How ACME Co. Survived their First Cyber-Attack Part III

Week 3: What do you mean, “my claim is denied?”

This is Week 3 of Cybersecurity Awareness Month 2022. We’re following ACME Co., a fictitious small business that lost $50,000 as a victim of fraud. As part of their recovery efforts, ACME submitted a cyber claim to their insurance provider.

IT’s Gone, Gone

A few weeks ago, ACME Co. was hit with a redirection of funds fraud and lost $50,000. Fred, the company’s finance guy, received a spoof email pretending to be from the owner, Joanna. The spoof directed Fred to wire the money to the bad guy’s account. Since Joanna was on vacation, he sent the money. It wasn’t until the following Monday that the two realized that something was amiss. Mark, ACME’s IT person, figured out that an email security setting wasn’t properly configured. This is what allowed the spoof email to come through.

The team contacted their bank’s fraud department as soon as they realized that fraud had occurred. To their dismay, the money was gone. As soon as it cleared the account, the money had been wired to another bank account... located in a foreign country.

Joanna had also contacted the company’s outside counsel, who was delighted to learn that an actual breach had not occurred. That no data was lost cleared up several concerns about privacy and notification requirements. The attorneys suggested contacting law enforcement to file a police report. A police report would be needed for the cyber insurance claim.

Joanna and her team first contacted the FBI, since their bank indicated the money had gone overseas. Unfortunately, the feds would not open a case on such a small amount of money – not because they didn’t want to, but because it would not be pursued by the US Attorney in their district. Local law enforcement did allow ACME to file a police report for the fraud, but the locals did not have the resources to pursue criminals overseas. This left Joanna with one option: ACME’s cyber insurance policy.

Cyber Coverage

I’ve been suspicious of cyber insurance since it took hold as an industry in the early 2000s. If your business has had a policy that long, you know the initial requirements for a cyber policy were minimal. A one-page questionnaire with a handful of questions answered in the affirmative? Great, someone will underwrite your cyber coverage of a million bucks. It’s no surprise that some insurance companies went under after multi-million-dollar breach recovery claims started coming in. The insurers who better understood the risk developed their products – and processes – accordingly. The most recent cyber insurance application I helped complete had a questionnaire over a dozen pages long and required the applicant to submit their business continuity plan. Don’t have multifactor authentication enabled? Then, no, you won’t get the coverage. My consulting company has started fielding calls from potential clients who have been pressed by their insurance companies to up their cybersecurity game so as to qualify for their pending renewal. As a security practitioner, it feels like vindication that another industry is backing up what we’ve been saying for so long. (So, thanks, insurance folks.)

Denied

Joanna had contacted ACME’s insurance broker early in the incident handling process, but she had not followed up directly since then. She did acquire the needed forms to submit a claim against the cyber policy. After their work with the bank, lawyers, and law enforcement seemed to generate no positive results, Joanna felt like the claim was the last line of defense against the fraud her company suffered.

What Joanna didn’t realize is that she made one mistake in dealing with her insurance company: she had not followed up with her broker after the incident was understood to be caused by a spoofed email. This seemed like a minor oversight to Joanna and her team, as her company still lost the money due to a fraudulent email.

To everyone’s surprise, the claim was denied! This was another wave of victimization against Joanna and her company! Once again, she had thoughts of denial, felt anger at the situation, and started crafting her response to the insurance company that had happily cashed her premium checks for so many years.

Having Good Insurance

When my wife and I moved back to Tennessee, we had an issue with our new home. Knowing we had opted for the “homebuyer’s warranty” and performed the inspection and testing required for the policy, we submitted the claim to the insurance company. An infuriating conversation took place about our claim. I distinctly recall the words, “we are choosing not to participate in your claim at this time.” I suppose that was their alternative to “your claim is denied.” I wonder if they know that, seventeen years later, I’m still fuming over their sham insurance product.

The Good News

The insurance broker called Joanna shortly after she received the denial notice. “Hey Joanna,” the broker said, “I’m calling to explain what’s going on with your claim.” The broker informed Joanna that what happened to ACME was not covered by the cyber policy. The good news is that it was covered by another area of business insurance: the crime policy. ACME had not suffered a cyber attack. ACME had been a victim of social engineering, which is when someone is tricked – not hacked – into becoming a victim. The solution was simple: submit the same supporting documentation along with a different request form. The insurance company would cover the loss... minus the deductible, of course.

Join Us Next Week

The team at ACME Co. were victims of fraud, but their insurance company is coming through. Join us next week to see what ACME could have done to avoid being a victim.

Disclaimer: This story is 100% fictional and does not represent any person or company in any way. Insurance companies and their products differ, so experiences may vary. The above scenario, again, is totally fictional.