Not ALL Cybercrime Insurance Policies Cover Phishing Attacks
Data security needs to be the main concern for all businesses in these times. Attacks are becoming
more sophisticated and hitting major businesses at a more frequent rate. Even though you might be
under the impression your business is insured for ALL cybercrime attacks through your current plan,
you could be wrong.
ICS has repeatedly warned our partners and friends about “Social Engineering Attacks”.
This is a type of attack in which the attacker singles out vulnerable employees in order to trick
them into turning over sensitive business data or network access. The attacker can initiate this
attack in person, through email, or over the phone.
There are thousands of different methods of social engineering attack. Some include impersonating
the CEO of the company, spoofing emails from key business employees, or sending a spoofed email with
the purpose of stealing credentials through phony logon links.
Please be aware, these types of attacks are very frequent and not covered under all cybercrime
insurance policies. We highly recommend reviewing your policy if you have any doubt about your
coverage for social engineering attacks.
Recently, in Alberta, there has been a court ruling on this exact issue. The employee of a business
was duped into transferring money to a social engineering attacker. The Alberta courts ruled that
their cybercrimes insurance policy did not cover this attack due to the employee willingly sending
over the money. On the other hand, if the attacker had gained access to the network and sent
it himself, this would have been covered. See the court ruling below.
“‘Funds Transfer Fraud’ applies only when the fraudster implements the transfer without the
knowledge or authorization of the insured company’s employees,” wrote Ryan Burgoyne, a
Fredericton-based insurance litigation lawyer with Cox & Palmer, in a paper, A New Realm: Cyberspace, Cyber Liability and
Cyber Liability Insurance, announced Nov. 17.
This ruling states that coverage does not apply when an employee of the company knowingly transfers
the money, even without knowing they have been tricked. The ruling was handed down by the Alberta
Court of Queen’s Bench in Brick Warehouse LP v Chubb Insurance Company of
Canada.
This case is from August 2010. In this case two Brick employees were targeted by attackers through
a social engineering attack. These employees were duped into transferring money into the account of
their attackers who were at the time pretending to be suppliers of Brick. The company lost $224,000
before putting a halt to the attack.
While filing a claim with their insurance provider Chubb, they were told the following.
“the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions
issued to a financial institution directing such institution to transfer, pay or deliver money or
securities from any account maintained by an insured at such institution without an insured’s
knowledge or consent.”
The court ruled the transfer was done with the insured’s knowledge and consent because a Brick
employee did give instructions to the bank to transfer funds out of the company’s account.
ICS must warn everyone: you can have all the latest security features implemented on your network,
but the end user is always the weakest link. Social engineering attacks target the end user. Please
take time to review your cybercrime insurance policy and make sure you are utilizing Integrated
Computer Services Security Awareness training to prevent attacks like these in the first place.