Cybersecurity Insurance – Are you covered? Part 3

In this series, we are looking at the built-in Cybersecurity Insurance traps for your business – no matter the size. Business Insurance Cybersecurity Riders aren’t the same as full Cybersecurity Insurance, but they are a good starting point to up your security game.
Ben Yarbrough from Calyptix, one of our partner companies, has posted an excellent article on ChannelPro Network for MSPs (like daviestrek) to evaluate their security stance and posture with clients to make sure the client AND the MSP are covered in the event of a disaster. “Cyber Insurance Litigation: 3 Pitfalls Every MSP Needs to Understand” is a great article with a number of points worth taking a second look at.

Trap #2: Social Engineering Fraud ≠ Funds Transfer Fraud
“Few cyber insurance issues generate more litigation than business email compromise and payment fraud. Insurers intentionally separate these losses into distinct coverage categories with different triggers, limits, and exclusions.
- Funds transfer fraud coverage typically requires unauthorized system access that directly causes a fraudulent transfer.
- Social engineering fraud applies when an authorized employee initiates a payment in good-faith reliance on fraudulent instructions. Typically, it’s subject to much lower sublimits and stricter conditions.
For MSPs, this distinction matters. Employee-initiated payments triggered by phishing frequently fall outside broader fraud coverage. Clients often assume “fraud is fraud.” Courts do not agree.
In Abraham Linc Corp. v. Spinnaker Insurance Co., hackers compromised a vendor’s email account and induced employees to authorize fraudulent ACH transfers. The insured sought recovery under a $2 million computer and funds transfer fraud endorsement.
Because authorized employees initiated the payments acting in good faith, the court found the loss fell under the social engineering endorsement, capped at $100,000. Courts generally maintain this structure and refuse to recharacterize employee-authorized payments to access higher coverage limits.
Payee-side Social Engineering: A Hidden Risk
MSPs should also recognize that social engineering risk exists not only as the payor, but also as the payee. Losses arise when an insured’s customer is tricked into paying the wrong party, leading to lost revenue, contractual disputes, and coverage litigation, even though no funds ever leave the insured’s account.
MSPs should urge clients to establish clear, documented procedures for both sending and receiving payments, including out-of-band verification for changes to banking instructions. Courts routinely examine whether payment change controls were in place. When they are not, coverage disputes and insurer subrogation claims often follow.”
Key Takeaway on Trap #2:
You assume “fraud is fraud.” It is NOT, and the distinction is important – especially when dealing with insurance companies and their legal counsel. There are multiple fronts you need to consider when protecting your business, your home, or even your own ID. Protection isn’t free, and sometimes it has to be strategically deployed over time to fit into your budget. Work with us and we can assist you in setting up that strategy.
