The risk of social engineering and spear phishing cyberattacks continues to rise, but the insurance industry still struggles to place the risk, an expert has said.
Samuel Rogers, national practice leader for cyber risk at JLT, said that targeted attacks aimed at duping employees into making payments are still challenging for the industry.
“The question is: do we want to cover clients?” he told Insurance Business. “As a broker, my job is to get the best coverage I can for my clients, and obviously I would like them to, but I can understand the difficulty for underwriters in covering social engineering fraud.”
Social engineering fraud is more commonly linked to crime policies than cyber policies, Rogers said, as underwriters find it easier to understand such an incident as fraud.
“A cyber insurance policy generally doesn’t cover pure financial loss, however, and that is normally the end result from your average social engineering attack,” Rogers said. “An attacker is trying to dupe the victim into transferring funds of their own volition.
“Normally, a fraud loss is covered under a crime policy but if you look at the actual methodology involved in it, it doesn’t always necessarily fit within the definition of a crime policy because a crime policy in its most rudimentary form is designed to cover an employee taking bills out of the till.
“Ultimately, it is the insured making that transfer rather than having the money stolen from them… so it is quite challenging for the insurance market to get their head around that because the losses that can be incurred there can be quite significant.”
Rogers said that some cyber policies, often in the SME market, can include an extension to cover social engineering fraud but it is more common to adjust a crime policy with sub-sections and sub-limits to cover the risk.
In a bid to manage the growing risk, Rogers said that he expects insurers to take a keen interest in the procedures businesses are putting in place to ensure that they have control over financial transactions.
“What I think we are likely to see is an increased focus from insurers on dual factor authentication, or co-signatures for significant financial transfers,” Rogers continued. “There is going to be an increased expectation on insureds to take steps to mitigate their own exposure to this kind of thing and ensure that they have proper procedures in place so that if there is that kind of transfer, it is signed off by at least two people.”
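The two-person sign-off Rogers describes is straightforward to enforce in a payments workflow. The following is an added example, not code from the article, JLT or any insurer: it models a payment request that, above an assumed threshold, cannot be released until two distinct people have approved it, and it also blocks the requester from approving their own transfer (the segregation-of-duties rule that makes the control meaningful against a single duped employee). The threshold, the usernames and the sample requests are constructed for illustration.

```python
"""Dual-control (two-person) sign-off for outgoing payments.

Added example, not from the article or JLT: models the control Rogers
describes, where a significant transfer must be approved by at least two
people before it is released. The threshold, roles and sample requests
below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed policy: transfers at or above this amount need two distinct approvers.
DUAL_CONTROL_THRESHOLD = 10_000.00


@dataclass
class PaymentRequest:
    request_id: str
    requester: str            # the employee who raised the transfer
    beneficiary_account: str
    amount: float
    approvals: list = field(default_factory=list)   # approver usernames

    def required_approvals(self) -> int:
        return 2 if self.amount >= DUAL_CONTROL_THRESHOLD else 1

    def approve(self, approver: str) -> None:
        # Segregation of duties: the person who raised the request cannot
        # sign it off, and one person cannot count twice.
        if approver == self.requester:
            raise PermissionError(
                f"{approver} raised {self.request_id} and cannot approve it")
        if approver in self.approvals:
            raise ValueError(f"{approver} has already approved {self.request_id}")
        self.approvals.append(approver)

    def is_releasable(self) -> bool:
        return len(set(self.approvals)) >= self.required_approvals()


def release_payment(req: PaymentRequest) -> str:
    """Return a status string; only fully signed-off requests are released."""
    if not req.is_releasable():
        return (f"HELD {req.request_id}: {len(req.approvals)} of "
                f"{req.required_approvals()} approvals")
    return f"RELEASED {req.request_id}: {req.amount:.2f} to {req.beneficiary_account}"


def demo() -> dict:
    # Constructed sample: one large transfer of the kind a spoofed "urgent"
    # executive email would ask for, and one routine small payment.
    large = PaymentRequest("PR-1001", "alice", "GB00 TEST 0000 0000 0000 01", 48_500.00)
    small = PaymentRequest("PR-1002", "alice", "GB00 TEST 0000 0000 0000 02", 2_300.00)
    results = {}

    large.approve("bob")                 # one sign-off is not enough
    results["large_after_one"] = release_payment(large)
    large.approve("carol")               # second, distinct approver
    results["large_after_two"] = release_payment(large)

    small.approve("bob")                 # below threshold: one approver suffices
    results["small"] = release_payment(small)

    try:
        large.approve("alice")           # requester trying to self-approve
    except PermissionError as e:
        results["self_approval"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real system the approvals would be recorded with the approver's authenticated identity and a timestamp, and the threshold would come from the organisation's payment policy rather than a constant; the logic above is the part that makes a single compromised or duped employee insufficient to move the money.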