In decades past, crime was associated with physical attacks on persons and companies, such as theft of physical possessions or bank robberies at gunpoint. The increasing pace of technology has caused a marked shift towards a new criminal threat, cybercrime. Technology has allowed criminals to reach into our homes, businesses and bank accounts without ever leaving a computer screen. Businesses must now focus on how to protect themselves from crimes that are perpetrated digitally.
As digital crimes increase, cyber insurance claims have dramatically increased. Traditional data breach claims remain a main source of claims. However, there is a new focus on other types of cybercrime, including unauthorized wire transfers, theft of funds and ransomware.
Cybercrime on the Rise
Cybercrime generally refers to cyberattacks or cyber incidents. Cyber incidents can take many forms — phishing, insider theft, SQL injection, malware, denial of service, session hijacking, credential farming or just old-fashioned “hacking.” Although many of these attack vectors employ technical knowledge, some utilize deception to manipulate individuals into performing certain actions or divulging confidential information.
In what is commonly referred to as “social engineering,” a perpetrator exploits human behavior to pull off a scam. Oftentimes this comes as an email that appears to be from a trusted colleague, vendor or business partner, asking for a wire transfer to a particular account to settle a bill or provide payment for services.
Some of the most common social engineering scams include:
Phishing is one of the most utilized social engineering scams. It involves the fraudulent practice of sending emails purported to be from a reputable company or individual in order to obtain passwords or other personal information. Once usernames and passwords are obtained, criminals not only have access to email and documents, but often attempt to access HR and payroll accounts to divert direct deposit payroll amounts or obtain tax return funds.
In pretexting, attackers create a fake identity and use it to manipulate an individual into providing information. A common variant is “vishing,” or phishing over the phone. The attacker calls someone armed with a little bit of information, such as a name and date of birth, and uses it to obtain additional personal information or log-in credentials that can then be used to perpetrate fraud.
Another social engineering scheme exploits human curiosity, for example by leaving a flash drive infected with malware in a company parking lot. An unsuspecting employee picks up the infected flash drive and plugs it into their computer to find out whom it belongs to. The malware deploys and infects the company’s system.
Social Engineering and Cyber Insurance Policies
To date, social engineering claims have often faced coverage denials under cyber or computer fraud insurance policies, with many insurance carriers insisting that the policies only cover hacking-type intrusions.
That tide may be starting to turn. In recent months, two separate courts have reversed the trend: the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co. and the Sixth Circuit in American Tooling Center Inc. v. Travelers Casualty and Surety Co. of America.
In both cases, the court found in favor of the policyholder in a dispute over coverage for social engineering schemes. In Medidata, the insured brought suit claiming that its losses from an email spoofing attack were covered by a computer fraud provision in its insurance policy. The provision at issue covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The court reasoned that, although no hacking occurred, the perpetrators crafted computer-based spoofing code that enabled them to send messages appearing to come from one of Medidata’s employees.
Similarly, in American Tooling, a fraudster sent a series of emails, purportedly from a vendor, requesting that American Tooling wire transfer payments to new accounts. American Tooling wired over $800,000 before realizing that the emails were fraudulent. The court in American Tooling found that the loss was covered under the policy and that none of the asserted policy exclusions applied, finding that the emails were computer fraud that directly caused the loss.
The legal landscape around cybercrime and cyber insurance is changing. The recent case law above and the recent legislative focus on cybersecurity and privacy at the federal level forecast the potential for sweeping changes in the field of cybersecurity and privacy over the next several years.
Practical Steps to Avoid Loss and Ensure Your Policy Covers Attacks
Avoiding social engineering and criminal acts requires preparation, and education is key to that preparation. Among the greatest challenges to preventing cyberattacks is a lack of knowledge or strategy for mitigating the new risks that emerge from the increased complexity and interconnectedness of modern computer and technological systems. Business owners and executives should seek to educate themselves on the risks, threat actors, attack vectors and prior incidents involving social engineering and other criminal attacks. Preventing an attack requires not only improving the security of your business, but also understanding its vulnerabilities from both a human and a technical perspective.
Cybersecurity education is becoming a necessary part of both personal pursuits and business operations. The U.S. Department of Homeland Security, in partnership with the National Cyber Security Alliance, observes National Cybersecurity Awareness Month each year in October. This year’s theme is “Cybersecurity is our shared responsibility and we all must work together to improve our Nation's cybersecurity.”
In accordance with this year’s theme, all individuals within a company must work together to prevent cybercrime. Companies should understand the complexity and varied types of cyber incidents that they face, build in mechanisms to avoid social engineering scams by validating proposed requests, and review their cyber and crime insurance policies to ensure that they take full advantage of available insurance coverage. These recent cases also serve as a reminder to have a clear incident response policy in place and to quickly engage counsel who understands the complexities of the incident, as well as the insurance coverage, in order to minimize loss.
As for risk transfer, businesses should work with their risk management professionals to prepare contracts and find coverage tailored to their particular risks. The cyber market is in a highly competitive phase, and sophisticated brokers can locate broad coverage for a good price. Businesses can also use their bargaining power to negotiate for contractual risk transfer with vendors and other business partners, including defense and indemnity for first- and third-party exposures.
Cybercrime is unlike any risk the business community has faced before because it changes every day. Like a mutating virus, the criminals create a new path of attack just as authorities are figuring out the previous one. That said, the risk can be managed with appropriate internal procedures and transfer tools. Finally, if you face a loss, look to the risk management tools you may already have. As these two recent court decisions indicate, businesses may already own policies that can respond to a cyber claim.
The article, "2 Recent Decisions May Affect Your Cyber Policy," originally appeared on law360.com on November 2, 2018.