Insurance solutions for covering loss and liability stemming from cyber scams
Real estate transactions are a target for sophisticated fraud scams and when those frauds succeed, brokerages in turn are often potential targets for litigation. According to the findings in Cyber and Fidelity Insurance Report for Real Estate Brokers, a study commissioned by the National Association of REALTORS®, three different types of insurance coverages may be needed to protect the brokerage from these threats:
*Errors and omissions;
*Cyber insurance; and
There are various lines of coverage available in response to a fraud scheme. In the typical scheme, a party to the transaction receives fraudulent information from a fraudster impersonating another participant in the transaction such as the seller. The party may then provide the incorrect instruction to a third party, bank or lawyer, who uses the information to direct the payment to the fraudster’s banks account, which leads to a loss.
The real estate professional typically does not incur a loss themselves from the fraud scheme. However, they may be involved in the suit for the loss sustained. If it is found that the salesperson was negligent because the fraudster breached the brokerage’s computer network to gather intelligence about the transaction, an E&O policy should provide a defense to the salesperson and the brokerage. However, the lost funds will not be covered by the brokerage’s E&O insurance because the salesperson was not the party making the fund transfer.
Businesses are facing an endless stream of attempted and often successful deceptive funds transfers. Although most people instinctively consider these to be cyber losses, they have not to date been uniformly covered by most cyber insurance policies or crime policies.
There are at least seven potential scenarios for deceptive funds transfers, three of which fall under the special heading of “social engineering” due to the fraudster’s manipulation of unsuspecting humans into performing acts or divulging confidential information. The social engineering coverage that insurance companies are currently providing only covers a loss where the financial loss has been sustained by the entity making the payment based on the fraudulent information. Coverage for losses stemming from social engineering scenarios is currently a particular industry challenge.
Potential Coverage Solutions
*Each real estate professional should at a minimum have E&O insurance with either a cyber endorsement or a separate cyber policy, and a crime policy is recommended.
*Real estate professionals should make sure the coverage is tailored to their specific needs. For example, if the real estate professional is holding funds in a transaction, then crime coverage is needed.
*The most common way of getting social engineering covered is through adding an endorsement to a crime policy which is available through most major carriers.
The actual offer of coverage is determined at the carrier and agent level. All insurance programs and coverages should be discussed with an insurance professional.
> Download a complete copy of Cyber and Fidelity Insurance Report for Real Estate Brokers by Aon Risk Solutions for the National Association of REALTORS®.
The Deadly Seven
There are at least seven variations of potential scenarios for deceptive fund
1. The transfer is effected entirely by a hacker independently penetrating a computer system or a user's personal device like a smart phone, and making the transfer;
2. The hack and transfer are enabled by employee negligence;
3. The fraudster convinces an employee to reveal credentials, enters the network by using them, and then transfers funds;
4. The fraudster gets an employee to open an attachment or click on a link, thereby allowing the network to be penetrated, and allowing the transfer of funds;
5. The fraudster, through e-mails or telephone calls or both, posing as a company’s executives, vendors or customers, convinces an employee to transfer funds;
6. An employee enters data believed to be accurate, but which in fact is fraudulent; and
7. A rogue employee makes an improper transfer or enters fraudulent data.
Scenarios 3, 4, and 5 are variant methods of social engineering.