Insuring Cyber Podcast: Social Engineering Risks Rising, but Cyber Coverage Still Lacks
The COVID-19 pandemic has upended the work environment in many ways, and cyber experts say one unfortunate result of the switch to remote work is an increase in cyber crime, particularly around social engineering threats.
“The bottom line here is similar to how in the aftermath of any kind of natural disaster or major event, it really breeds scammers and fraudsters,” says Erin Kenneally, head of Cyber Risk Analytics for property/casualty industry technology provider Guidewire, on this episode of the Insuring Cyber Podcast. “They come out of the woodwork, and the COVID-19 crisis made good on this pattern of calamities that attract these opportunistic cyber criminals.”
Social engineering is a particularly malicious type of cyber crime that capitalizes on human error. Through psychological manipulation, social engineering techniques trick a user into providing compromising information about an organization or access to its computer systems.
A common form of this type of attack is phishing, in which email is typically used to solicit personal information by pretending to come from a trustworthy sender.
John Farley, managing director of the US Cyber Practice at Gallagher, says later in this episode that the risk of social engineering attacks has escalated during the pandemic because of increased reliance on email and social isolation.
“[Employees] don’t have people just down the hallway from them. They don’t have someone that they typically converse with. They’re kind of on their own,” he says. “Where do they escalate issues? Do you necessarily know who to talk to if you see something happened or a phishing email coming in or something that concerns you from a cybersecurity perspective? Just the sheer isolation of people prevents a lot of communication, or impedes it at least.”
What’s more, despite the growth of cyber liability and data breach insurance, the cyber insurance industry overall has been cautious about stepping in to provide coverage for growing social engineering risks, Kenneally says. She adds that for some insurers, it’s simply a function of lacking new language to cover the losses. For others, concerns about risk selection and underwriting impede the coverage. Most insurers, however, still don’t consider social engineering a cyber risk at all, she says.
“From the insurance perspective, there’s no ‘direct fraud’ that has taken place, so the claim is that a hacker hasn’t penetrated a company’s systems and then effectuated the wiring of money to a fraudulent account, but rather the fraudulent transaction was actually given consent by a trusted employee,” she says. “Now, albeit this is under false pretenses, but that’s kind of how it’s broken down.”
She suggests that a separate endorsement needs to be deliberately added to a policy and rigorously examined to ensure it addresses social engineering risk.
Although concerns about social engineering have grown, particularly during the pandemic, Farley says an increase in cyber claims means that many carriers are continuously pulling back, rather than expanding, coverage.
“We’re seeing carriers are paying a lot more cyber claims than they ever did before,” he says. “The entire market is changing. It’s evolving along with the threats, along with the increased claims, and the terms and conditions change.”
Because of the hardening market, along with the looming risk of a cyber catastrophe event, Kenneally agrees that insurers will likely be reluctant to expand coverage into some of these risky areas like social engineering in the near future.
“The bottom line is I don’t really see carriers rushing to provide the coverage needed to address the quality and the quantity of risk on the ground for social engineering attacks in the near future,” she says.
Check out the rest of this episode to find out what else Erin and John have to say, and be sure to check back for new episodes every other Wednesday published along with the Insuring Cyber newsletter.