
Why High-Growth Businesses Need Social Engineering Insurance


Carl Niedbala - Founder Shield

Managing Partner; COO & Co-Founder

When we mention “cyber insurance” to most clients, they tend to immediately picture situations like the Target or Yahoo data breaches.  They picture some mystery mastermind on the dark web scheming up an elaborate plan to crack firewalls and compromise networks.

While that clearly happens more than we’d all like, it’s not the only liability out there, and it probably shouldn’t be the focus of most funded startups’ concerns.  In reality, there are 3 major data breach threats that any company faces:

  1. Hacking attacks – DDoS, Injecting Malware, Brute force network penetration…
  2. Employee negligence — accidental unwitting leaks or disclosures of sensitive company or client information
  3. Rogue employee or ex-employee releasing information

We’re concerned with the second type of cyber loss, particularly when an employee is induced and deceived into disclosing sensitive company or client information. This is called “Social Engineering,” and it has become a huge source of claims. In fact, over 55% of attacks are done via social engineering methods.

Why? Because it’s surprisingly easy to influence your employees, especially in the realm of social media. According to a recent study conducted by social-engineer.org, a staggering 90% of individuals polled were willing to provide their complete name and email address without verifying the requester’s identity. Even more astonishing, 67% were willing to divulge highly sensitive information, including birth dates or employee numbers.


What Is Social Engineering?

There are several methods of social engineering that are seen frequently, including the following:

  • Bogus Invoice: A business that has a long-standing relationship with a supplier is asked via email to wire funds to pay an invoice to an alternate, fraudulent account. The email request appears very similar to one from a legitimate account and would need scrutiny to determine if it was fraudulent.
  • Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB to her computer, criminals can exfiltrate valuable data.
  • Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.

According to the FBI, from October 2013 to February 2016, more than 17,642 social engineering victims from across the U.S. were defrauded of almost $2.1 billion.  “Victims range from large corporations to tech companies to small businesses to non-profit organizations,” and most social engineers target businesses with foreign suppliers or a high volume of wire transactions.

How Do We Get Social Engineering Insurance?

Social engineering insurance is not a standalone product, and sits in a spot right between crime insurance and cyber insurance. Insured companies originally looked to their crime policies for coverage under the “computer and funds transfer fraud” line item, but courts have been mixed on whether or not coverage was afforded here.  Furthermore, crime policies never provide coverage for the theft or loss of data.  Similarly, cyber insurance policies cover compromise of networks and theft or loss of data, but traditionally no coverage is afforded for the loss of funds (the main loss from a social engineering attack).

Fortunately, we work with several insurers that provide specific social engineering endorsements and remove exclusionary wording in tandem with cyber coverage to eliminate any doubt as to what is and is not covered by the policy.  Given the rapid growth of fraud cases in this area — particularly those aimed at early stage companies — it is clear that social engineering insurance is becoming a crucial coverage for all companies.
