Knowing the distinctions between the various Computer and Transfer Fraud insuring agreements is key to understanding the scope of potential coverage available under your commercial crime policy and will assist in filing a proof of loss should you experience one.
Computer-based attacks committed by third parties (non-employees) can come in a variety of different and constantly evolving forms, leaving some buyers of crime insurance wondering “where do I find coverage under my crime policy?”
This is a quick look at some of the less understood insuring agreements that can come into play when your company is the victim of a computer-based attack that leads to direct financial loss.
Computer-to-Computer Systems Fraud
Most commercial crime insurance policies will include an insuring agreement called Computer Fraud or Computer-to-Computer Systems Fraud.
How it’s done – A pure computer-to-computer situation where a “hack” of the Insured’s computer systems by a third party gives them control of or access to the Insured’s computers. This access directly causes money or tangible property to be fraudulently transferred to a place or account not in the control of the Insured.
The direct access to the insured computer system needs to be what causes the loss. This insuring agreement won’t respond when fake emails cause you to initiate a transaction to transfer or otherwise part with your money, or if that access enables the third party to steal important or confidential information.
Be mindful – The penetration points here are the same weaknesses that hackers exploit when targeting your sensitive data. Companies are encouraged to, among other things, use intrusion detection systems, ensure patches are up to date and perform vulnerability assessments to know where their weak spots are. Network and system security is often spoken about in the context of “Cyber Liability” but it is hugely important here as well. Make sure that financial as well as other key operational systems are included within the “ring of protection” and not only your sensitive or confidential information.
In truth, we don’t see many claims fall under this insuring agreement these days because there are other ways of easily getting an Insured’s money that are far more effective.
Funds Transfer Fraud
The nearly universal adoption of online banking by commercial entities has made this a very important coverage for Insureds.
How it’s done – A third party directly sends fraudulent instructions to an Insured’s financial institution, purporting that the instructions came from the Insured – but where those instructions were transmitted without the Insured’s knowledge or consent.
The most common situation here is where a third party somehow gains access to the Insured’s banking credentials (username, password and in many cases access to temporary PIN or token credentials), and logs in to the website or portal to instruct the financial institution to move money out of the Insured’s accounts and into accounts held by the third party.
Be mindful – Access to the credentials is usually obtained by tricking employees into logging in to fake banking websites (designed to look authentic but controlled by the fraudster) or by installing malicious software on the Insured’s computer to gather the necessary information for the third party – typically via phishing or scam emails sent to the Insured’s employees. The Insured is not aware of the transaction taking place until sometime after the financial institution has acted upon the fraudulent transfer instructions.
Fraudulently Induced Transfers
Commonly known as “Social Engineering Fraud”, this isn’t actually a computer-based fraud but often gets lumped into the same discussion because email is currently the most common medium to carry out these frauds.
Only a few insurers, including The Guarantee, will offer this particular coverage as an extension to a crime policy by endorsement, and nearly all are materially restricting the limits available. This industry-wide restriction is due to the apparent lack of success Insureds have had in mitigating this threat. This coverage is not typically included in the base policies of most major crime insurers, but rather needs to be applied for and purchased separately.
How it’s done – This type of attack has the look and feel of genuine correspondence but will be a third party fraudulently impersonating a client, a vendor or an executive of the Insured, with the intent of tricking the Insured into transferring money to them under false pretenses. Due to the trust factor and credibility associated with the person being impersonated, the Insured authorizes the transfer, sending the money to the fraudster.
Be mindful – In order for this type of attack to be successful, it requires failure of the Insured’s due diligence in ensuring the instructions were authentic. This is the most common of the three fraud scenarios simply because fraudsters are having so much success with it. Many Insureds fall prey to this scam either with little knowledge that such a scam exists or with virtually no controls in place to specifically address this exposure. The unsuspecting victims are the employees having to make value judgments, who are often operating in stressful and time-sensitive environments.
For more information on Computer and Transfer Fraud or Commercial Crime Insurance, visit our website, connect with us or consult your broker.
Joshua Laycock is The Guarantee’s National Fidelity Product Manager responsible for the maintenance and development of underwriting standards, product innovation and supporting strategies for one of Canada’s largest Fidelity insurance portfolios. He started his career over 10 years ago working with a multi-national insurance brokerage in Toronto as a broker and client executive in the Financial Institution and Professional Services industry practice before moving to the company side five years ago. He has a BComm from the University of Toronto and holds the Chartered Insurance Professional (CIP) and Registered Professional Liability Underwriter (RPLU) designations.
Please be reminded that the following blog/article is intended to be used for informational purposes only and nothing contained herein shall be deemed to provide legal, technical or other professional advice or to represent actual or potential coverage under any insurance contract. At all times, the specific issued policy in its entirety including all definitions, conditions and exclusions is to be used when determining the scope of potential coverage under The Guarantee insurance products. The Guarantee Company of North America disclaims all warranties whatsoever.