Phishing scams continue to be a significant exposure for businesses, with an increase in attacks over the past three years, but insurance coverage for the exposure is often limited by policy provisions.
Policyholders seeking coverage for phishing-related losses will find it available primarily in cyber liability or tort policies, but it’s usually subject to sublimits, experts say.
Policyholders should explore other policies for additional opportunities to obtain coverage for phishing losses, they say.
A report issued by the FBI in May said sophisticated fraud targeting businesses and the individuals handling money transfer requests increased 65% between July 2019 and December 2021.
Disputes about coverage for the frauds have arisen. In one case, the Illinois Department of Insurance filed a lawsuit in July against units of Hartford Financial Services Group Inc. and Munich Reinsurance Co. to recover $3.98 million stolen in a phishing scheme that targeted two bankrupt auto insurance companies.
Munich Re unit Hartford Steam Boiler Inspection and Insurance Co. paid $250,000 under the companies’ cyber policy social engineering coverage but denied the claim under their computer fraud coverage. Hartford Financial denied coverage under its financial institution bond.
“For all practical purposes, the sublimit is just an exception,” said Rukesh Korde, a partner with Covington & Burling LLP in Washington, who is not involved in the case.
In claims litigation, there’s often a question of whether a wire fraud loss is subject to a lower coverage limit, said Scott Godes, a partner with Barnes & Thornburg LLP in Washington. Insurers sometimes say a loss is subject to a sublimit without conducting a thorough investigation of the claim, he said.
Phishing coverage falls into a gap between cyber liability insurance, which typically responds to breaches, and crime policies, which cover money stolen from businesses, said Michael S. Levine, a partner with Hunton Andrews Kurth LLP in Washington. One of the ways insurers are trying to bridge the gap is with social engineering endorsements, or coverages, he said.
The attacks also raise other questions that could cause coverage disputes.
“Phishing attacks are kind of a gateway, because it can cause many types of cyber losses and claims,” including data breaches, forensic costs, recovery notice costs, loss of reputation, ransomware and regulatory claims, said Gamelah Palagonia, vice president, cyber development and regulatory leader with Willis Towers Watson PLC in New York.
The social engineering provision under which HSB agreed to provide coverage “is just one aspect of it,” she said.
“The question is, what does phishing lead to and what happens next,” said Patricia Kocsondy, New York-based director of cyber risk for Beazley PLC, which offers sublimited coverage under cyber liability and crime policies. “There are a lot of nuances in coverage,” and not all insurance companies react uniformly to the same situation, she said.
Kevin Guillet, New York-based managing director and head of US crime product for Marsh LLC, said that while cyber insurers saw the need to add sub-limited coverage for phishing to their cyber policies, “essentially its home is in a crime policy.”
“There’s still a lot of variation in the market in terms of what’s available,” he said. If insurers “don’t like the answers to the questions they ask, you could get very little cover,” but they will be less strict if a company has good controls in place.
Some experts say the availability of phishing coverage is decreasing.
The decline reflects the overall tightening of the market over the past two years, said Brian T. Himmel, a partner at Reed Smith LLP in Pittsburgh. “Five years ago, it was much more common to see that coverage and have it readily available. Now you have to look for it and you’re probably going to have to negotiate for it.”
“It’s about asking the carrier what they’re going to provide” in terms of limits, Mr. Godes said.
“As with any insured loss, you need to look at all potentially applicable policies,” Levine said. Although there may only be limited amounts under social engineering endorsements, other coverages may apply.
Tamara D. Bruno, a partner with Pillsbury Winthrop Shaw Pittman LLP in Houston, said, “One way you can deal with social engineering sublimits is to see if you can negotiate with excess insurers to drop out and add additional coverage,” or see whether social engineering endorsements can be added to commercial crime coverage.