Community Banks

Wire Fraud at Your Bank: Is That a Cyber Claim or a Bond Claim?

5 min read

A controller at your bank gets an email from the CFO. It is urgent. A wire needs to go out today for a time-sensitive acquisition. The email looks right. The tone is right. The controller initiates the transfer.

Except the email was not from the CFO. It was a business email compromise attack. The money is gone. And now your bank has to file a claim.

This is where things get ugly.

The Finger-Pointing Problem

Your bank carries two policies that should cover this: a cyber liability policy and a fidelity bond. On paper, you are protected from both directions. In practice, you may be covered by neither.

The cyber carrier says: There was no hack. No malware. No unauthorized access to your systems. Nobody breached your network. An employee read a fraudulent email and voluntarily initiated a legitimate wire transfer through your normal banking systems. That is not a cyber event. Claim denied.
The fidelity bond carrier says: There was no employee dishonesty. The controller was not stealing. She was not corrupt. She was tricked. The fidelity bond covers dishonest acts by employees, not honest employees who get deceived. Computer fraud coverage requires unauthorized entry into your systems. But nobody entered anything. The employee used her own credentials and followed your own wire transfer procedures. Claim denied.

Both carriers are technically correct under their own policy language. The cyber policy was designed for security breaches. The fidelity bond was designed for employee theft and forgery. A social engineering attack, where nobody breaks in and nobody steals, sits in the gap between the two.

I see this pattern regularly when I review community bank insurance programs. Three policies on the books. Premiums paid every year. And when a wire fraud loss hits, two carriers pointing at each other while the bank absorbs the loss.

Why Deepfakes Make This Worse

Business email compromise has been the top threat to financial institutions for years. But AI-generated voice and video are changing the attack surface in ways most bank policies have not caught up with.

Attackers can now clone a voice from a few seconds of audio: an earnings call, a conference presentation, a short LinkedIn video. A finance employee at a multinational was tricked into transferring $25 million after a video call where every participant was a deepfake.

For community banks, where people know each other and trust a familiar voice, this is particularly dangerous. Most banks still rely on callback verification for high-value wire transfers. The employee picks up the phone, calls the requestor, hears a voice she recognizes, and confirms the transfer. When the callback itself can be faked, the control that is supposed to protect the bank becomes the attack vector.

The insurance gap: Most social engineering coverage was written for email-based scams. The policy language often references "fraudulent instruction" via "electronic communication." A deepfake phone call may or may not fit that definition. When the claim lands, that ambiguity becomes a denial.

What to Check in Your Policies

If you have not looked at how your cyber policy and fidelity bond interact on wire fraud, here are the specific things to review.

1. Find your social engineering sublimits.
Most cyber policies offer social engineering coverage as an endorsement, not a core coverage. Sublimits typically range from $100,000 to $250,000. If your bank processes wire transfers in the hundreds of thousands or millions, a $100,000 sublimit is not meaningful protection.
2. Check the definition of "social engineering."
Does it cover only written electronic communications (email, text)? Or does it include voice and video? If the definition is limited to "electronic communication" or "email," an AI-generated phone call or video deepfake may fall outside the coverage grant.
3. Check your fidelity bond for a social engineering rider.
Some fidelity bonds now offer social engineering endorsements. If yours has one, check the sublimit and the trigger language. Does it cover voice impersonation, or only written instructions? And does the sublimit stack with or replace your cyber policy's social engineering coverage?
4. Pull both policies side by side and look for exclusions that point to each other.
This is the most important step. In your cyber policy, look for language excluding losses "covered by" or "available under" a fidelity bond. In your fidelity bond, look for exclusions referencing "cyber events" or losses "arising from" electronic communications. If each policy excludes what the other one covers, you have the finger-pointing gap.
5. Review callback verification requirements.
Some policies require specific verification procedures as a condition of social engineering coverage. If your policy says you must "verify the instruction by telephone callback to a known number," and the caller on the other end is an AI-generated voice clone, did you satisfy the requirement? If nobody has an answer, that is the gap.

Close the Gap Before a Claim Forces the Question

The time to figure out which policy responds to a wire fraud loss is before the loss happens. Not during a claim dispute, when both carriers have financial incentives to point the other direction.

If your bank carries a cyber policy and a fidelity bond from different carriers, and you have not reviewed how they interact on social engineering and wire fraud, there is likely a gap. It may be a sublimit gap (coverage exists but is inadequate), a definitional gap (the attack method does not fit the policy language), or a structural gap (both policies exclude the claim entirely).

Any of those turns a covered loss into an uninsured one.

If you want someone who reads these policies for a living to walk through yours, get in touch.