Does Your Insurance Cover Social Engineering Cybercrime Fraud?

I am re-posting this article from a news article that is emailed by Stu Sjouwerman, Founder and CEO of KnowBe4.  KnowBe4 is a Gartner’s Magic Quadrant Leader.

Learn more at the KnowBe4 Blog site:

Your Cybercrime Insurance Policy May Not Cover You for Social Engineering Fraud

I have talked about this potentially extremely expensive and very disappointing “CEO fraud” or “Business Email Compromise” problem several times before.

Your cybercrime policy may not include damage caused by sophisticated scams that “hack your humans” using social engineering tactics.

This is true worldwide, and last week another example came up in Canada where an article about a legal case appeared in Canadian Underwriter, asking insurance brokers to make sure that their customers were covered for social engineering fraud.

The insurer denied coverage for a 224,000 dollar claim because the end-users were duped by a social engineering scam. More details at the KnowBe4 blog, and a link to an extremely useful complimentary CEO Fraud Prevention Manual:

Proposed New Legislation: “Train Your Users or Go to Jail”?

OK, it may be hyperbole, but since 91% of data breaches are caused by successful spear phishing attacks, it’s not entirely crazy to say: “step your users through new-school security awareness training or go to jail…” when you read the following.

A new-but-old U.S. bill introduces prison time for execs who conceal data breaches, and it’s not the first time senators try to regulate breach disclosure.

This is the second time a bill like this has been introduced. Four senators, including Nelson, tried to push a previous version of this bill in 2014, during the Obama administration, but failed to get the support they needed.

The 2014 bill came shortly after the Target and Neiman Marcus breaches, and its main objective was to force companies to store data in a more secure manner and ensure all customers receive breach notifications in due time.

This new bill comes as a response to the recent Uber debacle, where the company paid 100,000 dollars as hush money to two hackers to keep quiet about a security incident that took place in late 2016. The company came clean about the breach a year later, after a change in management, revealing that hackers stole details for almost 57 million drivers and customers. More detail and links at the KnowBe4 Blog:

New CyberThreat Survey Confirms: Biggest Security Obstacle Is Low User Security Awareness

The CyberEdge Group is an award-winning research firm that serves information security vendors and service providers. They recently surveyed 1,100 qualified IT security decision makers & practitioners, all from organizations with more than 500 employees, representing 15 countries and 19 industries.

The 37-page report was sponsored by vendors like Symantec, HP, SecureWorks and Webroot and is excellent ammo for your IT security budget requests.

The Results Are Eye Opening

The percentage of respondents affected by successful attacks has risen the last three years from 62% in 2014, to 71% in 2015, to 76% in 2016, and to 79% in 2017 with no end in sight.

When asked about perceptions and concerns, here are the top problems:

  • Employees still the weak link: Low security awareness among employees continues to be the greatest inhibitor to defending against cyberthreats, followed closely by a shortage of skilled personnel and too much data for IT security teams to analyze (page 17).


  • Threats keeping us up at night: Malware, phishing, and insider threats give IT security the most headaches (page 13).


  • Ransomware’s bite out of the budget. Six in 10 respondents said their organization was affected by ransomware in 2016, with a full third electing to pay the ransom to get their data back (page 14).


  • Ransomware’s biggest nightmare. The potential for data loss is the greatest concern stemming from ransomware, while the potential for revenue loss trails the field (page 15).


  • Microsoft leaving the door open? With two-thirds of respondents not fully satisfied with Microsoft’s security measures for Office 365, the door remains open for third-party security solutions (page 16).

When asked to assess on a scale of 1 to 5, the adequacy of their organization’s capabilities (people and processes) they scored “User security awareness / education” third from the bottom.

The report observed: “Far less surprising is the appearance of user education/ awareness and secure application development/testing at the bottom of the rankings. The former is consistent with the later finding of users being the greatest inhibitor to achieving effective defenses.

Their comments on this topic could have come straight from my mouth:

“Once again, respondents cited users as the greatest obstacle to their organization’s establishing effective defenses, as “low security awareness among employees” topped the chart for a remarkable fourth consecutive year.

“Ahem… enterprise security teams, can you hear us?” Given the consistency of this finding, don’t you think it makes sense to try investing a bit more in all of those human firewalls at your disposal? Call us crazy, but armed with the proper knowledge, we think they could easily flip the script, and go from being your biggest security burden to your biggest security asset.”


Please visit the KnowBe4 website, sign up for training and read knowledge articles to be the most knowledgeable person in your organization with the latest cyber prevention tactics.

Kind Regards,

Richard Lucky Quatier
CEO, QuixTec, LLC