Coverage Corner

THE CRIMES, THEY ARE A-CHANGIN’

By Cathy Trischan, CPCU, CRM, CIC, ARM, AU, AAI, CRIS, MLIS, TRIP

Many businesses take steps to ensure the security of their premises with gates, alarms, and guards. How many, though, are as diligent about securing their funds, property, and data against theft by cybercriminals? Even with controls in place, cybercriminals often get the best of even the most careful business owners. What are some of these new crimes, and how can insurance protect our clients?

SPOOFING AND PHISHING

These techniques are used to trick unsuspecting victims into downloading malicious software (malware), disclosing confidential information, or sending money. The criminal often uses an email address or URL similar to a real one to convince the victims that they are dealing with a trusted source.

VISHING/SMISHING/PHARMING

These are variations of phishing. Vishing happens through voice calls, while smishing is done through a text message (SMS). Pharming occurs when malicious code on a computer directs one to a fake website. In all cases, the criminal tries to get the victim to disclose confidential information.

BUSINESS EMAIL COMPROMISE (BEC)

These losses are often referred to as social engineering losses, although the term social engineering includes any type of crime that exploits human behavior. Spoofing and phishing are the starting points of this crime. A cybercriminal impersonates a customer, vendor, or someone within an organization. The thief sends an email to the organization’s employee directing the employee to wire funds to a particular account. The employee, believing the instruction is a legitimate request, sends the money. After the fact, the employee learns he’s been duped.

FRAUDULENT IMPERSONATION

Business Email Compromise, as described above, is a type of fraudulent impersonation, but not the only type. Sometimes, a business receives a legitimate request for payment from a client or vendor. A criminal – impersonating the client, vendor, or another employee of the business – sends a request to change the payment instructions. The business, believing the change is legitimate, now sends or wires money to the criminal instead of to the client or vendor.

COMPUTER AND FUNDS TRANSFER FRAUD

In these schemes, a criminal directs funds from the victim’s accounts to its own account. The cybercriminal may access the insured’s computer system to transfer money to its own account. Alternatively, the criminal may directly access the insured’s bank account, usually with stolen credentials, to transfer the money.

INVOICE MANIPULATION

This crime begins with the insured sending an invoice to its customer. Shortly after, a cybercriminal impersonating the insured’s employee contacts the customer and provides alternate wiring instructions. The customer unknowingly sends the funds to the criminal.

CYBEREXTORTION/RANSOMWARE ATTACK

Ransomware is a type of malware that is unknowingly loaded onto a computer, often when a person opens an email attachment or visits a website embedded with malware. The ransomware can prevent access to data, encrypt files, or otherwise damage a business’s systems. In exchange for payment of ransom, the extortionist promises that the business will regain access to its data and systems.

While a business’s first line of defense against these crimes involves good risk control measures, losses still happen. There are two policies that can be written to cover many of these losses: Commercial Crime and Cyber. Commercial Crime can be written to cover some of the exposures, and Cyber can be written to cover many more. There are a few things to remember, though, when arranging for coverage.

1. Crime and Cyber forms vary widely among insurers. Different coverages are offered, and different names are used to identify the coverages. It is important to carefully review the details of the coverage being provided before deciding on a policy.

2. The expected coverage may not apply if an insured does not take certain precautions. Some forms, for example, will not cover a BEC loss unless the insured takes steps to confirm the request in some way other than the method used in the request (e.g. phone call to confirm an email request).

3. Many Crime and Cyber applications contain warranty statements and become a part of the policy. It is critical that all information provided be accurate. If it is not, coverage will be compromised.

4. It is important to make sure that, to the extent possible, there are no gaps or overlaps if both Crime and Cyber coverages are in effect. Other insurance clauses in each policy can produce unexpected results if both policies cover a particular claim.

Today’s crimes are different from the crimes of the past. Through good risk control measures and a well-constructed insurance program, businesses can be better protected against today’s cybercriminals.

‘Til next time!

Cathy Trischan is IA&B’s commercial lines education consultant. She works with our CIC and CISR programs, as well as our live CE webinars. Catch her at one of our upcoming courses: IABforME.com/education.
