Insurers are increasingly looking to exclude social engineering fraud from standard crime cover as losses grow. Mark Rubidge of Arthur J. Gallagher advises risk managers to make sure they are covered and take steps to lower rates.
There has been a significant increase in the number of social engineering claims made under crime insurance policies in recent years. In the last two years alone there has been a spike in this type of fraud, with reported losses in 2015 doubling to nearly US$1bn.
This trend has resulted in insurers looking closely at the cover afforded under traditional crime policies, with social engineering or fake president exclusions becoming more frequently applied to the standard policy terms.
What is social engineering fraud?
Social engineering fraud occurs when a fraudster is able to deceptively manipulate an employee within the business to induce them to part with money or securities, potentially gaining the confidence of the employee to such a level that they breach internal protocols. This commonly involves fraudsters posing as genuine suppliers or colleagues in order to request a funds transfer.
These are sophisticated schemes with fraudsters able to replicate company letterhead paper and email addresses to such a convincing degree that many businesses have been duped into parting with funds over several transactions. Whilst we would expect good accounting protocols (for example double signatories, verification of supplier account changes etc.) to be in place, the human element risk, especially where false managerial pressure is applied, means that businesses may still be vulnerable.
Loss scenario examples
The three most common examples of social engineering fraud are:
Insurer response to social engineering fraud
Some insurers now seek to sub-limit or even exclude their exposure to social engineering fraud from their standard policy terms and conditions, with cover available by way of a policy extension, for which an additional premium is likely to apply. Furthermore, it is likely that a specific social engineering supplementary questionnaire will be requested to form part of the proposal to insurers prior to cover being afforded. This questionnaire will seek further information on the strength of the insured’s protocols to prevent fraudulent activity including:
The extent of responses to these queries will naturally vary, with clients that have few or no internal protocols subject to a higher premium or potentially not able to obtain cover at all.
The effect on capacity in the market
Due to the recent social engineering loss experience across several insurers, we have seen a number of markets looking to reduce their exposure to social engineering crime. Most insurers will still write at least £5m of cover; however, for limits exceeding £5m it is becoming more frequent to find a panel of insurers sharing the risk.
Premium rates still remain competitive, but we are mindful of the impact this reduction in capacity could have should losses continue to materialise at the current frequency.
Risk management advice
In order to help improve existing security measures against fraudulent activity, we would recommend reviewing internal risk management regularly, including:
In the current soft market, it is more crucial than ever that clients fully understand the scope of cover under existing policy wordings. With regard to crime policies, our recommendation is that full social engineering cover is agreed with insurers.
This is a developing risk and policies need to respond in full – any proposal from insurers to either sub-limit or exclude the social engineering risk should be refused. When setting up new policies, it is imperative that the full proposal, inclusive of the social engineering questionnaire, is completed and placed with an insurer that will provide full policy limit cover.
Mark Rubidge ACII is senior account executive at Arthur J. Gallagher.