Whether cyber insurance protects you from the prevailing scam affecting real estate companies today—social engineering—might depend on which state’s law governs your policy. It doesn’t have to be that way.
In the typical social-engineering scam, a hacker gains access to a stream of emails, normally through phishing (the use of fraudulent emails or messages that trick an authorized user into revealing his password). The hacker then sends messages that appear to be from a known source, directing the recipient to transfer funds to an offshore account the hacker has access to. By the time the fraud is discovered, the money is long gone. This is often called a business email compromise (BEC) scheme. BEC attacks are particularly prevalent against companies that regularly wire money–like many real estate entities do.
Phishing emails are often imaginatively deceptive. For example, one scammer changed a known, safe email address from the domain of yifeng-mould.com to yifeng-rnould.com, an alteration that even the most vigilant observer might miss. (A cheap way to reduce the risk of falling prey to that tactic is to avoid using the reply button; instead, use forward and then have the address auto-populate from your existing email contacts.)
Coverage for cyber policies often resolves around the question of how “directly related” the use of a computer was to the insured’s loss. The answer can depend on state law. For example, in one case, Medidata Solutions, Inc., v. Federal Insurance Company, a federal court in New York found that, under that state’s law, a company’s loss of money in response to a social-engineering scam was directly related to the use of the company’s computers and was therefore covered under the business’s cyber policy. But a federal court in Michigan, applying that state’s laws in a similar scenario, came to the opposite conclusion. Both decisions are currently on appeal.
The best approach is to read your proposed coverage carefully and ensure that it applies to social-engineering traps. Specifically ask your broker about the matter and then pinpoint the relevant language in the policy. If there is any ambiguity about the coverage, get the advice of a coverage lawyer.