Cyber insurance is still a relatively new product. Like many new products, it is being sold faster than it is being fully understood. Nowhere is that more evident than in the growing disputes over so-called “social engineering coverage.” As I discussed in yesterday’s post, The Illusion of Cyber Coverage: How a Court Narrowed Social Engineering Insurance, a recent Mississippi decision involving Spinnaker Insurance Company should put every commercial policyholder on notice that not all cyber insurance is created equal. 1
As indicated in an insurance industry article, Cyber Insurance Explained: Social Engineering Attacks and Cyber Crime, the insurance industry knows exactly what social engineering fraud is. It is not hacking, malware, or a breach of a computer system. It is deception. Someone poses as a trusted person, such as a vendor, an executive, or a client, and tricks an employee into sending money. The loss occurs because a human being is misled, not because a system is compromised.
Leading carriers like Chubb say this plainly in their advertising materials. They explain that their coverage applies to vendor impersonation, executive impersonation, and client impersonation. In other words, if someone pretends to be your client and convinces your employee to wire money, that is exactly the kind of loss the coverage is supposed to address. Chubb even goes further, acknowledging that these schemes often involve voluntary transfers of money, carving back the traditional exclusions that would otherwise bar coverage. That is what the insurance sales industry often tells commercial buyers they are getting.
The truth is, there are very different types of social engineering coverage in the marketplace. One is drafted broadly, designed to respond to the real-world risk of impersonation fraud. The other, while sold the same way, is drafted narrowly, filled with technical requirements about how the fraud must occur, who must be impersonated, and how instructions must be transmitted. They are sold under the same label but are clearly not the same insurance product.
The Spinnaker case exposes this divide. There, a law firm was tricked by an imposter posing as a client. The firm received what appeared to be a legitimate check, confirmed that it had cleared, and then wired funds out. It then learned the entire transaction was fraudulent. If you read Chubb’s description of social engineering coverage, this scenario fits like a glove. It is client impersonation, reliance, and a transfer of funds induced by deception.
Spinnaker and its attorneys took a very different position. 2 They argued, and the court accepted, that there was no coverage because there was no real client relationship. In essence, the argument was that because the “client” was fake, the loss did not fall within the policy’s definition of a covered event. That reasoning turns the concept of social engineering on its head. Social engineering fraud always involves fake relationships. That is the entire point of the scheme and why this insurance is needed.
The lesson is that the gap between what is sold and what is delivered can be dangerous. The marketing message says that impersonation fraud is covered. The policy language, at least in narrower forms, often says something very different. It says the fraud must occur in a particular way, through a particular communication channel, involving a particular type of relationship. If those boxes are not checked, the claim may be denied even if the insured suffered exactly the kind of loss the coverage was marketed to address.
The most troubling aspect of the Spinnaker decision is how easily the concept of “client impersonation” was dismissed. If a fraudster can avoid being an “impersonator” simply by engaging a firm under a false identity, then the coverage becomes illusory. A fake person does not become real simply because a contract was signed. Treating that fabricated identity as a legitimate client is not just strained reasoning; it undermines the very purpose for which the coverage was purchased.
There is also a broader, unspoken reality in the insurance marketplace. Carriers that draft broader forms, like Chubb and other higher-quality insurers, tend to charge more and accept greater risk. Carriers offering narrower forms often compete on price. They limit exposure through definitions and conditions that are difficult for policyholders to fully appreciate until a claim is made. The result is a cheap insurance product that looks similar on the surface but performs very differently when tested.
Cheap cyber insurance can be the most expensive insurance a business ever buys. Coverage that does not respond when a loss occurs is not a bargain. It is a liability. It creates a false sense of security, which may be worse than having no coverage at all.
Commercial policyholders and their Chief Financial Officers, who often request this coverage, need to start asking better questions. What exactly is covered? Is “social engineering” broadly defined as discussed in the article above? Does the policy cover client impersonation in real-world scenarios or only in narrowly defined circumstances? Does it require email-only instructions? Does it carve back the voluntary parting exclusion? Are there better forms of coverage available? What training and performance requirements are there? What is the claims payment reputation of the insurer? These are not academic questions. They are the difference between a paid claim and a denied one.
Cyber insurance is very important in this age of increasing internet scams. It is not a commodity product. It is a highly specialized product with significant variation in coverage. If the policy wording does not align with the actual risk, it is not cyber insurance in any meaningful sense.
Thought For The Day
“Price is what you pay. Value is what you get.”
Warren Buffett
1 Gore, Kilpatrick & Dambrino, LLC v. Spinnaker Ins. Co., No. 4:25-cv-00107 (N.D. Miss. March 31, 2026).
2 Gore, Kilpatrick & Dambrino v. Spinnaker Ins. Co., 4:25-cv-00107 [Doc. # 1-9: Coverage denial letter from Defense counsel to Plaintiff/Insured] (N.D. Miss.).