Exclusively from Foa & Son
Several cases have been reported in the trade and general press in which insurance companies were able to successfully deny paying cyber fraud claims.
The stories were all fundamentally the same: a cyber fraudster would contact a person responsible for handling funds in an organization and induce them, through fraud and deceit, to transfer (often large) sums of money to a fraudulent destination. Because the instructions for the transfer came from an authorized person, the banks washed their hands and disclaimed responsibility; insurance claims were then filed under commercial crime policies.
We have always recommended that our clients buy a couple of inexpensive endorsements to their employee dishonesty policies, one for Computer Fraud, and the other for Funds Transfer Fraud. Details of the cases were not reported, but the insurance companies apparently argued that although the authorized user was indeed duped, since they were in fact authorized to make such transfers, there was no fraud involved in the actual transfer.
The missing step in all the reported cases was that the authorized individual who made the transfers never actually picked up the phone and talked to the higher-up who was purportedly requesting the transfer. A thirty-second conversation would have nipped the problem in the bud, but instead everything was done by email. Computer Fraud and Funds Transfer Fraud coverage remains an important part of your crime policy, and it’s too early to draw any conclusions from these few cases, but one lesson is clear: any organization needs to review its internal controls governing how money is sent or received, and make sure they are sound.