In our last column, we highlighted two types of coverage that are now found in most cyber-risk insurance policies, but which have traditionally been the subject of "property" and "theft and misappropriation" policies: business interruption and social engineering fraud.
This coverage is intended to compensate for the loss of income that an insured could suffer due to the interruption of business caused by a covered loss. Whereas under a property insurance policy, coverage would be triggered by the occurrence of a loss such as fire or water damage, this is not the case under a cyber-risk insurance policy. While the intent of the coverage is similar, it will be triggered by the occurrence of a network security breach that paralyzes the insured’s operations.
Some policies provide for a benefit period until the date the business resumes, subject to a maximum number of days (generally between 30 and 180), while others extend the benefit period until the insured regains the level of activity that would have occurred had the breach not occurred, again subject to a maximum period. Instead of a dollar deductible, a number of days deductible applies; therefore, the benefit period begins after this waiting period, which is generally 8 to 24 hours.
Some policies also include an “extra expense” benefit to cover expenses incurred by the insured to speed up the return to business and thus reduce the loss of income. These may include employee overtime expenses or prompt delivery charges, for example.
Do you think this is a somewhat unnecessary addition to a cyber risk insurance policy? This sample claim could convince you of its importance:
A clothing retailer, ABC Inc. has been the victim of a hacker who, by introducing malicious code into its operating system, has completely paralyzed its computer network. ABC Inc. makes 60% of its sales online. To add insult to injury, the attack on the network’s security occurred just before the holiday season, which is obviously a very busy period. Fortunately, ABC Inc. subscribed to an insurance policy against cyber risks that included Business Interruption coverage. By acting quickly, the insurer’s intervention team allowed ABC to resume operations 2 days later and compensated it for the loss of income, which amounted to nearly $40,000.
Social Engineering Fraud
Social engineering frauds, also known as “president’s frauds”, have become a real scourge in recent years and do not only affect large organizations known to the public. More and more small and medium-sized businesses are being targeted by fraudsters whose methods are constantly being refined.
Social Engineering Fraud coverage protects an insured against financial loss resulting from a transfer of funds made in good faith, but based on fraudulent instructions from an impostor. Typically, fraudsters target an employee of the targeted organization with the authority to transfer funds. They communicate with this employee, by telephone or by e-mail, posing as the CFO, for example. They will often invoke an unforeseen situation requiring an urgent transfer of funds or a change in a supplier’s bank account. The employee, thinking that he or she is carrying out their boss’s instructions, unwittingly participates in a misappropriation of funds to the bank account of a fraudulent organization.
While the intent of this coverage in an e-Policy is similar to that found in a “theft and misappropriation” policy, it is not triggered in the same way. Whereas with a “theft and hijacking” policy this coverage would be triggered if the insured can demonstrate that he or she has suffered a loss due to fraud, with a cyber-risk policy the fraud must be the consequence of a breach of security (usually unauthorized access to the operating system).
The best way to guard against this type of fraud is to have adequate procedures and controls in place, both in accounting practices and computer security, for example, confirming payment instructions through a communication channel separate from the channel through which the instructions were received.
In our next column, we’ll look at a few things that can make a difference in determining the extent of coverage provided by a cyber-risk insurance policy.