
Business Email Compromise (BEC) Insurance Coverage: What’s Actually Covered?

By Amanda Chen - Cyber Claims Specialist & Former Insurance Defense Attorney

Last month, I reviewed a claim from a construction company that lost $890,000 to a business email compromise attack. The attackers impersonated a subcontractor and redirected a legitimate payment. The company had cyber insurance. They assumed they were covered.

They weren’t.

Their policy had a $100,000 sublimit for social engineering fraud. After the deductible, they recovered $75,000 of their $890,000 loss. The CFO called me in tears.

After handling over 300 BEC claims in my career—first as an insurance defense attorney, now as a claims consultant—I’ve seen this scenario repeat endlessly. BEC is now the #1 cause of cyber insurance losses, yet it’s the coverage most businesses misunderstand.

Here’s what every business needs to know about BEC coverage—including the sublimit traps, exclusions, and policy language that determines whether you’re protected.

⚠️ THE BEC COVERAGE GAP
67% of businesses I audit have inadequate BEC coverage. Most don't realize it until they file a claim. The average BEC loss is $125,000—but average coverage is only $50,000-$100,000.

Understanding BEC: The #1 Cyber Insurance Loss

What is Business Email Compromise?

BEC attacks trick employees into transferring money or sensitive data by impersonating trusted parties. Common variants:

CEO Fraud: Attacker impersonates CEO, requests urgent wire transfer

“I need you to wire $47,000 to this account for a confidential acquisition. Don’t discuss with anyone.”

Vendor Impersonation: Attacker compromises vendor email, changes payment details

“Our banking information has changed. Please update your records and send the next payment to…”

Account Takeover: Attacker gains access to legitimate email account

(Using actual compromised account to request changes to payment instructions)

Invoice Manipulation: Attacker intercepts legitimate invoices, modifies payment details

BEC by the Numbers (2025)

| Metric | Amount |
|---|---|
| Average BEC loss | $125,000 |
| Median BEC loss | $50,000 |
| Largest BEC loss I’ve handled | $4.2 million |
| % of cyber claims involving BEC | 38% |
| % of BEC claims with inadequate coverage | 67% |

The Coverage Landscape: Where BEC Fits

BEC coverage can appear in several places—and the differences matter enormously:

1. Cyber Insurance “Social Engineering” Coverage

Most common location. Typically includes:

  • Wire transfer fraud
  • Invoice manipulation
  • Impersonation schemes

Watch out for: Sublimits (often $50K-$250K, far below aggregate limits)

2. Crime Insurance “Social Engineering” Endorsement

Alternative location. May provide:

  • Higher limits than cyber policy
  • Different triggering language
  • Potentially overlapping coverage

Watch out for: Coordination with cyber policy, “other insurance” clauses

3. Funds Transfer Fraud Coverage

Narrower coverage. Typically covers:

  • Fraudulent instructions received by your bank
  • Unauthorized EFT transactions

Watch out for: Often requires fraud at the bank level, not employee deception

4. Computer Fraud Coverage

Even narrower. Typically covers:

  • Direct manipulation of computer systems
  • Unauthorized access to transfer funds

Watch out for: May not cover “voluntary” transfers made by deceived employees

💡 KEY INSIGHT
The critical question: Does your policy cover voluntary transfers made by deceived employees? Many policies only cover unauthorized access—but in BEC, the employee voluntarily makes the transfer. They're just deceived about who they're sending it to.

The Sublimit Trap: Why Your Coverage May Be Inadequate

How Sublimits Work

Your policy might show:

  • Aggregate Limit: $2,000,000
  • Social Engineering Sublimit: $100,000

This means: Even though you have $2M in coverage, BEC losses are capped at $100K.

Real Examples from My Casework

| Company | Aggregate Limit | BEC Sublimit | BEC Loss | Recovery |
|---|---|---|---|---|
| Manufacturing | $3M | $100K | $450K | $100K |
| Law Firm | $2M | $250K | $380K | $250K |
| Healthcare | $5M | $50K | $175K | $50K |
| Tech Startup | $1M | $1M (full) | $220K | $220K |

The pattern: Companies with “full limit” BEC coverage recovered fully. Those with sublimits recovered pennies on the dollar.

How to Check Your Sublimits

Look for these terms in your policy:

  • “Social Engineering Fraud Sublimit”
  • “Fraudulent Instruction Coverage Limit”
  • “Voluntary Parting Sublimit”
  • “Invoice Manipulation Limit”

Pro tip: The declarations page summary may not show sublimits. Read the endorsements.

Coverage Triggers: When Do You Have to “Click” for Coverage?

Different policy language creates different coverage triggers:

The “Good Funds” Requirement

Some policies require you to verify the fraudulent instruction came through a “compromise” of the sender’s actual email system.

Problem: What if the attacker used a lookalike domain (company.com vs. c0mpany.com)? Some policies deny coverage because the real email wasn’t compromised.
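A lookalike-domain check of the kind this paragraph is about, added here as an example; it is not code from the article. The vendor domain list, the digit-for-letter map and the similarity threshold are constructed assumptions. It goes a little beyond the single company.com / c0mpany.com case in the text: it also catches character-substitution and near-miss domains, and flags a Reply-To that points at a different domain than the From address, which is a common BEC indicator worth recording before a payment change is acted on.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed vendor domains "on file" (assumption: your AP system keeps such a list).
KNOWN_VENDOR_DOMAINS = {"company.com", "acme-supply.com", "northbridge-llc.com"}

# Digit-for-letter swaps commonly used in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalize_domain(domain: str) -> str:
    """Lower-case, fold Unicode lookalikes to ASCII, and undo digit-for-letter swaps."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower())
    ascii_only = folded.encode("ascii", "ignore").decode()
    return ascii_only.translate(HOMOGLYPHS)

def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'; '' if none."""
    m = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""

def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the domain in an email address."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in known:
        return "known"
    norm = normalize_domain(domain)
    for k in known:
        # Exact match after normalisation catches c0mpany.com; the similarity ratio
        # catches near-misses such as cornpany.com (rn for m) or a dropped letter.
        if norm == k or SequenceMatcher(None, norm, k).ratio() >= threshold:
            return "lookalike"
    return "unknown"

def check_message(from_addr: str, reply_to: str = "") -> dict:
    """Classify From and Reply-To, and flag a Reply-To that points somewhere else."""
    result = {"from": classify_sender(from_addr)}
    if reply_to:
        result["reply_to"] = classify_sender(reply_to)
        result["reply_to_mismatch"] = sender_domain(reply_to) != sender_domain(from_addr)
    return result

if __name__ == "__main__":
    print(check_message("Accounts Payable <ap@c0mpany.com>", "ap-updates@mailer.random-host.org"))
```

The similarity threshold is deliberately loose; a "lookalike" result should route the request to the callback procedure rather than block it outright, so that legitimate vendors who change domains are handled the same way as attackers.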

The “Verification Procedures” Requirement

Many policies require you to have followed your own verification procedures.

Policy language might say:

“Coverage applies only if the Insured followed documented procedures for verifying changes to payment instructions.”

Problem: If you don’t have documented procedures, or didn’t follow them, claim denied.

The “Direct Financial Loss” Requirement

Policies typically cover “direct financial loss”—but what counts?

Usually covered:

  • The fraudulent transfer amount
  • Fees to attempt recovery

Often NOT covered:

  • Interest on borrowed funds
  • Reputational damage
  • Employee time investigating

Common Exclusions That Bite

Exclusion 1: “Voluntary Parting”

Language: “This policy does not cover loss arising from any employee voluntarily parting with money or property.”

Impact: The most dangerous exclusion. BEC by definition involves an employee voluntarily sending money—they’re just deceived.

What to look for: Policies that carve back coverage for “social engineering” despite the voluntary parting exclusion.

Exclusion 2: “Failure to Verify”

Language: “This policy does not cover loss if the Insured failed to verify the authenticity of instructions through a callback to a known telephone number.”

Impact: If you didn’t call to verify, no coverage—even if the attacker would have fooled you anyway.

Exclusion 3: “Known Parties”

Language: “Coverage applies only to instructions purporting to be from a Client, Vendor, or Customer with whom the Insured has an existing business relationship.”

Impact: New vendor impersonation? Not covered.

Exclusion 4: “Cryptocurrency”

Language: “This policy does not cover any loss involving cryptocurrency or digital assets.”

Impact: If attackers demanded payment in Bitcoin, or the funds were converted to crypto, no coverage.

The Callback Verification Debate

Many policies now require “callback verification” for coverage. Here’s the nuance:

What Policies Typically Require:

  • Phone call to a previously known phone number
  • Not a number provided in the suspicious communication
  • Documentation of the call

The Practical Problem:

Attackers know about callback requirements. They:

  • Intercept phone systems
  • Provide cell phones that they control
  • Time attacks for when verification is difficult

What Courts Have Said:

  • Some courts enforce callback requirements strictly
  • Others have found for policyholders if “reasonable efforts” were made
  • Jurisdiction matters significantly

BEST PRACTICE
Document your verification procedures before you need them. Create a written policy requiring callback verification for any payment instruction change. Train employees. Log verification attempts. This documentation can save your claim.

How to Ensure Adequate BEC Coverage

Step 1: Audit Your Current Coverage

Find answers to these questions:

  1. What is my BEC/social engineering sublimit?
  2. Is “voluntary parting” excluded or carved back?
  3. What verification requirements exist?
  4. Does coverage extend to vendor impersonation?
  5. Is there a “direct vs. indirect” loss distinction?

Step 2: Calculate Your Exposure

Consider:

  • Your largest single payment amount
  • Average payment size × payments per month
  • Working capital exposure
  • Vendor payment frequency

Rule of thumb: BEC sublimit should be at least your largest single payment OR 3× your average payment, whichever is higher.
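The sublimit arithmetic from the "Real Examples from My Casework" table and the rule of thumb above, as one added example that is not the article's own code. It computes what a policy actually pays on a BEC loss (loss capped at the governing limit, less the deductible) and compares the sublimit you have with the one the rule of thumb says you need. The $25,000 deductible and $2M aggregate used for the construction company in the introduction are assumptions; the article gives neither.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    aggregate_limit: int                 # total policy limit, e.g. $2,000,000
    bec_sublimit: Optional[int] = None   # social engineering sublimit; None means the full aggregate applies
    deductible: int = 0                  # retention applied before the insurer pays

def applicable_limit(policy: Policy) -> int:
    """The cap that governs a BEC loss: the sublimit when one exists, never above the aggregate."""
    if policy.bec_sublimit is None:
        return policy.aggregate_limit
    return min(policy.bec_sublimit, policy.aggregate_limit)

def recoverable(policy: Policy, loss: int) -> int:
    """Insurer payment on a BEC loss: the loss capped at the applicable limit, less the deductible."""
    return max(0, min(loss, applicable_limit(policy)) - policy.deductible)

def required_sublimit(largest_payment: int, average_payment: int) -> int:
    """The article's rule of thumb: the largest single payment or 3x the average, whichever is higher."""
    return max(largest_payment, 3 * average_payment)

def audit_coverage(policy: Policy, largest_payment: int, average_payment: int) -> dict:
    """Step 1 and Step 2 together: the sublimit you have against the one you need."""
    need = required_sublimit(largest_payment, average_payment)
    have = applicable_limit(policy)
    return {"current_sublimit": have, "required_sublimit": need,
            "shortfall": max(0, need - have), "adequate": have >= need}

if __name__ == "__main__":
    # The construction company from the introduction: $890K loss, $100K sublimit, $75K recovered.
    # Deductible and aggregate are assumed for illustration.
    construction = Policy(aggregate_limit=2_000_000, bec_sublimit=100_000, deductible=25_000)
    print(recoverable(construction, 890_000))   # 75000
    print(audit_coverage(construction, largest_payment=890_000, average_payment=120_000))
```

Run the audit with your own largest and average payment figures; a non-zero shortfall is the number to take to your broker in Step 3.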

Step 3: Request Coverage Improvements

Ask your broker about:

  • Increasing BEC sublimits
  • Removing or softening callback requirements
  • Adding “impersonation” coverage broadly
  • Eliminating voluntary parting exclusion for social engineering

Step 4: Implement Controls (Helps Claims AND Prevention)

Controls that support coverage:

  • Written verification procedures
  • Dual authorization for large payments
  • Out-of-band verification requirements
  • Employee training (documented)
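The written verification procedure, dual authorization and out-of-band callback listed in Step 4, together with the callback documentation the "Callback Verification Debate" section says insurers and courts look for, as one added example that is not the article's own code. The vendor master record, the callback number on file, the $25,000 dual-authorization threshold and the approver names are constructed assumptions. Every decision is appended to a hash-chained log, so the record of which number was called, when, and who approved can be handed to the insurer and shown not to have been edited afterwards.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed vendor master file. The callback number was recorded at onboarding, before
# any change request arrived; it is the only number the procedure allows you to call.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "Northbridge LLC": {"callback_number": "+1-555-0142"},
}
DUAL_AUTH_THRESHOLD = 25_000  # assumption: amounts at or above this need two approvers

def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def record(log: List[dict], entry: dict) -> dict:
    """Append an entry carrying the hash of the previous one, making the log tamper-evident."""
    entry["prev"] = _entry_hash(log[-1]) if log else "0" * 64
    log.append(entry)
    return entry

def log_is_intact(log: List[dict]) -> bool:
    """Re-walk the chain; any edited or removed entry breaks the link after it."""
    expected = "0" * 64
    for entry in log:
        if entry.get("prev") != expected:
            return False
        expected = _entry_hash(entry)
    return True

def verify_payment_change(log: List[dict], vendor: str, amount: int, number_in_request: str,
                          number_called: str, vendor_confirmed: bool, approvers: List[str],
                          now: Optional[datetime] = None) -> dict:
    """Apply the written procedure to a request to change payment instructions and log the outcome."""
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "vendor": vendor,
        "amount": amount,
        "number_in_request": number_in_request,   # kept as evidence; never dialled
        "number_called": number_called,
        "vendor_confirmed": vendor_confirmed,
        "approvers": sorted(set(approvers)),
    }
    on_file = VENDOR_MASTER.get(vendor)
    if on_file is None:
        entry["decision"], entry["reason"] = "rejected", "vendor not on file; onboard through the normal process first"
    elif number_called != on_file["callback_number"]:
        entry["decision"], entry["reason"] = "rejected", "callback must use the number on file, not one supplied in the request"
    elif not vendor_confirmed:
        entry["decision"], entry["reason"] = "rejected", "vendor did not confirm the change on callback"
    elif amount >= DUAL_AUTH_THRESHOLD and len(entry["approvers"]) < 2:
        entry["decision"], entry["reason"] = "rejected", "dual authorization required"
    else:
        entry["decision"], entry["reason"] = "approved", "callback to number on file confirmed; approvals satisfied"
    return record(log, entry)

if __name__ == "__main__":
    audit_log: List[dict] = []
    verify_payment_change(audit_log, "Northbridge LLC", 48_000, "+1-555-0199", "+1-555-0199", True, ["ap-clerk"])
    verify_payment_change(audit_log, "Northbridge LLC", 48_000, "+1-555-0199", "+1-555-0142", True, ["ap-clerk", "controller"])
    print(json.dumps(audit_log, indent=2), log_is_intact(audit_log))
```

The rejected entries are as valuable to a claim as the approved ones: they show the procedure existed and was applied, which is exactly what the "failure to verify" and "verification procedures" clauses put in question.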

The Claims Process for BEC Losses

Immediate Actions (First 24 Hours)

  1. Contact your bank immediately

    • Request recall of the wire transfer
    • Time is critical—funds often move quickly
    • Document all communication
  2. Notify your insurer

    • Call the claims hotline
    • Provide preliminary details
    • Don’t admit fault or speculate on coverage
  3. Preserve evidence

    • Screenshot all relevant emails
    • Save email headers (IT can help)
    • Document the timeline
  4. Consider law enforcement

    • File FBI IC3 complaint
    • Local law enforcement report
    • This supports your claim and recovery efforts
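The "Preserve evidence" step above, as an added example that is not the article's own code: it hashes the raw message so the saved copy can be shown to be unaltered, and pulls out the routing and identity headers the insurer will ask for. The raw message below is constructed for the example; every address, host name, IP (203.0.113.10 is a documentation range) and message ID in it is made up.

```python
import hashlib
import json
from email import message_from_bytes

# Constructed raw message standing in for the fraudulent instruction (not a real email).
RAW_MESSAGE = b"""Return-Path: <bounce@mailer.example-host.net>
Received: from mailer.example-host.net (mailer.example-host.net [203.0.113.10]) by mx.yourco.example with ESMTP; Mon, 3 Mar 2025 14:02:11 +0000
From: Accounts Payable <ap@c0mpany.com>
Reply-To: ap-updates@c0mpany.com
To: controller@yourco.example
Subject: Updated banking details for invoice 4471
Date: Mon, 3 Mar 2025 14:01:58 +0000
Message-ID: <20250303140158.1234@mailer.example-host.net>

Our banking information has changed. Please update your records and send the next payment to...
"""

# Headers worth keeping: routing (Return-Path, Received), identity (From, Reply-To),
# and the fields that tie the message to the transfer and to the mail server's logs.
EVIDENCE_HEADERS = ["Return-Path", "Received", "From", "Reply-To", "To", "Subject",
                    "Date", "Message-ID", "Authentication-Results"]

def preserve_evidence(raw: bytes) -> dict:
    """Hash the raw bytes and extract the evidence headers into a plain record."""
    msg = message_from_bytes(raw)
    record = {"sha256": hashlib.sha256(raw).hexdigest(), "size_bytes": len(raw), "headers": {}}
    for name in EVIDENCE_HEADERS:
        values = msg.get_all(name)
        if values:
            # Received appears once per hop, so keep every occurrence in order.
            record["headers"][name] = [str(v) for v in values]
    return record

def evidence_json(raw: bytes) -> str:
    """Serialized form to file next to the untouched raw .eml in the claim folder."""
    return json.dumps(preserve_evidence(raw), indent=2)

if __name__ == "__main__":
    print(evidence_json(RAW_MESSAGE))
```

Keep the raw .eml itself as well; the JSON is a convenience for the claim file, and the hash is what lets you demonstrate later that the original was not modified.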

What Insurers Will Ask For

Prepare to provide:

  • Complete email chain showing the fraud
  • Verification procedures (if any)
  • Evidence of any verification attempts
  • Bank records showing the transfer
  • Any recovery efforts and results

Common Claim Challenges

Challenge 1: “You didn’t follow your procedures”
Response: Provide documentation that procedures were followed, or argue procedures were ambiguous

Challenge 2: “The voluntary parting exclusion applies”
Response: Point to social engineering coverage that carves back the exclusion

Challenge 3: “This wasn’t covered impersonation”
Response: Demonstrate the communication met policy definitions

Policy Language Deep Dive: What to Look For

Good Policy Language (Favorable to You):

“Social Engineering Fraud means the intentional misleading of an Insured through the use of any communication… which purports to be from a legitimate source, resulting in a Transfer of Money.”

Why it’s good: Broad definition of “misleading,” includes “any communication,” covers “purporting to be” (doesn’t require actual compromise).

Bad Policy Language (Favorable to Insurer):

“Coverage applies only to fraudulent instructions received via compromise of a Third Party’s email system, provided the Insured verified the instruction through callback to a telephone number on file prior to the date of the fraudulent communication.”

Why it’s bad: Requires actual email compromise (not spoofing), strict callback requirement with timing limitations.

Red Flag Language:

  • “Actual compromise of Third Party systems”
  • “Verified through documented procedures”
  • “Known telephone number on file prior to the loss”
  • “Voluntary parting” without social engineering carve-back

BEC Coverage Comparison Checklist

Use this when evaluating policies:

| Coverage Element | Policy A | Policy B | Your Current |
|---|---|---|---|
| BEC Sublimit | | | |
| Requires email compromise? | | | |
| Callback requirement? | | | |
| Voluntary parting carved back? | | | |
| Covers lookalike domains? | | | |
| Covers vendor impersonation? | | | |
| Covers new relationships? | | | |
| Waiting period? | | | |
| Recovery offset? | | | |

Action Items

This Week:

  1. Pull out your cyber policy
  2. Find the social engineering/BEC coverage section
  3. Note the sublimit and key exclusions
  4. Calculate if sublimit matches your exposure

Before Next Renewal:

  1. Request BEC sublimit increase if inadequate
  2. Document your verification procedures
  3. Train employees on BEC recognition
  4. Consider crime insurance as backup

Ongoing:

  1. Review procedures quarterly
  2. Update training as threats evolve
  3. Audit verification compliance
  4. Adjust coverage as business grows


BEC coverage is the most misunderstood area of cyber insurance. Don’t wait until you’re filing a claim to discover your coverage gaps. Audit your policy now, while you have time to fix any problems.
