One type of attack, known as a ‘man-in-the-middle’, targets companies which regularly make or instruct large money transfers. It’s an area of vulnerability for brokers. The risk is exacerbated by the fact that many firms might believe they are adequately insured, but could learn, when it comes to the crunch, that third-party losses from a man-in-the-middle attack are not covered under their Professional Indemnity policy. 

Such attacks are cunningly sophisticated. In one form, hackers gain access to the victim company’s systems, usually through an act of social engineering which successfully encourages an employee to reveal their login details (maybe with a phishing e-mail). They then implant malware which identifies and intercepts e-mails related to a bank transfer. When one is found, a new, bogus email is despatched which gives the recipient a new set of bank details. Worryingly, once the malware is implanted it can operate without further action by the thieves. They simply wait for the cash to roll in. 

Here’s the challenge, increasingly more professional indemnity insurers are now looking to exclude losses arising from social engineering, on top of the usual IUA Cyber Exclusion Clause. It does not matter who fell for the hackers’ con. It could have been the insured’s broker, a loss adjuster, or anyone else involved in paying claims. New and renewing PI policies increasingly refuse to cover any loss facilitated by social engineering, and we’ve noted specific exclusions applied to clients in the insurance business. 

Underwriters are being extra cautious due to their concern about granting ‘Silent Social’ engineering cover. The breadth afforded by a Civil Liability wording extends to cover the Broker’s fiduciary duty of looking after client money. Any depletion of these client funds, arising from a social engineering attack would therefore currently be covered by the broker’s PI policy.  The market has realised this, prompting insures to begin to err on the side of caution, and exclude Silent Social.

This new trend towards exclusion does not mean PI coverage for cyber losses involving an act of social engineering is unavailable, or even difficult to acquire. It simply underlines the need for all professionals, including insurance advisors, to put stand-alone cyber coverage into place. Without doubt, brokers would be on the hook for monies lost through man-in-the-middle hacks, since it lies within their duty of care to ensure monies are paid to the correct recipients’ accounts. 

Losses can be sudden and substantial, so must be covered. Most non-cyber losses arising from a payments-related transgression or error would be covered under a PI policy, but the new Social engineering exclusions mean the client costs of a man-in-the-middle attack could be excluded. At the very least, clients should expect a potentially arduous battle with carriers over arcane details such proximate causes and the infiltration of systems.

Our advice is to buy cyber insurance as well as ensuring your PI insurance is fit for purpose. A comprehensive cyber policy will cover social engineering, as well as many other potential causes of IT-related loss and grief, including ransomware attacks like those recently suffered by CNA and Colonial Pipeline, data breaches, and other serious risks. Get the broadest cover under both policies. In the event of a claim, double coverage is a better problem to have than none at all. 

Finally, we strongly advise that the whole job is done by the same professional brokers, so no coverage gaps slip through. If you would like to assess the coverage you have in place, and what gaps may come back to cost you, I would be happy to talk it through with you.