Cyber Insurance Explained
Social Engineering and BEC Cover: The Endorsement Most Policies Leave Out
When fraudsters convince one of your staff to wire money to the wrong account, the question that decides whether you recover the loss is narrow and unforgiving: did your cyber policy carry a named social engineering endorsement, and did your team follow the verification controls written into it? If the answer to either part is no, the claim usually fails, even on a multi-million-pound policy.
This is the single most misunderstood part of cyber cover in the UK. Most buyers assume a large headline limit sits behind a business email compromise loss at full value. It almost never does. Social engineering and BEC cover is an optional, separately priced, heavily capped add-on that many policies leave out entirely. This guide explains exactly how that cover works, why claims get denied, and what your policy needs to say before you rely on it.
What “social engineering” means on a cyber policy
Social engineering, in insurance terms, is fraud that targets a person rather than a system. An attacker impersonates a supplier, a senior executive, or a trusted contact, and persuades an employee to send money or change payment details. No firewall is breached. The employee, believing the request is genuine, authorises the payment themselves.
The UK’s National Cyber Security Centre (NCSC) groups the common variants under business email compromise and payment diversion fraud:
- CEO fraud / impersonation: an email appears to come from a director, asking finance to make an urgent payment.
- Invoice or mandate fraud: a fraudster posing as a real supplier asks you to update their bank details, so the next genuine invoice pays into the criminal’s account.
- Fake vendor / supply chain fraud: a spoofed or compromised supplier mailbox sends a doctored invoice.
The NCSC’s guidance on business email compromise and payment diversion fraud sets out these patterns and the controls that reduce them. The insurance point is simpler: all of these involve a deceived but willing employee, and that detail is what most base policies are built to exclude.
Why your standard cyber policy does not cover it by default
A typical cyber policy is designed around a system compromise: ransomware, data breach, network interruption. Those events involve an intruder doing something to your systems. Social engineering does not fit that shape, because the loss flows from a payment your own staff authorised.
So most UK base policies handle it one of three ways:
- Exclude it outright. The policy responds to hacking and data loss, not to voluntary payments induced by deception.
- Add it back by endorsement. Cover is restored through a named insuring agreement, usually called a “social engineering,” “fraudulent instruction,” “eCrime,” or “funds transfer fraud” endorsement. These names vary by insurer; they describe the same family of cover.
- Include it but sub-limit it. Even when present, the cover is capped well below the headline policy limit.
The practical takeaway: the existence of a cyber policy tells you nothing about whether BEC is covered. You have to find the specific endorsement and read its sub-limit. Our guide on how to read a cyber insurance policy walks through where these clauses sit and how to spot a sub-limit.
The “voluntary parting” trap
Here is the clause that catches people out. Plain crime and fidelity policies, and unendorsed cyber policies, often exclude loss where the insured “voluntarily parted with” money or property. The logic insurers apply: because a trusted employee, acting without duress, chose to make the payment, there was no direct theft of your funds. The money was sent, not stolen.
That reasoning is why a contractor who wires a large sum after a spoofed supplier email can find both routes closed: the cyber insurer says there was no system breach, and the crime insurer says the employee voluntarily authorised the transfer. The loss falls into the gap between the two.
A proper social engineering fraud endorsement exists specifically to remove the “voluntary parting” exclusion, so the policy will respond when an employee is tricked into paying. Major brokers, including Aon and Gallagher, describe the endorsement in exactly these terms, and explain why an unendorsed policy turns these claims away. If your policy does not name social engineering or fraudulent instruction cover, assume the voluntary parting logic applies and the claim will be declined.
Social engineering fraud vs funds transfer fraud
These two terms get used loosely, but the difference decides which limit you get.
| | Social engineering fraud (SEF) | Funds transfer fraud (FTF) |
|---|---|---|
| What happens | An employee is deceived into authorising the payment | The attacker compromises a system or account and moves money directly |
| Is a person tricked? | Yes, the employee acts voluntarily | No, no deceived employee |
| Typical limit | Often sub-limited, below the headline figure | Often available at, or closer to, the full limit |
Funds transfer fraud is treated more like a direct theft, so it frequently attracts the full policy limit. Social engineering fraud, because it depends on an employee’s voluntary act, is the one insurers cap. When you read a quote, check that both are addressed, and check the limit attached to each separately. A policy can offer generous FTF cover while sub-limiting SEF to a fraction of it.
The wider first-party and third-party split is covered in first-party vs third-party cyber cover; social engineering loss is a first-party loss, money out of your own account.
The sub-limit problem: why your full limit is not available
This is the figure most buyers never check until they claim. Social engineering cover is routinely capped far below the headline limit.
In practice, a policy carrying a large aggregate limit will commonly cap social engineering or funds transfer fraud recovery at a sub-limit that is a small fraction of that figure. The exact cap varies by insurer, sector and the controls you have in place, but the pattern is consistent: the social engineering line is a small carve-out, not the whole limit.
Two further mechanics usually come with the sub-limit:
- Extra premium. The endorsement is priced separately. Removing it is one of the quiet ways a cheaper quote gets cheaper.
- A higher, separate deductible. Social engineering claims often carry their own retention, set higher than the policy’s standard excess.
So before you treat BEC as covered, find three numbers in the schedule: the social engineering sub-limit, the deductible that applies to it, and whether SEF and FTF carry the same or different caps. For more on how exclusions and sub-limits reshape what a policy actually pays, see what cyber insurance covers and its exclusions.
Conditions precedent: the controls that decide if you get paid
A sub-limit only matters if the claim is admitted in the first place. The most common reason a BEC claim is denied is not the sub-limit; it is a breached condition precedent. Underwriters write specific controls into the endorsement as conditions of cover. Miss one, and the claim can be declined regardless of limit.
The controls insurers most often require:
- Callback verification. Any new or changed bank details must be confirmed by phoning the supplier on a number you already hold or independently verify, never a number supplied in the suspect email or invoice.
- Dual authorisation. Payments above a set threshold need two people to approve them.
- Segregation of duties. The person who sets up a payee should not be the person who releases the payment.
- Multi-factor authentication on email and finance systems.
- Email authentication: SPF, DKIM and DMARC. The NCSC has pushed DMARC at quarantine or reject as standard practice.
- Staff phishing training and simulations, evidenced and current.
These read like good practice because they are, but on an endorsement they are contractual. If the proposal form said you operate dual authorisation and callback checks, and a payment went out without them, the insurer can treat the warranty as breached. That is how a genuine, well-documented loss still ends in a declined claim.
The lesson is procedural, not just legal: the verification step that protects the money is the same step that protects the cover. For the broader distinction between a cyber policy and a standalone cyber liability wording, see cyber insurance vs cyber liability explained.
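The controls above are usually enforced by a finance-team procedure, but the same checks can be written down as a gate that a payee change must pass before the next payment is released, which also produces the evidence an insurer asks for at claim time. The following is an added illustration, not code from the article, the NCSC or any insurer: the supplier names, phone numbers, account details, the £10,000 dual-authorisation threshold and the DMARC records are all constructed, and the `ChangeRequest` fields are assumptions about what a finance system would record.

```python
"""Conditions-precedent gate for a supplier bank-detail change (illustrative example).

Models the controls a social engineering endorsement commonly imposes:
callback to an independently held number, dual authorisation above a threshold,
segregation of duties, and DMARC at quarantine or reject. All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed threshold above which the wording demands two approvers (constructed value).
DUAL_AUTH_THRESHOLD = 10_000.00

# Constructed contact book: numbers captured at supplier onboarding, never taken from
# a later email or invoice. 020 7946 0xxx is an Ofcom reserved drama range.
SUPPLIER_PHONEBOOK = {"Acme Widgets Ltd": "+44 20 7946 0123"}

# Constructed DMARC TXT records for the insured's own sending domain.
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"


@dataclass(frozen=True)
class ChangeRequest:
    supplier: str
    new_sort_code_account: str
    phone_in_request: str        # number printed in the (possibly spoofed) email
    amount_pending: float        # value of the next invoice due to the new account
    set_up_by: str               # who keyed the new payee
    released_by: str             # who released the payment
    approvers: tuple[str, ...]   # people who approved the change
    callback_number_used: str    # number finance actually dialled
    callback_confirmed: bool     # supplier confirmed the change on that call


def dmarc_policy_acceptable(txt_record: str) -> bool:
    """Parse a DMARC TXT record; True only when the policy is quarantine or reject."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("v") == "dmarc1" and tags.get("p") in ("quarantine", "reject")


def check_conditions(req: ChangeRequest, phonebook: dict, dmarc_record: str) -> list[str]:
    """Return the list of breached conditions; an empty list means all were met."""
    failures = []
    held_number = phonebook.get(req.supplier)
    if held_number is None:
        failures.append("callback: no independently held number for this supplier")
    elif req.callback_number_used != held_number:
        failures.append("callback: number dialled is not the one held on file")
    elif not req.callback_confirmed:
        failures.append("callback: supplier did not confirm the change")
    if req.amount_pending >= DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        failures.append("dual authorisation: fewer than two distinct approvers")
    if req.set_up_by == req.released_by:
        failures.append("segregation of duties: same person set up and released the payee")
    if not dmarc_policy_acceptable(dmarc_record):
        failures.append("email authentication: DMARC policy is not quarantine or reject")
    return failures


def audit_record(req: ChangeRequest, failures: list[str]) -> dict:
    """The evidence an insurer asks for at claim time: what was checked and by whom."""
    return {
        "supplier": req.supplier,
        "new_account": req.new_sort_code_account,
        "callback_number": req.callback_number_used,
        "approvers": sorted(set(req.approvers)),
        "set_up_by": req.set_up_by,
        "released_by": req.released_by,
        "conditions_met": not failures,
        "failures": list(failures),
    }


# Constructed sample requests: one that follows the procedure, one that does not.
GOOD_REQUEST = ChangeRequest(
    "Acme Widgets Ltd", "12-34-56 12345678", "+44 20 7946 0999", 25_000.00,
    set_up_by="alice", released_by="bob", approvers=("bob", "carol"),
    callback_number_used="+44 20 7946 0123", callback_confirmed=True,
)
BAD_REQUEST = ChangeRequest(
    "Acme Widgets Ltd", "12-34-56 87654321", "+44 20 7946 0999", 25_000.00,
    set_up_by="alice", released_by="alice", approvers=("alice",),
    callback_number_used="+44 20 7946 0999", callback_confirmed=True,  # rang the email's number
)

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        print(audit_record(req, check_conditions(req, SUPPLIER_PHONEBOOK, DMARC_OK)))
```

The bad request fails on exactly the points the endorsement cares about: the callback went to the number in the suspect email rather than the one on file, one person both set up and released the payee, and a payment above the threshold had a single approver. The `audit_record` output is the kind of contemporaneous evidence that answers "are you actually doing all of them, and can you evidence it?" when the claim is examined.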
Cyber policy or crime policy: where should the cover sit?
Social engineering cover can live in either a cyber policy or a commercial crime policy, and many businesses hold both. That creates two risks worth planning around.
Crime policies often offer higher limits for social engineering than cyber policies, which tend to sub-limit it. So if the loss is large, the crime policy may be the better-funded route. But when both policies could respond, their “Other Insurance” clauses and separate retentions can either leave a gap or force you to absorb two deductibles for one event.
If you carry cyber and crime cover, get your broker to confirm three things in writing: which policy responds first to a BEC loss, that the sub-limits and retentions are coordinated, and that there is no overlap clause leaving the loss to fall between them. Industry coverage from brokers such as Gallagher explains why the crime market has grown into this risk and how the two products interact.
The PSR reimbursement scheme will not save most businesses
There is a common assumption in the UK that the new reimbursement rules cover business losses. For most firms, they do not.
Since 7 October 2024, the Payment Systems Regulator’s mandatory reimbursement scheme requires banks to refund authorised push payment (APP) fraud. In the first months of the new rules, around 86% of in-scope APP fraud by value was returned to victims, though across the full year the overall reimbursement rate was lower. The scheme has limits that matter for a business reading this:
- It is capped per claim at £85,000, so a large BEC loss far exceeds what the scheme returns.
- It is aimed at consumers, microenterprises and charities. Larger businesses generally fall outside it.
- It applies to Faster Payments within the UK, not to international wire transfers.
That last point matters because international payment fraud is rising fast: UK Finance reported international payment fraud losses up around 93% in 2024, to roughly £50 million, and those sit outside the reimbursement scheme entirely. You can confirm the scheme’s exact cap and eligibility on the Payment Systems Regulator’s own pages before you rely on it; treat it as a backstop for small payments, not as a substitute for insurance on a serious BEC loss.
The scale of the problem in the UK
The numbers explain why insurers are so careful with this cover. UK Finance’s Annual Fraud Report 2025 puts total UK fraud losses at £1.17 billion in 2024. Authorised push payment fraud, the category BEC sits in, accounted for £450.7 million, of which non-personal (business) losses were £84.9 million. Case volumes fell, but the international and business-targeted end of the problem did not ease in the same way.
You can read the underlying figures in UK Finance’s Annual Fraud Report 2025. Globally, the FBI’s IC3 reported around $2.77 billion in business email compromise losses in 2024, though that is US-led data and the UK picture is the one to plan around.
What to check on your own policy this week
Pull your schedule and wording, and answer these:
- Is there a named social engineering, fraudulent instruction, eCrime or funds transfer fraud insuring agreement? If not, BEC is almost certainly not covered.
- What is the sub-limit on it, and how does that compare to your headline limit?
- Is there a separate, higher deductible for social engineering claims?
- Are SEF and FTF both covered, and at what limits each?
- What conditions precedent does the endorsement impose: callback verification, dual authorisation, MFA, DMARC, training? Are you actually doing all of them, and can you evidence it?
- If you hold a crime policy too, which one responds first, and are the limits and retentions coordinated?
If you cannot answer these from the documents, your broker can, and it is a far better conversation to have now than during a claim. If you are still deciding whether you need cover at all, start with do I need cyber insurance.
If you do suffer a BEC loss, report it to Action Fraud on 0300 123 2040 and tell your bank immediately; fast reporting improves the chance of recalling the payment before it is moved on.
Frequently asked questions
Does cyber insurance cover business email compromise? Not by default. A standard cyber policy is built around system compromise, so a payment your own employee was tricked into authorising usually falls outside it. BEC is only covered if the policy carries a named social engineering, fraudulent instruction or funds transfer fraud endorsement, and even then it is typically capped below the headline limit.
What is the difference between social engineering fraud and funds transfer fraud cover? Social engineering fraud (SEF) is where an employee is deceived into voluntarily authorising a payment. Funds transfer fraud (FTF) is where an attacker compromises a system or account and moves the money directly, with no deceived employee. FTF is treated more like a direct theft and often attracts the full limit, while SEF is the one insurers tend to sub-limit.
Why was my BEC claim denied? Common reasons are: no named social engineering endorsement on the policy; the “voluntary parting” exclusion, because the employee authorised the payment; a breached condition precedent, such as skipping callback verification or dual authorisation; or the loss exceeding the social engineering sub-limit. The denial often comes down to a control that was promised on the proposal form but not followed on the day.
Why isn’t my full policy limit available for a social engineering loss? Because social engineering cover is almost always sub-limited. A policy with a large aggregate limit commonly caps social engineering or funds transfer fraud recovery at a small fraction of that figure. The exact cap varies by insurer, but the principle holds: the social engineering line is a carve-out, not the whole limit.
Do I need a separate crime policy or is the cyber endorsement enough? It depends on your exposure. Crime policies often offer higher limits for social engineering than cyber policies, so for a large potential loss a crime policy may be the better-funded route. If you hold both, coordinate them: confirm which responds first and that the “Other Insurance” clauses and deductibles are aligned, so you neither double-pay a retention nor leave a gap.
What controls do insurers require before they will pay a BEC claim? Typically callback verification of any new or changed bank details using an independently held number, dual authorisation for payments above a threshold, segregation of duties, multi-factor authentication, email authentication via SPF, DKIM and DMARC, and current staff phishing training. On an endorsement these are conditions of cover, so failing to follow one can void an otherwise valid claim.
Does the PSR reimbursement scheme cover my business? For most businesses, largely no. The Payment Systems Regulator’s mandatory reimbursement scheme is capped per claim at £85,000 and aimed at consumers, microenterprises and charities, so larger firms generally fall outside it. It also applies to Faster Payments within the UK, not to international wire transfers, which is where a lot of BEC money goes. Confirm the current cap and eligibility on the PSR’s own pages, and treat the scheme as a backstop for small payments rather than cover for a serious BEC loss.
Is CEO fraud or invoice fraud covered? They are covered under the same social engineering endorsement question. CEO fraud (a fake instruction from a senior figure) and invoice or mandate fraud (a fraudulent request to change supplier bank details) are both forms of social engineering. If your policy carries the relevant endorsement and you met its verification conditions, they should respond, subject to the sub-limit; if it does not, they generally will not.