By: Ethan Powsner, Esq., VP of Technology and Market Development, Fidelity National Title Group.
Those of you who follow CertifID® and your respective title underwriters’ bulletins, as well as trade journals and the publications of the Michigan Land Title Association, are up-to-speed on the types of cyber frauds and their evolving nature. You and your staff members are, we hope, ever-vigilant when reviewing all communications relating to wire transfers, whether incoming or outgoing. What you may not be aware of are the changes in the nature of and types of coverage that exist within your own agency’s insurance policies – the policies you are relying on to protect you from the fallout from a cyber-fraud incident.
The purpose of this article is not to name names or criticize any particular E & O and Cyber insurance carrier. Rather, the purpose is to notify you of some important changes in coverages that have occurred in the past year or so. The coverages that you think you have and what you may now actually have could be very different.
As a result of incurring substantial losses, many cyber insurance carriers have exited the title agent marketplace and those remaining are either excluding or restricting/limiting coverage for email wire fraud losses. One cyber insurance carrier, with whom I am particularly acquainted with, has dropped inbound and outbound wire transfer coverage from its cyber liability policy. The cyber liability policy now limits itself to matters relating to data issues such as ransomware, NPI loss, customer notification/credit monitoring, and the like; this list is not exhaustive.
Does this carrier offer no coverage for inbound and outbound wires? Actually they do, but not in the cyber liability policy; instead, in the E & O policy. The wire protection coverage offered is bifurcated as follows: A) outbound wires have two different coverage limits based upon whether callback verification procedures were performed; and, B) inbound wires are not covered, per se, but there is a limited defense cost coverage contingent upon the title agent’s possession of a buyer acknowledgment form as well as callback verification. Again, this is meant to be a brief description and is not the actual policy language.
A different carrier offers social engineering fraud coverage to protect the Insured Entity’s funds that were misdirected due to fraudulent transfer instructions. However, a close reading of their coverage leaves a potential loophole as big as a barn door. The loophole is based on an interpretation of whether the title agent (the Insured Entity) “owns” the funds that were misdirected. Most of us in the title business would argue that the funds in our escrow accounts are never “our” funds, rather they are the property of the lender, buyer or seller. Thus, a plain reading of the social engineering fraud coverage makes it look like the coverage provision is inapplicable because the Insured Entity (the title agent) doesn’t own the funds.
The purpose of this brief article is to encourage you to take a slow and careful look at your cyber liability and your E & O insurance policies and discuss them with your insurance agent in light of the comments presented above.