Demand for social engineering fraud coverage on the rise
Posted On: Feb. 16, 2021 7:00 AM CST
A rise in crime committed via social engineering is prompting a growing number of businesses to add coverage for related exposures through their commercial crime insurance policies, experts say.
The COVID-19 pandemic has led to an increase in cyber-related crime as fraudsters use social engineering techniques to exploit systems and procedures made more vulnerable by remote working, they say.
While figures for 2020 are not yet available, some 23,775 business email compromise complaints resulted in $1.7 billion in losses in 2019, according to the FBI’s Internet Crime Complaint Center.
Business email compromises are a form of social engineering fraud whereby attackers impersonate a CEO or executive authorized to conduct wire transfers and induce employees to transfer money to a fake client account.
The FBI on Jan. 14 warned of an increase in “vishing” or voice phishing attacks targeting employees working remotely in the pandemic and of the heightened risks companies face when network access and broadening of online privileges may not be fully monitored.
The commercial crime market now offers affirmative coverage to address losses from social engineering attacks, said Bill Jennings, focus group lead-crime, at Beazley PLC in New York. Beazley has offered expanded coverage in response to the growing wave of social engineering attacks since 2017.
While the vast majority of commercial crime losses used to come from employee theft, Beazley is now seeing an equal split between social engineering losses and employee theft in terms of frequency and severity, Mr. Jennings said.
“No longer can we look at our losses and say 90% is going to come from an internal employee, and it’s employee theft. Now, we see about 50% of them come from employee theft, and 50% come from outside third-party actions by way of social engineering coverage,” he said.
The price of social engineering coverage varies by risk and limit, but typically it can be added to a crime policy for an additional premium of 25% to 50%, Mr. Jennings said.
From a pricing standpoint, the commercial crime market generally follows the ups and downs of the broader management liability market, but with much less amplitude, he said.
“In a directors and officers hard market you’ll see rates doubling or tripling and in a crime hard market you’ll see them increasing by 10% or 20%,” Mr. Jennings said.
Demand for computer fraud and social engineering coverage is growing, said Mike Henning, Chicago-based executive lines broker at Risk Placement Services Inc., the wholesale broking and managing general agency unit of Arthur J. Gallagher & Co.
Social engineering coverage is “a very relevant coverage as of late because the losses have increased substantially over the last two to three years,” Mr. Henning said.
A growing number of commercial crime submissions come from companies that started up in the past five years and want crime and social engineering fraud coverage, said Melissa Schwartz, product manager-commercial crime at Amtrust Exec, a division of New York-based AmTrust Financial Inc.
“I’ve been seeing a lot of payment service provider submissions coming in,” Ms. Schwartz said.
“It seems like everyone wants to set up their own payment service provider app,” she said. Some well-known digital payment providers include Zelle, Stripe and PayPal.
With so many fraud vulnerabilities during the pandemic, those types of accounts can raise underwriting concerns from a cyber, social engineering and computer theft standpoint, she said. “I usually don’t write those, but I have been seeing an uptick in those types of accounts,” Ms. Schwartz said.
Agents and policyholders often struggle to find adequate capacity for social engineering coverage because it usually carries a sublimit, Mr. Henning said.
“Typically, if you have a $1 million crime policy, social engineering most times is limited to $100,000 or $250,000, or maybe $500,000, because the loss with social engineering can be very large,” he said.
The typical crime loss is like “death by a thousand cuts,” he said. Two to three fraudulent transactions within a month can easily add up to six-figure losses, Mr. Henning said.
RPS offers full-limit social engineering coverage, so if a policyholder has a $1 million crime policy, it would have $1 million of social engineering coverage, he said.
RPS’ crime policy coverage applies excess of any valid coverage found under a cyber policy.
Brokers are asking for higher limits for social engineering coverage and “with additional underwriting, additional questions and if we can get comfortable with the controls our insured has, we can provide additional limits like $1 million or maybe $5 million,” Mr. Jennings said.