Canadian Underwriter

Are your clients covered for social engineering fraud?


November 27, 2017   by Greg Meckbach, Associate Editor



Brokers should not assume that a client who has bought a cyber or crime policy is covered for the risk of innocent employees who are duped into making fraudulent money transfers.

‘Social engineering fraud’ is a broad term describing scams in which criminals try to trick, deceive and manipulate victims into giving out confidential information and funds, as Interpol states on its website.

Endorsements are available for covering social engineering fraud, but brokers will need to inquire about them, lawyers warn. Some social engineering schemes may not be covered as part of a standard crime policy for ‘Funds Transfer Fraud.’

For example, an Alberta court case recently confirmed that coverage for social engineering under a crime policy for ‘Funds Transfer Fraud’ applies only when the fraudster implements the transfer without the knowledge or authorization of the insured company’s employees, wrote Ryan Burgoyne, a Fredericton-based insurance litigation lawyer with Cox & Palmer, in a paper, A New Realm: Cyberspace, Cyber Liability and Cyber Liability Insurance, announced Nov. 17.

Coverage does not apply when the insured company’s employees knowingly make the fraudulent transfer without being aware that they have been duped into doing so. This is the fact situation laid out in the Alberta Court of Queen’s Bench’s ruling in Brick Warehouse LP v Chubb Insurance Company of Canada.

In August 2010, two Brick employees were contacted by people claiming to be from a supplier, Toshiba. One Brick employee indicated that Toshiba was changing its bank account to the Royal Bank of Canada. The bank account did not actually belong to Toshiba, but rather to a victim of fraud, who was duped into transferring money to someone else.

The Brick changed Toshiba’s banking information. As a result, more than $300,000 was paid into the RBC account before The Brick discovered the fraud and reported it to police. The Brick was able to recover about $114,000 and filed a claim of about $224,000 with Chubb.

Chubb denied coverage for the claim. In the policy Chubb wrote for The Brick, Chubb defined funds transfer fraud as “the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.”

Anne Juntunen, an associate with Lerners LLP, which represented Chubb, said the insurer’s wording for the crime policy written for The Brick is “fairly close to the standard wording” in commercial crime policies.

Alberta’s Court of Queen’s Bench upheld Chubb’s denial of coverage. The court found the transfer was done with the insured’s knowledge and consent because a Brick employee did give instructions to the bank to transfer funds out of the company’s account.

“What we are learning from what the courts are telling us is that the traditional wordings that have been out there for decades aren’t really designed to cover a social engineering scenario, which is a relatively new pattern that’s been coming up recently,” Anne told Canadian Underwriter Monday. “You might have coverage – maybe – for social engineering if you buy a standard standalone cyber policy.”