March 3, 2020 by Jason Contant
Your commercial client may think they are covered for all types of business email compromise (BEC) fraud automatically, but policy triggers are often nuanced, a speaker said recently at NetDiligence’s Cyber Risk Summit in Toronto.
“The biggest misconception of our clients is, they think that if they get this one endorsement on their crime or on their cyber policy, they’re covering all those situations, which is not the case,” said Brian Rosenbaum, national cyber leader at Aon in Canada.
An example of BEC could include the classic CEO fraud, in which a criminal impersonates an executive and tricks an employee into wire transferring money to the fraudster. But BEC encompasses so much more, including traditional computer fraud, fund transfer fraud, payment diversion fraud, and even organization-impersonation fraud.
“There’s an awful lot of confusion about this type of coverage and it’s very nuanced,” Rosenbaum said during the panel discussion Business Email Compromise and Wire Fraud. “When we’re talking about BEC, the traditional fact situation is such that you’ve got this fraudulent communication, and they’ve told you to send the money somewhere else, and of course you’re sending the fraudster the money.”
Brokers should look at policy wording to help clients understand differences in coverage. For example, look at what type of communication is included in the policy. Some are more limiting, covering only email or fax. “You want to have no limitations as to how that communication can be made,” Rosenbaum said.
Some policies limit who can be impersonated – a vendor, customer or employee, for example. They may use the word ‘owner’ or mention ‘new vendor’ or ‘existing vendor.’
What about property being transferred? Almost all policies will cover money and security, but what about actual property? Imagine a company that makes expensive widgets, or is working on a very expensive drug, and for some reason they’re trying to get you to ship it somewhere else, Rosenbaum said by way of example. “Some of that wording will cover those types of losses.”
For a client, confusion may arise because the fact situations may appear to be similar between traditional computer fraud, traditional funds transfer fraud, payment diversion fraud, or even organization impersonation fraud. But there are differences:
Human error is usually to blame for an incident, so safety nets need to be in place, said panellist Shelley Ma, director of digital forensics & incident response with Arete Advisors. “It doesn’t matter how much you educate: The user is always the weakest link, and they will always click on that phishing email.”
Ma offers tips for brokers advising their clients: