In recent years, cyber fraud has emerged as one of the most significant threats facing organisations of all sizes. Cyber attacks (such as data breaches and hacks) cause devastating damage to small and medium-sized businesses: business disruption, revenue loss, legal fees, reputational damage and more. Although the average business loss is £35,000, it varies widely, with some UK companies reporting losses of up to £18.5 million according to the nation’s fraud and cyber-crime reporting centre, Action Fraud.
As a result, cyber liability insurance has fast become an essential component of every business’s risk management programme. However, because cyber policy wordings vary considerably, several misconceptions have arisen about what a cyber insurance policy does and does not cover.
Does Cyber Insurance Cover CEO Fraud Email Scams?
One of the most common areas of confusion is phishing: scams that trick people into taking an action or divulging sensitive or confidential information. Many cyber attacks fall under the heading of phishing, but the CEO fraud email scam (also known as ‘bogus boss’, ‘whale phishing’, ‘insider spoofing’, company exec spam and business email compromise) is often the most expensive and the most problematic from an insurance point of view.
Cyber liability insurance addresses the first- and third-party risks associated with e-business, the Internet, networks and information assets, protecting your business against exposures arising from online breaches and cybercrime. Phishing attacks, however, involve a large element of human error rather than a technical breach, so they have the potential to trigger different insurance policies, not just the cyber policy.
By understanding the risks involved in the CEO email scam, you can boost your defences and better protect your company from cyber-criminals.
CEO Fraud Case Study
The following case study, based on a real-life medium-sized company that fell victim to a CEO fraud scam, illustrates the insidious and subtle nature of the crime.
An accountant at the company received a phone call from an unknown caller, who told her to expect an email from the CEO with explicit instructions to carry out a financial transaction. The accountant then received an email that appeared to come from the CEO, explaining that the company was purchasing a business in Cyprus and that a consultant would phone to explain where the money should be transferred.
The accountant received several more emails and phone calls, all demanding that she act quickly so that the deal did not fall through. Under the fraudster’s repeated urging, the accountant authorised £372,000 to be transferred to the fraudster’s account. The company’s bank held up three of the approved wire transfers, but one worth nearly £100,000 still went through. All of this happened within three hours, which is typical of a CEO fraud email scam: fraudsters pressure employees to act quickly and without hesitation.
In this situation, the financial loss from the fraud would be excluded from the primary coverage provided by the company’s cyber policy, because the incident involved no breach of the company’s systems and no loss of business data such as customer records.
The fact that a fraud was carried out by email does not in itself make the financial loss a cyber incident. Here the accountant was persuaded to transfer the money by a fraudulent phone call and email, so the insured is a victim of crime in exactly the same way it would be if it had been persuaded to transfer money as the result of a fraudulent telephone call, meeting or letter.
If the policy included a ‘fraudulent instruction’ extension, covering losses from payments made to someone impersonating a client, vendor or employee with intent to mislead, the company would have been protected against CEO email fraud. Likewise, if the fraudster had sent the email from a genuine internal account, the security of the company’s network would have been compromised and the company would have had a claim under its cyber policy. Whether the message was merely made to look like the CEO’s or was actually sent from the CEO’s mailbox is therefore a question worth answering early, because it can decide which policy responds.
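The following is an added example, not part of the original article or any insurer’s material, showing how an investigator can separate the two cases the article distinguishes: an external message dressed up to look like the CEO’s (lookalike domain, executive display name, Reply-To pointing elsewhere, DMARC not passing) versus a message that genuinely came from an internal, authenticated account. The company domain `example.co.uk`, the CEO name “Jane Smith”, the threshold of two edits for a lookalike domain, and the three sample messages are all assumptions constructed for this example; the only real dependency is that the inbound mail gateway stamps an `Authentication-Results` header, which most do.

```python
"""Added example: classify a suspected CEO-fraud email as an external spoof or a
genuine internal account, based on its headers. Everything below (domain, CEO
name, sample messages) is constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"   # assumed company domain
EXEC_NAMES = {"jane smith"}         # assumed CEO display name, lower-cased


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str) -> bool:
    """True if the sender's domain imitates ours (typo-squat or same name, other TLD)."""
    if domain == COMPANY_DOMAIN:
        return False
    ours = COMPANY_DOMAIN.split(".")[0]
    theirs = domain.split(".")[0]
    return (theirs != ours and _edit_distance(ours, theirs) <= 2) or ours in theirs


def classify(raw: str) -> dict:
    """Return a verdict plus the individual indicators that support it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    reply_dom = _domain(reply) if reply else from_dom
    auth = msg.get("Authentication-Results", "").lower()
    dmarc_pass = "dmarc=pass" in auth
    internal = from_dom == COMPANY_DOMAIN

    flags = []
    if name.strip().lower() in EXEC_NAMES and not internal:
        flags.append("executive display name on an external address")
    if _lookalike(from_dom):
        flags.append(f"lookalike domain {from_dom}")
    if reply_dom != from_dom:
        flags.append(f"Reply-To redirects replies to {reply_dom}")
    if internal and not dmarc_pass:
        flags.append("From claims our domain but DMARC did not pass (forged From)")

    # Only a message that both comes from our domain and passed DMARC is
    # evidence that a real internal mailbox sent it.
    verdict = "authenticated internal account" if internal and dmarc_pass \
        else "external or spoofed sender"
    return {"verdict": verdict, "from_domain": from_dom, "flags": flags}


# Constructed samples (not real messages).
SPOOF = """From: Jane Smith <jane.smith@exarnple.co.uk>
Reply-To: Jane Smith <jsmith.ceo@freemail.example>
To: accounts@example.co.uk
Subject: Urgent: Cyprus acquisition payment
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=exarnple.co.uk; dmarc=none

Please action the transfer today. Our consultant will phone with the details.
"""

FORGED_FROM = """From: Jane Smith <jane.smith@example.co.uk>
To: accounts@example.co.uk
Subject: Urgent: Cyprus acquisition payment
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=example.co.uk; dmarc=fail

Please action the transfer today.
"""

GENUINE = """From: Jane Smith <jane.smith@example.co.uk>
To: accounts@example.co.uk
Subject: Urgent: Cyprus acquisition payment
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk; dmarc=pass

Please action the transfer today.
"""

if __name__ == "__main__":
    for label, sample in (("SPOOF", SPOOF), ("FORGED_FROM", FORGED_FROM), ("GENUINE", GENUINE)):
        print(label, classify(sample))
```

Run it on the raw `.eml` of the message the accountant acted on. A verdict of “external or spoofed sender” with flags such as a lookalike domain or a redirected Reply-To supports the article’s view that no company system was breached, which points toward a crime or fraudulent-instruction claim; an “authenticated internal account” verdict means the CEO’s mailbox itself was used, which is the compromised-account scenario the article says would bring the cyber policy into play and which should also trigger an account-compromise investigation.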