At least 67% of small and medium size businesses have experienced a social engineering, spear phishing attack or business email compromise (BEC).1 In these exploits, malicious actors deceptively gain the confidence of an employee, persuading him/her to part with money or confidential data by posing as a trusted vendor, banks or colleague’s email.

If you’re the next victim, understanding potential gaps in your insurance program is critical. Your cyber policy may not be enough. Cyber policies, while key to have in place in the case of a data breach, cover loss of intangible assets only, including loss of data and damage to the network’s assets. While cyber criminals use cyber-based tools in social engineering and phishing, the loss is ultimately a loss of money and securities, which falls under a crime policy, not your cyber policy.

And, since victims of social engineering, phishing and BEC release money WITH consent, coverage is not triggered under a commercial crime policy. Crime policies are only triggered when tangible assets like money and securities are transferred or stolen WITHOUT consent.

The social engineering endorsement

The social engineering endorsement or coverage extension is the best way to address this type of loss. Both crime and cyber policies offer such coverage extensions. Often times, the coverage offered by both policies can be duplicative, which can cause settlement issues at the time of the claim. Each policy has “other insurance” provisions in their policy language, stating that each policy is offered excess to the other, creating a potential gap in coverage or restricting total limits deployed.

It’s important to work with your broker to determine what your policy language says, and understand how the two policies interact with each other. There are many things to understand and consider. Ask the following questions:

  • Is there a gap between the cyber and crime policies? If so, is it possible to negotiate that language?
  • Are limits, terms and conditions on one type of policy broader on versus the other?
  • Is pricing more favorable but the self-insured retention is much larger?
  • Are the social engineering triggers broader on the cyber policy and not offered on the crime policy?

Most often, adding a social engineering endorsement to either or both your cyber and crime policies will eliminate the duplication of coverage and close gaps. The social engineering endorsement coverage is often per occurrence, with no annual aggregate, offering a variety of limits. When adding this endorsement, you’ll want to make sure it has broad all-risk language as to not exclude any single potential avenue of social engineering.

Employee training is a first step in cybercrime prevention

Social engineering, phishing and BEC actors use any information that’s publicly available to target their victims, including business email addresses, corporate titles and executive’s names for impersonation. Train employees to:

  1. Verify all requests for a change in payment type/location. BEC actors will request changes to the original recipient’s financial information. For example, a request to change payments originally scheduled for check dispersal be made via wire transfer.
  2. Don’t take an email requesting payment changes at face value. Establish a secondary means of communication for verification purposes.
  3. Consider two-step authentication. Victims of BEC scams report receiving phone calls from the hackers themselves requesting personally identifiable information for verification purposes. Consider establishing code phrases that are only known to the two legitimate parties.
  4. Contact your bank when a fraudulent transfer is discovered. Contact your financial institution immediately and request a recall of funds. Then, call your local FBI office and report the fraudulent transfer.

Contact your HUB cyber specialist for more information on combatting cybercrime and transferring your risk.


1https://www.securitymagazine.com/articles/89586-nearly-70-percent-of-smbs-experience-cyber-attacks