Nikki Johnson No Comments

Insuring Your Intellectual Property

As intellectual property becomes a vital part of more firms’ assets, businesses must consider the additional exposures they face. There are several types of intellectual property protected under federal law: trademarks, copyrights, patents, trade dress and trade secrets. To help protect your business, there are two types of intellectual property coverage available: the first protects a company sued for infringement by paying for legal defense, and the second helps pay the legal expenses of suing an alleged infringer.

If your company could be sued by a competitor for infringement or intellectual property theft, or you do not have the funds to cover legal fees associated with defending your patent or trademark, it is vital that you purchase coverage. Defending infringement litigation can cost hundreds of thousands of dollars, not including the cost of damages and prejudgment interest. In patent infringement cases, attorney’s fees can easily top $1 million.

Budgeting and planning for the protection of intellectual property rights may not only save your company a significant amount of capital; it may also help keep your business viable when legal bills accumulate rapidly. There are several options to cover these exposures: the “advertising injury” provision in the standard Commercial General Liability policy, endorsements to Errors and Omissions policies and specialized policies offered by certain insurers specifically designed for the protection of intellectual property rights.   

Commercial General Liability Policy – Advertising Injury

The Commercial General Liability Policy, or CGL, is a standard liability policy offering broad coverage. Coverage for an advertising injury often falls under Coverage B in a CGL. Any act by the insured that somehow violates or infringes on the rights of others (referred to in the policy as an offence) is the subject of personal and advertising injury liability coverage, although only those acts that are specifically listed in the policy are covered. The coverage under the “advertising injury” provision is limited to those injuries that are directly related to the advertisement. Therefore, the policy covers debts owed by the insured party due to claims filed against it.

Coverage B policyholders are sometimes covered in cases relating to trademark infringement; however, copyright claims are only successful where they are directly related to advertising, and patent claims are rarely covered under the “advertising injury” provision. The cases which allow for coverage in a patent infringement case are generally limited to instances in which a court finds contributory infringement or inducement to infringe through an advertising medium. Since the “advertising injury” provision in a standard CGL is rather limited, many businesses consider additional coverage.

Special Endorsements and Policies

Beyond the CGL, specialized policies can be better suited to a business’s unique exposures. These are Errors and Omissions liability policy endorsements that can vary in focus from media and communications to patent infringement. Note that these policies have not been the subject of much litigation, and therefore, judicial guidance on coverage determinations is comparatively limited. It is important to consider multiple carriers, since available coverage varies widely from carrier to carrier.

Infringement Defence and Abatement Insurance

A third option relates primarily to patents, though riders for copyrights and trademarks may be available. Carriers have developed policies specific to intellectual property, generally with patents in mind. In relation to patents, there are three basic policy types: defense and indemnity, defense only, and offensive (or infringement abatement) insurance.

A defense and indemnity policy provides defense coverage in a patent infringement suit and, if the party in question is found liable, pays for damages, including prejudgment interest. A defense only policy, much like it sounds, covers only the cost of defense and does not cover damages awarded to the successful party. In addition, an offensive policy covers only the costs of pursuing an infringer. Certain carriers will amend some of the above-mentioned policies to include endorsements for trademark and copyright infringement for an additional premium.

Exclusions to Coverage

In addition to special exclusions, there is a general exclusion to the CGL stating that there is no coverage “for an offence committed by an insured whose business is advertising, broadcasting, publishing or telecasting.” With the increase in claims, many carriers are drafting exclusions that specifically omit coverage for copyrights that fall outside of infringement of copyrighted advertising materials, patents, trademarks and the like.

It is important to be aware of the exclusions to any policy that you purchase. The most common exclusions specified in intellectual property policies are for willful infringement, anti-trust violations, infringement existing or known on the effective date of the policy and criminal acts.

Asserting Coverage

To maximize coverage, there are a number of steps that your company should follow. Failure to investigate the existence of coverage in a timely manner can absolve a carrier of liability and create grounds for a malpractice case against the intellectual property legal counsel. While courts have held outside intellectual property counsel liable for failure to pursue coverage determinations, companies should still proactively recognize and review the potential for insurance coverage for protection of their intellectual property assets.

  1. If a claim has been asserted against your company, you have a duty to notify your carrier. In fact, notifying your carrier immediately is in your best interest because a delay could be grounds for denying coverage. In the case where a formal complaint has been served on the company, the following six steps are recommended.
  2. The policy or policies should be analyzed by counsel to determine under which policies the claim may be covered. In this step, the complaint should be closely examined for types of issues raised and should be compared to the relevant policy clauses.
  3. The company should promptly tender defense to the carrier. In the tender, all policies that may provide coverage should be identified, including the specific clauses.
  4. Demand a prompt response to the tender. If a sufficient extension of the time to answer is not granted, it is possible that a response to the complaint will be due prior to the issue of coverage being resolved. If that is the case, then defense counsel should be retained until the issue of coverage is determined.
  5. Review the carrier’s response to the company’s tender. The carrier may accept defense; it may defend under a reservation of rights; the carrier or the policyholder may seek a declaratory judgment for a coverage determination; or it can reject tender.
  6. If there is a conflict in the interests of the carrier and the policyholder, the policyholder should insist on the right to control the litigation and should further insist upon independent counsel.
  7. Be diligent about which documents are shared with the carrier, especially in cases where the carrier has reserved its rights to deny coverage. While the policyholder has a duty to cooperate with the carrier, in a case where a reservation of rights to deny coverage has been tendered, the production of certain documents to the carrier could result in the waiver of the attorney-client privilege as to the subject matter of the produced documents.

Comparing Policies

Insuring your company’s intangible assets and its liability is a vital part of risk management. Insurance for both infringement of intellectual property and for an assertion of infringement against your company can provide financial security and peace of mind.

Reith & Associates will compare your desired coverage to the specifically named offences in policies based upon enumerated risks and will examine any exclusions that may weaken the coverage you seek. We are skilled at identifying the perils associated with intellectual property and high-technology companies, and we can assist you in selecting the right policy. Let us help you protect your most precious assets. Contact us today to ensure that the coverage you buy meets your needs in today’s marketplace.

Dan Reith, Principal Broker

Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com
Dan Reith BA(Hons) CAIB

Penetration Testing & Minimizing Cyber Attacks

Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others.

Generally speaking, penetration testing is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that an aggrieved employee could potentially inflict through a cyberattack. 

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.

Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses—as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      • What is my organization looking to gain or better understand from penetration testing?
      • Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      • What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      • The general testing timeframe
      • Who will be made aware of the test
      • The test type and format
      • Which regulatory requirements (if any) must be satisfied through the test
      • The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

For more risk management guidance and insurance solutions, contact us today.

Dan Reith, Principal Broker

Dan Reith

Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com
Dan Reith BA(Hons) CAIB

Liabilities of Non-Profit Board of Directors

Non-profit organizations provide essential social services that benefit communities and their members. The vast majority of these organizations cannot survive without a volunteer board of directors assigned to elect officers, adopt policies and make major financial decisions for the organization. Although members of the board are volunteers, there is a certain amount of risk involved in holding one of these positions. Specifically, even when acting in good faith, board members are subject to personal liability, which may affect their personal financial status because of their management decisions. The role of a volunteer board member does come with certain legal responsibilities and certain legal ramifications when things do not go right. 

It is imperative that your organization and board of directors understand the risks involved with their responsibilities as board members and the ways in which they can protect themselves from personal liability.  Every community organization has a duty to educate prospective and sitting board members on their legal duties and obligations on an annual basis.  That said, ignorance is not a defence at law and where the organization fails to provide information it is ultimately the personal responsibility of each board member to educate themselves before accepting a volunteer board position and/or continuing to serve on a board.  Having one’s name on the letterhead does bring real ramifications.  

Risks and Responsibilities

To reduce the chance of board members incurring personal liability, non-profit organizations should assess the risks involved with holding these positions. Your organization should first develop a volunteer risk management committee to identify all risks and pose solutions to minimize potential harm. In addition, you need to ensure that the board members understand their governance responsibilities. Your non-profit should educate its board on their legal duties, fiduciary duties and decision-making roles. Furthermore, the risk committee should ensure the following:

  • The organization is working within its stated mission.
  • Funds are spent according to the mission and spending decisions are known to donors. The organization does not accept donations with conditions.
  • Individuals advancing personal agendas counter to the organization’s mission are not allowed to sit on the board.

Once the risks are assessed and the board of directors is aware of those risks, board members must also understand the responsibilities associated with the positions they hold. Legally, board members have three main duties:

  1. Duty of Care: The individual should act in the way that a reasonable person would act in a similar position and under similar circumstances. Acting in good faith is an essential part of the functions of the board.
  2. Duty of Loyalty: The individual should place the organization’s financial interests as the primary responsibility. As a board member, one should not use his or her position for personal gain, financially or otherwise. In addition, individuals should be honest about business ventures that pose a conflict of interest when acting as a representative of the organization.
  3. Duty of Obedience: The individual should try to further the mission of the non-profit by supporting board decisions and implementing policies as they are outlined.

Board members who fail to fulfill their duties as outlined above may be held liable for their actions or inactions.

Protections

Since there are risks involved with being part of a non-profit board of directors, there are several protections available to minimize personal liability. First, most non-profit organizations have indemnification provisions in their bylaws. These provisions explain that the organization will cover or reimburse the legal expenses accrued by board members in the event of a lawsuit. However, it should be noted that indemnification is only as good as an organization’s financial ability to pay it. If an organization does not have excess funds, it may not be able to support this provision.

Incorporated organizations are required by law to indemnify their directors for such losses. There is no such obligation imposed upon unincorporated groups, but most groups do offer indemnities because it is a good policy to do so.

Finally, non-profit organizations should purchase directors and officers (D&O) liability insurance to cover their board members in situations that fall outside of the indemnification provisions or in the event that their financial situation does not allow them to cover extensive legal expenses.

Beyond providing financial backing for the indemnification provision, D&O liability insurance is essential since most individuals will not volunteer on a board with the knowledge that they are risking their personal assets in the event of litigation. Further, D&O can include coverage to protect board members from claims made against them for hiring/termination decisions, failure to make statutory remittances and costs of investigations. The potential for personal loss is real!

More Information

Proper insurance coverage and other risk management strategies can help ensure that your organization and its board of directors are protected against liability. For more information about appropriate insurance coverage, contact Reith & Associates Insurance and Financial Services Limited at 519.631.3862 today.

Dan Reith, Principal Broker

Dan Reith

Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/
https://www.linkedin.com/in/dan-reith-ba-hons-caib-b7a11b20/

DATA BREACH: A Concern for Directors & Officers of ANY Entity

A data breach can be a devastating event, affecting a company or not-for-profit financially and damaging its reputation. As a director or officer, you face litigation risks based on the decisions made following a breach and on how you influenced cyber security policies, as these are often considered board-level issues. This is true for directors and officers of small/medium incorporated enterprises (where the directors, officers and owners/shareholders are typically the same) and for volunteer directors and officers of not-for-profit groups as well.

If a suit is filed against you after a data breach occurs, based on your position as a board member, you will not be protected by your commercial general liability policy or your cyber liability policy. Your best source of protection is from your directors and officers (D&O) policy, as long as your policy is tailored to include protection after a data breach. Sadly, the majority of privately owned small/medium businesses in Canada do NOT make D&O cover part of their insurance program, either due to naïve skepticism or concern over additional cost.

DATA BREACH THREATS

The biggest threat from a data breach is loss of information, whether it is information regarding your company’s finances or the personal identification information of your employees and customers, such as Social Insurance numbers, banking and/or credit card information.

Losing sensitive information belonging to your employees/customers or company can have a devastating effect on your reputation. If the credit card information of your customers is stolen, your customers would need to cancel their cards and get new ones—an inconvenient process and one that can damage your company’s image in the eyes of customers.

DATA BREACH RESPONSE

Following a data breach, you may be legally required to notify certain people about it. For example, if your company is publicly traded, guidelines say you must report cyber security incidents to stockholders. The cost of notification after a breach is generally covered by a cyber liability policy; and, depending on the number of people you need to notify, the cost can be quite high.

Notification should be taken very seriously, as the way a company responds to a data breach can lead to exposure and legal action beyond lawsuits from customers—the company could be subject to regulatory action.

DATA BREACHES AND D&O COVERAGE

Insufficient cyber security that leaves your company vulnerable to a data breach can be seen by your customers or shareholders as negligence or a breach of duty. Your customers and shareholders may seek to hold you responsible for the damage, as the board is responsible for making decisions on behalf of the company. Because of this, you need protection in the form of a D&O policy.

In past legal cases following a data breach, directors and officers have been accused of:

  • Failing to take reasonable steps to protect customers’ personal and financial information
  • Failing to implement controls to detect and prevent a data breach
  • Failing to report a breach in a timely manner

A cyber liability policy would not offer the legal protection needed by directors and officers after a data breach, whereas a D&O policy can.

A D&O policy provides coverage for a “wrongful act,” such as an actual or alleged error, omission, misleading statement, act of neglect or breach of duty.

CYBER SECURITY IS VITAL

A company’s directors and officers are expected to be involved in and knowledgeable about the company’s cyber security. It’s rapidly becoming a vital aspect of responsible business management and customer service.

The following are some techniques to improve the cyber security of your company:

  • Install a firewall—Companies with five or more computers should consider buying a network firewall to protect the network from being hacked.
  • Install security software—Anti-virus, anti-malware and anti-spyware should be installed on every computer in the network. All software should be up-to-date.
  • Encrypt data—All data, whether stored on a tablet, flash drive or laptop, should be encrypted.
  • Use a virtual private network (VPN)—A VPN allows employees to connect to the company’s network remotely without the need of a remote-access server. VPNs use advanced encryption and authentication protocols, providing a high level of security for your network.
  • Develop a data breach plan—Have a plan in place so when, not if, you experience a data breach, you can act quickly and minimize your loss.

DATA BREACH RISKS WITHOUT D&O INSURANCE

After a data breach, claims from shareholders and customers will most likely be made. Since you can be held personally responsible for the acts of the company as a board member, your plans and decisions need to be protected.

Without D&O coverage, your personal assets are at stake and could be forfeited to cover legal costs. You can protect yourself with a D&O insurance policy. Talk to your insurer about this type of coverage and be sure your policy is tailored to cover any gaps. Note that not all D&O policies are the same. It is important to look at the policy coverage and not the price when making a choice. D&O is also a specialized form of insurance, and not all insurance providers are well versed in the coverage and/or the nuance of policy wordings. It is important that you select an insurance provider that is educated and knowledgeable about D&O and is able to provide choice and not just a one-size-fits-all policy. Selecting the wrong provider and the wrong policy that fails to respond to the breach is also something regulators, shareholders, customers and employees could sue you for.

Dan Reith, Principal Broker

Dan Reith

Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/
https://www.linkedin.com/in/dan-reith-ba-hons-caib-b7a11b20/

Liability Exposures in a Rough Economy

An economic downturn can be a turbulent time for businesses in every sector worldwide. Sinking revenues and economic uncertainty can exacerbate our already litigious society, and even companies that successfully weather economic downturns relatively unscathed can still face long-term uninsured risks. For this reason, Reith & Associates Insurance and Financial Services Limited has compiled these tips to effectively manage your company’s exposures as it adapts to the current business climate and moves into the next economic cycle.

Supply Chain Dependency

It’s no secret that in times of economic downturn, cutting costs is a necessity. However, it is important to remember that the financial security of your business can hinge on that of your partners, vendors and suppliers.

In a tough economic climate, do not rely on the insurance coverage of your business partners to protect your assets or prevent third-party liability claims. Any member of the supply chain can be held responsible for its counterparts’ torts. A distributor, for example, may be liable for a claim filed against its manufacturer when it goes out of business.

Therefore, in order to protect your company, it is a wise long-term investment to expand your coverage limits. While it may be tempting to cut costs by limiting coverage, this decision could expose you to severe liabilities due to your supplier’s shortcomings. If you currently deal with foreign manufacturers or if you’re considering outsourcing for the first time, talk to Reith & Associates Insurance and Financial Services Limited about covering the associated risks.

Rely on Solid Contracts

In times of economic change, it is more important than ever to ensure your protection with thorough, seamless contracts. They should clearly outline both parties’ obligations and discuss dispute resolution policies to avoid messy and expensive disagreements. An indemnity term can be included in contracts with foreign suppliers in which the supplier consents to the jurisdiction of Canadian courts and indemnifies its sellers here in the event of a claim involving one of its products. Remember, however, that this contractual indemnity is only as valuable as the manufacturer’s ability to pay.

It is essential that you effectively manage your company’s exposures as it adapts to the current business climate and moves into the next economic cycle.

It is never a good business decision to sign a contract hastily, so be sure to explore all the risks and legal ramifications, especially in difficult economic times. Small companies that partner with larger companies are often strong-armed into making decisions with which they are not completely comfortable.

Changing to Survive

For many businesses, change is an intelligent way of reacting to an economic crisis. It allows you to explore new customer bases and offer additional products or services. While expanding in either of these ways can revolutionize your business and keep you afloat in tough times, it could also expose you to additional liability you have not dealt with before.

When you begin to step into new lines of products or services, you will inevitably face a learning curve, which puts you at a larger risk of facing product liability claims. You may want to consider purchasing additional lines of coverage to protect yourself, as your surplus lines insurance policy may only cover claims arising from one particular product.

Shifting or expanding your customer base may also open you up to class action lawsuits. New markets may react differently to product failure. Thus, it is vital to be covered for potential liabilities resulting from a change in your business. Contact Reith & Associates Insurance and Financial Services Limited today to assess exposures that could be associated with your business plan.

Dan Reith, Principal Broker

Dan Reith

Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/

Nikki Johnson

Social Engineering & Fraud Insurance Coverage

Social Engineering Fraud

Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the hacker. Once the criminals obtain what they want, they disappear with the information or money—things that the company won’t miss until it’s too late.

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover them:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the unlawful theft of money due to a “computer violation”—that is, the unauthorized entry into or deletion of data from a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. Again, it depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow. To learn more about SEF, we have resources available for you. Ask about our “Risk Insights: The Fake President Fraud.”

To discuss your coverage and learn what options are available to you, contact your insurance provider today!

Dan Reith, Principal Broker

Dan Reith
Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/