The Golden State.

Read Article