Cyber insurance and phishing - what it covers and what it might not


Whether you’re a multi-national business or a small start-up, every business handles high volumes of small-value electronic transactions as part of standard operations. Alongside these transactions, businesses store the customer, supplier and employee details that relate to them. This constant ebb and flow of data in and out of businesses is what makes them ideal targets for cyber-attacks.

Given the increasing reliance of business on IT, and the fact that the majority of many businesses’ assets are intangible rather than physical, cyber insurance is fast becoming as essential an insurance product as property cover or motor insurance. Whilst the message is clearly getting through, many businesses have been slow to change long-established practices, and cyber fraud is responsible for millions of pounds of losses every year.

Does cyber insurance cover online fraud and phishing?

There are various cyber insurance products that offer broad coverage against certain types of cyber-based risk. However, the rapid emergence of cyber insurance, and the fact that until recently there has been considerable variation between cyber wordings, means that there are a number of misconceptions regarding what a cyber insurance policy covers.

The scope of cyber coverage available in the insurance marketplace will generally include a range of first-party and third-party covers, which could protect your business against legal liabilities, loss of earnings and breach response costs.

Cyber insurance can often overlap with other policies: your professional indemnity might cover you for loss of documents but not notification costs, telecommunications fraud could be covered under a crime policy, and office insurance could cover the cost of losing a laptop but not the loss of the data on it.

In our experience, one of the most common areas of confusion is Social Engineering causing a financial loss to individuals or organisations. Social Engineering is the broad term for any cyber-attack that relies on fooling people into taking action or divulging sensitive or confidential information; the most common example is phishing.

Typically, a phisher sends an e-mail, instant message (IM) or text message, or makes a phone call, that appears to come from a legitimate colleague or organisation. The aim is to trick people into handing over confidential information, divulging sensitive data, or downloading a file infected with malware. That malware gives the attacker access to sensitive or confidential information such as passwords and bank details, as well as control over your computer or network, with the potential to also affect the security of other organisations.

Social Engineering has the potential to cause different types of losses that may trigger different insurance policies, not just Cyber Policies.

How Cyber Insurance could protect against CEO email fraud

A spoofed email is sent from a high-level executive such as a CEO or partner instructing someone in a financial role to transfer funds out of the company, or an email is received from a supplier asking for an invoice to be paid. In both cases the employee acts on the email because the perpetrator has used an almost identical email address, built from details gathered from public sources, to trick them into making a payment.

The above financial loss is typically excluded from the primary coverage provided by most cyber policies, as the loss is not of an intangible asset (as would be the case for loss of data) but a direct financial loss. Even cyber policies that offer potential cover for fraudulent wire transfer will very likely exclude the above scenario: Insurers often apply further restrictions where the Insured is involved in the wire transfer (whether or not they are aware of the fraud) and require the Insured’s systems to have been compromised before cover is triggered.

The fact that a fraud is perpetrated by email does not in itself make the financial loss a cyber-incident. In these circumstances the Insured is a victim of crime in the same way it would be if it had been persuaded to transfer money as the result of a fraudulent telephone call, meeting or letter.

The position changes if the fraudster sent the email from a genuine internal account, because the security of the company network could then have been compromised. Alternatively, if your data was compromised as part of a separate cyber-attack on a supplier, you might have a case against the supplier.

If your policy includes fraudulent instruction cover, protecting you against losses resulting from payments made to someone impersonating a client, vendor or employee with the intention of misleading you, then you should be protected against CEO email fraud.

Another outcome of invoice hijacking could be that you transfer client funds to a fraudulent account, and for law firms and solicitors the sums involved can run to hundreds of thousands. Conveyancers regularly handle significant sums of money, making them an attractive target for fraudsters both because the transactions are easy to identify and because of the potential returns. The same applies to private client teams handling trusts and estate administration work, or family breakdown matters that involve transfers to a number of parties; they too should remain alert.

The loss or theft of client funds is a matter of the firm’s liability to its client, and professional indemnity insurance is intended to cover the insured for any such liability for loss of funds. Again, coverage will still very much depend on the policy wording.

What about phishing for data?

Not all social engineering attacks try to mislead you into making financial payments; data has become just as big a commodity as cash. An example of a data breach due to phishing could be an email from a third party asking an employee to send them employees’ tax returns or payslips, or a fraudster impersonating a partner in a law firm and instructing the client relationship team to send him the client database containing confidential information. Where data loss occurs, even as a result of Social Engineering, this would typically be covered under the Cyber policy sections concerned with Liability for Loss of Data and Breach Response Services.

Other Social Engineering losses could potentially trigger a cyber policy. For example, an email is received containing an attachment or a link to a compromised website, and clicking on either results in malware being downloaded to the company’s systems. Loss resulting from the compromise of the firm’s systems through the introduction of malware is the type of loss that cyber insurance is intended to cover.

While we’ve discussed in some depth the overlap of policies when it comes to social engineering and phishing, there are other scenarios that are just as complicated. If you are looking to purchase cyber insurance, we’d recommend that you always consult your insurance broker before taking out any cover, or, if purchasing directly, that you read the wording very carefully. For more information on the issues covered by this article, visit our Cyber Insurance hub.

Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to 16/06/22.
