Policyholders left exposed to rising phishing lossesPosted On: Aug. 9, 2022 6:55 AM CST
Phishing scams continue to be a significant exposure for companies, with a surge in attacks over the past three years, but insurance coverage for the exposure is often capped by policy provisions.
Policyholders seeking coverage for phishing-related losses will find it available primarily in cyber liability or crime policies, but it is usually subject to sublimits, experts say.
Policyholders should examine other policies for additional opportunities to obtain coverage for phishing losses, they say.
A report issued by the FBI in May said sophisticated scams that target businesses and the individuals who handle transfer-of funds requests increased 65% between July 2019 and December 2021.
Disputes over coverage for the scams have ensued. In one case, the Illinois Department of Insurance in July filed suit against Hartford Financial Services Group Inc. and Munich Reinsurance Co. units seeking recovery of $3.98 million stolen in a phishing scheme that targeted two auto insurers that are in receivership.
Munich Re unit Hartford Steam Boiler Inspection and Insurance Co. paid $250,000 under the companies’ cyber policy’s social engineering coverage but denied the claim under their computer fraud coverage. Hartford Financial denied coverage under its financial institution bond.
“For all practical purposes, the sublimit is just an exclusion,” said Rukesh Korde, a partner with Covington & Burling LLP in Washington, who is not involved in the case.
In claims disputes, there is often a question as to whether a wire fraud loss is subject to a lower limit for coverage, said Scott Godes, a partner with Barnes & Thornburg LLP in Washington. Insurers sometimes say a loss is subject to a sublimit without conducting a thorough examination of the claim, he said.
Phishing coverage falls into a gap between cyber liability insurance, which typically responds to breaches, and crime policies, which cover money stolen from companies, and one of the ways insurers try to bridge the gap is with social engineering endorsements or coverages, said Michael S. Levine, a partner with Hunton Andrews Kurth LLP in Washington.
The attacks also raise other issues that can cause coverage disputes.
“Phishing attacks are kind of a gateway, because it can cause many types of cyber losses and claims,” including data breaches, forensic costs, recovery notification costs, reputational loss, ransomware and regulatory claims, said Gamelah Palagonia, executive vice president, cyber development, and regulatory leader with Willis Towers Watson PLC in New York.
The social engineering provision under which HSB agreed to provide coverage “is just one aspect of it,” she said.
“The question is, what does phishing lead to and what happens next,” said Patricia Kocsondy, New York-based head of cyber risks for Beazley PLC, which offers sublimited coverage under cyber liability and crime policies. “There’s a lot of nuance in the coverage,” and not all insurers respond uniformly to the same situation, she said.
Kevin Guillet, New York-based managing director and U.S. crime product lead for Marsh LLC, said that while cyber insurers saw the need to add sublimited phishing coverage to their cyber policies, “essentially its home is in a crime policy.”
“There’s still a fair amount of variation in the marketplace as to what’s available,” he said. If underwriters “don’t like the answers to the questions they ask, you might get very little coverage,” but they will be less strict if a company has good controls in place.
Some experts say the availability of phishing coverage is declining.
The decrease reflects the overall tightening in the market over the past two years, said Brian T. Himmel, a partner at Reed Smith LLP in Pittsburgh. “Five years ago, it was much more commonplace to see that coverage and have it be readily accessible. Now, you need to look for it and you’re probably going to have to negotiate for it.”
“It comes down to asking the carrier what they will provide” in terms of limits, Mr. Godes said.
“Like with any insured losses, you have to look at all potentially applicable policies,” Mr. Levine said. While there may be only limited amounts under social engineering endorsements, other coverages may apply.
Tamara D. Bruno, a partner with Pillsbury Winthrop Shaw Pittman LLP in Houston, said, “One way you can deal with social engineering sublimits is to see if you can negotiate with excess insurers to drop down and add additional coverage,” or see if social engineering endorsements can be added to commercial crime coverages.