Placing You First Insurance Podcast by CRC Group

Cyber & Crime Policies: Protecting Against Social Engineering Fraud

CRC Group, Lori Wheeler, Jackie Leslie Episode 94

Learn more about safeguarding your business against one of the most insidious threats today—social engineering fraud. Join us as we sit down with specialists, Lori Wheeler and Jackie Leslie from CRC's ExecPro Practice Group, who share their invaluable insights into the growing prevalence and sophistication of these cyber threats. Gain a thorough understanding of how these scams have surpassed even ransomware in frequency and the severe financial toll they can take on businesses, especially smaller ones. Discover the critical steps your organization can take to secure adequate insurance coverage and protect against potentially crippling losses. Lori and Jackie also shed light on how AI technology is being weaponized to mimic voices and orchestrate fraudulent transactions. From accounting departments under pressure to real estate transactions, explore the urgent need for heightened awareness and robust safeguards in our increasingly connected world.

Visit REDYIndex.com for critical pricing analysis and a snapshot of the marketplace.

Do you want to take your career to the next level? Join #TeamCRC to get access to best-in-class tools, data, exclusive programs, and more! Send your resume to resumes@crcgroup.com today!

Amanda Knight:

Welcome back to the Placing You First podcast, where we tackle today's hottest topics in insurance. I'm Amanda.

Scott Gordon:

And I'm Scott. Social engineering fraud has become one of the most sophisticated and costly threats facing businesses today.

Amanda Knight:

That's right, and today we're exploring how businesses can protect themselves against this kind of risk and how to navigate the often confusing choice when it comes to cyber and crime policies, and how those work together.

Scott Gordon:

How are we going to do this, you might ask? Well, joining us are two specialists in the field, Lori Wheeler and Jackie Leslie, both directors with CRC's ExecPro Practice Group. Welcome to the podcast, everyone.

Amanda Knight:

This is the Placing You First podcast from CRC Group.

Scott Gordon:

This podcast features news and insights from a vast knowledge base of over 5,100 associates.

Amanda Knight:

Who write more than $35 billion in premium annually. Plus, we give you the latest information on what's happening at CRC this, this, this is the Placing.

Scott Gordon:

You First podcast.

Amanda Knight:

And now the hosts of the podcast, Amanda Knight and Scott Gordon.

Scott Gordon:

Let's start with the basics, I guess. So for listeners who may not be familiar, can you guys explain what social engineering fraud is and why it's becoming much more prevalent these days?

Jackie Leslie:

Sure, social engineering is basically financial loss. You lost money as a business when one of your employees is manipulated through a deceptive tactic to transfer funds. The loss is caused by the good faith transfer of money. Basically, they thought that they were sending it to the correct person and securities or other property could be a direct result of this fraudulent instruction given by a person.

Lori Wheeler:

So it's become so prevalent in the last gosh, probably since 2011, when the first losses started popping up in the industry and we had no coverage anywhere for it and the losses were few and far between and brokers were really struggling to find coverage under crime policies back then. And as the criminals got more sophisticated and things evolved, we are now seeing social engineering claims more prevalent and more frequent than ransomware claims, and everyone has heard about ransomware. It's well advertised in the insurance marketplace how important it is to quote ransomware coverage for your insurance under a cyber policy, and social engineering has been the sleepy claim that the industry really hasn't focused on. So, if you look at the stats, 98% of cyber incidents today involve some form of social engineering, which is the manipulation of the insured's employees to wire money to a bad guy. Business email compromise or social engineering losses accounted for $2.9 billion in losses last year, according to the FBI. And if we look at the numbers since 2021, ransomware claims were 29% of the losses seen in the insurance marketplace, social engineering was close at 27% and the average financial loss for social engineering claim was like $350,000. We moved to 2022 and now social engineering outnumbers ransomware 36% on the social engineering, 25% on ransomware, and the average loss for the social engineering claim is now $375,000.

Lori Wheeler:

So we go to 2023. Again, social engineering's in the mid 30% of all losses, ransomware's sitting in the low 20s, but now the average social engineering loss is sitting at $824,000. Wow, that's high. And so these losses are hitting every type of insured. If you use a computer to move money, you are exposed to this. IBM actually did a breach report in 2023, and they added legal fees, they added forensic cost and the average social engineering claim. According to them, when you add up the loss of your funds and all of the other expenses that go around it, it averaged out to $4.5 million. A small nonprofit organization and you suffer one of these losses, it is detrimental to your ability to continue as a viable organization. There are a lot of private companies that can't suffer these type of losses uninsured and survive. So this is why this coverage is so important is because the losses are so expensive.

Amanda Knight:

Sure, and do we have any idea why it more than doubled at that one point between 20, was it 22 and 23? From 375 to 800? Does AI play a role in that? Because they're getting trickier and smarter? What's happening?

Lori Wheeler:

AI was not playing a role in that. Previously, it has reared its ugly head, and we'll talk about an AI example. When we talk about some examples of claims, what it is is the bad guys got very good at what they were doing and so they became more sophisticated in their attacks and they were able to get more money. They were able to get not just one wire transfer, but we were seeing multiple wire transfers going to the bad guys before our insureds were figuring out that they had been duped.

Amanda Knight:

Oh, that's heartbreaking. And I know once that money is wired it's my understanding it can be very difficult to get it back any of it, let alone a substantial portion. So let's talk about protection, right? Both cyber and crime policies provide coverage, but cyber policies are often sublimited. So let's sort of talk through some of the sublimits, or where those sublimits maybe should sit, where they should be, where we'd like them to be. Because I feel like maybe there are some smaller private companies out there that don't fully understand how cyber and crime policies work together. You think, if you've got a cyber policy, well I'm good. This was something that happened over my computer. I mean, I feel like that might be something you hear frequently, or at least that our retail agent partners hear a lot.

Jackie Leslie:

So most of your cyber policies, the main exposure that they're looking to cover is not that cyber crime, social engineering, right, it's first party, third party, which first party would include the loss of those funds. But they're really looking to sublimit that to $250,000. Some have started offering $500,000, but that's the max. We can't seem to negotiate higher than that. That is what they are willing to offer. You could have a cyber policy that is $20 million in limits and you might still just have that measly 250,000 sublimit, which will not protect most of these large businesses, whereas on a crime policy you can negotiate higher limits. They are more apt to understand the coverage, to underwrite the coverage and charge for the coverage. So that can go up as high as $20 to $30 million. In a domestic market carrier that we have CRC has actually we have an exclusive product where we can go up to $150 million for social engineering. That's awesome. So again, you can go up to $150 million in coverage or you can be capped at $250,000.

Amanda Knight:

That's a big difference.

Lori Wheeler:

So your crime policies do not have aggregates. They have a per loss limit. So if we have a crime policy with social engineering coverage, let's say we've got a million dollars, that would be a million dollars for every social engineering loss you have during the policy period. On the other side, we have cyber coverage, which is written on a policy aggregate. So on the cyber policy, if you have a 250 sublimit, that is the max that the carrier is going to pay out for the entire policy period, regardless of the number of losses. And, Amanda, it's really interesting that most agents again, because this is a sleepy type loss that's not well advertised most agents will accept the sublimits on their policies and not even think about it.

Lori Wheeler:

What we are trying to get across to our agents is you've got to talk to your insureds. What is your largest average monthly wire transfer that you send out? And we as an agent should be placing the insurance to cover that loss. So if I wire my office supply vendor every month $100,000, I have to make sure my social engineering limit is going to cover that. I have one insured that wires up to $200 million in one wire and they do this frequently during the month. It gives me just a heart attack to think that that money is being wired.

Lori Wheeler:

And in this case I'm in the domestic markets and they made the decision to purchase $20 million. That's all they have from a wire standpoint. So every year I'm showing them higher limits that the protection is available to them, especially now with the new InsureTrust CRC product, I can get you those higher limits. It's not cheap, but also having a $200 million wire go awry is also going to be not cheap. So, as agents, we really have to talk to our insureds and it's very easy to find out what's your biggest wire every month and that's where you've got to set that limit. So if they have that catastrophic loss, we've got it covered.

Amanda Knight:

I think it's really easy for people to assume that, I know I do this sometimes, like, I would never fall for that. I am, you know, I know what to do, or this wouldn't happen to me. But I feel like cyber criminals are getting more and more sophisticated. They change tactics and if you're think about this time of year, if you're in accounting or payables, it's insane, right? With year-end close and all the things people have going on. I don't know that it's that we're not smart, it's that we're busy and distracted and then it's easy to make a mistake and then it's too late. I think that we were going to talk next about some real world scenarios. Can either of you think of an example of a social engineering attack, how it went right or wrong when it came to the insurance in the scenario?

Lori Wheeler:

Yeah, I've got a good claim example. That really is just a very typical social engineering attack. It was one of my insureds non-profit university looking to purchase a bus to move their athletic teams around. They were spending about $750,000 on the bus. The CEO of the university I mean, this is not an accounting employee, this was the CEO was communicating back and forth with the salesman at the bus company. There is a cyber criminal sitting and watching the communication between the two parties and the CEO asked when they could get delivery of the bus and the bad guy jumped in and intercepted that email to the salesman, responded, as the salesman, and said well, if you'll wire the funds to the following account, we will bring you delivery of the bus on Monday. So the CEO's like great, I'll get the CFO involved. Blah, blah, blah. We look forward to seeing you Monday morning.

Lori Wheeler:

Monday rolls around, no bus. CEO calls the salesman and says hey, when are you going to be delivering the bus? And the salesman's like well, we can't deliver until we receive payment. You know, when do you want to do this? And he's like what do you mean? When do I want to do it? We were set up for this morning. They discover that the money's been wired to the bad guys. And Amanda, to your point, once funds hit a US bank they can be immediately swept out of that account. The European banking system is a little different than the US banking system. There is a delay there where you can't sweep funds immediately, but in the US, once they hit, they're live and active, you can sweep them out. That money was well gone. So the university again, a nonprofit small university lost $750,000 and no bus.

Lori Wheeler:

I was going to ask if they got any of it back, and I bet the answer is no, they got $50,000 back because that was what was on their crime policy, and you know this was a hard lesson learned as a broker that you know. Again, this is when I started asking my insureds tell me about your wire transfers. What kind of money are we talking about? And you know and here's your AI example Amanda, and this is-site having an off-site board meeting. An accounts payable employees back in the office gets a Zoom request from one of the board members for a meeting. They join the meeting. There's all of the board members. We're discussing a potential merger that the company wants to participate in. The board instructs this payable employee that we need to move $9 million in US dollars to this account in order to get this transaction going. The board members are speaking to her. She is looking in their faces, they are interacting and every bit of that board meeting the board members was all AI generated.

Lori Wheeler:

That employee thought they were talking to their board CEO, CFO there is no one to walk down the hall and verify this with, because I'm looking at you and speaking to you wired that money and it was gone, and so this is where we are at. They are even just simply digitizing or doing the AI on people's voices and giving telephone instructions to employees. So I, as a CEO, am out of the office. A bad guy is monitoring my emails, knows that I'm out of the office. At that point they take my voice, call my accounts payable clerk and say hey, I'm out of the office. I need you to wire $100,000. I'll give you the instructions later.

Lori Wheeler:

You know the documentation later, but go ahead and wire this money. It is my voice, I'm not in the office, so she knows she can't walk down the hall and verify it. She wires the money. So the AI factor in today's world is becoming an issue that crime and cyber underwriters are having to address. When it comes to social engineering, we do have one carrier who specifically endorses their policy to say that an AI social engineering scheme will be paid. Other carriers have taken the position. This is again just a fraudulent instruction meant to manipulate your employee to transferring funds, and so they say it's already covered. But it's definitely an issue that, as an industry, we're going to have to keep an eye on.

Amanda Knight:

Wow, I'm a little terrified now, and I don't even transfer money via wire.

Lori Wheeler:

Well, getting off topic of commercial insurance, this is rampant in real estate as well, where they are trying to get individuals you and I, when we purchase a house to wire transfer our escrow down payments to the bad guys. And it is rampant and in 2018, when I was purchasing a house, it happened to me, but I'm so in tune with this whole social engineering. I looked at the email and laughed because it was not my title agent's email address, it was not my real estate email address and I knew immediately it was a fraud. And they told me I'd get a 5% discount if I wired my escrow money early. You and I aren't insured for that and if I would have lost that money, I would have been homeless. I can't regenerate that money to get into a house. It's really sad.

Amanda Knight:

Yeah, it absolutely is.

Scott Gordon:

Wow, for those of you just joining us, that was Lori Wheeler. She was not reading the plot from the latest Mission Impossible movie. That was real stuff. That's actually happening and that's crazy. I mean, think about it. People used to have to rob banks and trains and everything. Now it's all just a click away if you can break that code or pose as that person.

Amanda Knight:

actually, you know safe deposit boxes where you have a key and the bank employee has a key and it's time to make a wire transfer Do we have both keys. Yeah, got to be physically present to make a wire transfer because everybody is so sneaky.

Lori Wheeler:

I used to laugh at my mother, who was in her 80s, and she got to the point to where either my sister and I were paying her bills on a monthly basis and both of us said mom, we're going to go online and just pay your bills online. And boy did she rip us a new one that was on her watch. She said I don't care what you people think about how easy it is to pay bills online. She goes here is my checkbook and you better write this check out and mail it the old fashioned way. She wouldn't use an ATM, she wouldn't use a debit card. My mother was writing checks until the very end and, quite honestly, she wasn't wrong.

Amanda Knight:

I was going to say I kind of think maybe your mom was on to something. She wasn't.

Lori Wheeler:

No one was going to steal her money that way. That's true.

Scott Gordon:

How does working with CRC benefit agents and their clients when it comes to this stuff?

Lori Wheeler:

I think it's really important that if you're going to do a good job for your insureds, that when a broker is representing you we don't want to just represent you on the crime, we want to also represent you on the cyber, because the coverage sits on both of those policies. It's very important that when Jackie and I are placing your insurance that we see both of those policies and we know how the other insurance clause in both policies work. Because if I've got a crime policy with a five mil social engineering limit but with a $25,000 deductible and then I have a cyber policy with just that 250 limit and they've got a $75,000 deductible, I honestly want my crime policy to respond first because the deductible is lower and I want my payment to come out of there, and then if I have anything left like it was a $6 million loss then I want to go over to my cyber policy. Have it be excess of the coverage I had with my crime carrier and I want them to recognize that my insureds already paid their $25,000 deductible. They've already paid out $5 million from an insurance proceed and I want that to erode my cyber deductible of 75K and their coverage to just kick in and pay their 250 limit, and so it's coordination of coverage that's so important, and if I'm only handling your crime, I'm going to be blind as to what's happening on the cyber.

Lori Wheeler:

So CRC can be invaluable to a retail agent. If you let us look at handle these two coverages in particular for you, so that that coverage coordination is there. We also have access to that facility, which is unique in the industry, guys. Getting $150 million worth of social engineering coverage is almost impossible here in the US with domestic carriers, but the ability to go into London and have a group of syndicates that are all prepared and ready to go for our insureds is invaluable, and that's something that is unique to CRC and we're quite proud of it.

Lori Wheeler:

The other thing is, when you come to CRC, who specializes in these coverages, we can manuscript that coordination of coverage between the two carriers for you. Even better, we can try to coordinate your crime coverage and your cyber coverage potentially with the same carrier, and so there's no finger pointing there. If the same carriers on crime and cyber, we all know we're on that claim right. And so, again, coverage coordination, the ability to manuscript and our unique facility is the reason why you want to access us for this coverage. I know you guys sell yourselves, man, I love it.

Scott Gordon:

Good job. So I feel like that we've learned a lot about our subject today, and we can either get out of class a little early or we can play a fun game that Amanda and I like to call rapid fire.

Jackie Leslie:

Okay, let's do it.

Scott Gordon:

That's two for fun games. We're the hosts, so we outrule y'all. You guys have to answer the questions, though, and the first one is what food can you not live without?

Amanda Knight:

Bread. Same. Chocolate, oh also same. I'll take that chocolate on some bread, yeah, in bed. So chocolate croissants, yes.

Scott Gordon:

My grandmother used to always say you can't live on bread alone, and I was like watch me. So and okay, question number two what was the last thing that you binge watched? Shrinking. If you have Apple TV, Shrinking is an amazing show and the soundtrack is on point. Yes, it is, and Harrison Ford is a treat and a delight.

Lori Wheeler:

Ladies and gentlemen, I'm as shocked as the next guy. Well, I actually binge watched all this week the new episodes of Queer Eye for the Straight Guy that were in Vegas. But if you need a more politically correct answer, Bridgerton. Bridgerton was the last thing, the last season of Bridgerton, or the British Bake Off. So those are the three. I just finished British Bake Off, which I adore. Queer Eye, the new Las Vegas episodes have been really good, and then Bridgerton.

Scott Gordon:

How's the new guy on Queer Eye? Because I really liked Bobby and he's no longer there.

Lori Wheeler:

The new guy is lovely. He gets so emotional this whole series, every time someone walks in and sees his work and the actual person they're redoing. I mean he has had every single one of them in tears. When they walk into their house and he gets so emotional he just starts crying and all the other guys are over there hugging him and he's so emotional over it. It's really sweet this year. I mean, the people they made over were really good.

Amanda Knight:

Social engineering fraud is a serious risk, but with the right knowledge and preparation, businesses can protect themselves. Lori and Jackie, thank you so much for sharing your time and expertise with us today. You are very welcome, thank you. Thank you for having us on. You can visit CRC Group's website or reach out to your CRC broker for tailored advice and support, and don't forget to follow us on LinkedIn for regular updates and insights. Thanks for tuning in to the Placing You First podcast. We'll see you next time.
