
Category Archives: Cyber Liability

Cyber Policy Wordings Myths

For buyers of cyber insurance, these are confusing times. The news is peppered with stories purporting that cyber policies aren’t fit for purpose and even worse, that cyber insurance claims aren’t getting paid.

The CFC article below is setting the record straight. Cyber is an incredibly important line of cover for modern businesses of all types and sizes, and cyber policies are evolving rapidly to meet their needs. Below you’ll find some of the main policy coverage misconceptions, and CFC’s response to them.

  1. The myth: Cyber events caused by human oversight or error won’t be covered. The reality: While it’s true that cyber insurance was primarily developed to deal with malicious cyber events, policies go far beyond this today, covering a wide range of losses caused by human error or oversight, such as lost laptops or social engineering scams. In fact, about 75% of the cyber claims that CFC pays are for events originally caused by some kind of human error.
  2. The myth: Only the legally required costs associated with a data breach will be covered. The reality: Cover for data breaches is actually incredibly mature, having been an established part of cyber insurance policies for the last decade. Should a cyber event lead to a privacy breach, nearly every policy will pick up the costs associated with regulatory fines and penalties, breach management like the production and posting of letters, post-breach remediation, and crisis communications, even if you are voluntarily notifying customers.
  3. The myth: System interruption cover will only cover the period of actual system downtime. The reality: Recognizing that business interruption can be felt well beyond the period of actual system downtime, cyber insurance providers have developed this cover considerably over the last few years. CFC’s policy, for example, automatically provides a 12-month indemnity period to pick up losses incurred in the long aftermath of a cyber event, and most other providers offer 3-6 months as standard with the option to extend.
  4. The myth: If an outsourced technology provider experiences an issue that leads to a cyber event, it won’t be covered. The reality: This is a relatively outdated concern. Today, any established cyber insurance policy will cover cyber events and system downtime experienced by the insured themselves and at least their third party technology service providers, if not the full supply chain encompassing non-technology service providers too. In addition, data hosted with third parties is also typically covered.
  5. The myth: If a system has been recently updated, it won’t be covered. The reality: Not only are system updates part and parcel of most businesses’ operations, but it is not in the interests of cyber insurers to discourage businesses from bringing their systems up to date. After all, updates and new system implementations can improve security. For that reason, reputable cyber policies will not look to exclude events arising out of systems that are new or recently updated.
  6. The myth: If a contractor causes a cyber event, such as a data breach, it won’t be covered. The reality: The majority of cyber policies are designed to cover the entirety of business operations. Just as with outsourced technology providers, CFC’s policy is designed to cover claims caused by third party contractors. In fact, we take it one step further and cover our policyholders’ data wherever it is hosted and whomever it is breached by.
  7. The myth: It’s difficult to get cyber incident support and notify claims. The reality: It’s in the interests of insurers to encourage quick and easy engagement with policyholders if a cyber event occurs. If the last two decades of underwriting this class has taught us anything, it’s that good incident response is key in containing the loss to a business and the subsequent cost of a claim. CFC – along with much of the industry – is taking steps to make reporting a claim as easy as possible through 24/7 hotlines or innovations like our cyber incident response app.
  8. The myth: In the event of a cyber incident, businesses cannot choose the IT, legal, or PR specialists they work with. The reality: While we can’t speak for the entirety of the market on this matter, this is certainly untrue for CFC. While we offer policyholders quick and easy access to a global panel of high-quality incident response partners, we understand that some businesses have their own providers and therefore don’t typically limit our policyholders to working with our panel alone.
  9. The myth: Cyber insurance doesn’t pay out. The reality: Cyber insurance most certainly does pay out. At CFC, cyber insurance actually has a lower claims declination rate than most other lines of insurance. In 2018, we paid over 1,000 cyber claims and we expect that number to increase by 50% in 2019. In short, the number of these claims continues to rise and insurers are paying them.

Source: www.cfcunderwriting.com


Customer Payment Fraud

Funds transfer fraud – whereby fraudsters dupe innocent businesses and individuals into transferring what they believe are legitimate payments to fraudulent bank accounts – is becoming an increasingly common problem.

In an insurance context, most cyber policies with crime cover in place will provide some form of protection for situations where policyholders lose their own money in this way. For example, if a fraudster manages to impersonate the policyholder’s CEO and gets a member of the finance team to send a payment over to a fraudulent bank account, the policyholder’s business will have suffered a financial loss. All being well, this loss can then be recovered under their cyber policy.

However, it’s not always the policyholder’s business that suffers a loss in this way, but the policyholder’s customers. Customer payment fraud describes a situation in which a business is impersonated by a fraudster, who then dupes some of the business’s customers into making payments to a fraudulent account.

To make this concept a little easier to digest, let’s take a look at a real-life example.

We recently dealt with a claim involving an insurance brokerage that is primarily involved in arranging property and casualty insurance cover for SME businesses. One of the brokerage’s employees had their email account compromised by a fraudster, which allowed the fraudster to monitor the broker’s inbox and identify an opportunity to misdirect funds. The broker had been working on the renewal of a package policy with one of the brokerage’s existing clients and all that remained was for the client to transfer the premium over to the brokerage, who would then pass it on to the insurer.

Having chosen a suitable target, the fraudster then sent an email from the broker’s account and explained that the premium would have to be sent to an international account due to an audit on the brokerage’s usual account. Assuming that this was a legitimate request, the customer duly transferred the premium over to this fraudulent account. It was only when the broker chased the customer about the payment some weeks later that the scam was uncovered. This meant that the premium still remained unpaid, but as the fraudulent communications appeared to come from the broker, the customer put the blame on the brokerage and refused to pay the premium twice. Given this, the brokerage accepted responsibility for the incident and decided to pay their customer’s premium from their own funds.

In this case, the primary victim of the loss was not the brokerage but their customer. As it wasn’t the brokerage that was tricked into transferring funds, the crime cover on most cyber insurance policies would not be triggered, unless there is some form of specific cover for customer reimbursement in place. However, under CFC’s cyber crime insuring clause, losses of this nature are covered up to a maximum of $50,000, providing a valuable safety net and helping to maintain good customer relations for policyholders who are impersonated in this way.

Click here to Read CFC’s latest study about funds transfer fraud.

Source: www.cfc.com


Cyber-Threat Awareness Requires Training and Vigilance

Employees need training when it comes to recognizing potential cyber threats. They should be on notice that, no matter their position within an organization, they too are responsible for doing their part in maintaining security standards and following proper reporting protocols.

Consider this real-life example. An organization in Scotland is suing an employee for failing to spot a CEO spoofing scam, but the employee claims she never received any real training in how to recognize fraudulent emails.[1] Though the employee appears to have acknowledged a brief warning, this case demonstrates the need for organizations to clearly and consistently set expectations when it comes to cyber training and awareness.

When it comes to training programs, employees often express the same kind of nonchalant attitude that pervades the entirety of their organization’s mindset on cyber security. If cyber-security culture is not prioritized, employees are not going to pay particular attention to a deck of slides and a short true-or-false quiz at the end to demonstrate their “mastery” of the material. In the case of the Scottish employee, her organization insists that she clicked a box acknowledging that she had been warned about the threat of CEO spoofing. When cyber-security efforts are merely boxes to be checked, it is unclear how much more useful they are than nothing at all.

Personalized Cyber-Security Training Is Key

Cyber-security awareness and training must be personalized. Namely, employees need to be given the tools to build a better understanding of the critical cyber threats they come into contact with every day. More complex technologies, newly implemented systems, and harder-to-understand technologies, such as cloud infrastructures, may require specialized training for specific stakeholders or responsible parties. While training may not look exactly the same for each employee, compliance with security protocols and procedures should be.

Perhaps unexpectedly, compliance with security protocols should strengthen and support an employee’s ability to think critically and maintain a questioning mindset. In an organizational setting, it may seem counterintuitive to expect employees to take on a critical eye. But once an employee has received training on the relevant systems and procedures, a questioning employee is going to have a better chance of spotting red flags and knowing when and how to report them.

Training programs should emphasize the need for employees to trust their gut when it comes to suspicious activities and to act with caution even if something appears to conform to company policy. Recognizing the type of CEO spoofing email mentioned above is a good example.

Training must evolve and be administered with the understanding that both technology and your organization’s use of it change regularly. Just as security procedures must never be a “set it and forget it” affair, continuing education also needs to reflect current policy.

Cyber Training Needs To Be Useful and a Priority

The usefulness of different training programs should also be assessed regularly. With this sort of feedback, it might have been understood that having an employee check a box is not an effective way to train staff to recognize emerging cyber threats. Instructing employees on where to find relevant cyber-security policies is also important in ensuring compliance, as is providing a point of contact for all related questions and reporting. This responsible party may also be the individual held accountable for evaluating compliance and the usefulness of particular training programs, and for deciding when changes need to be made and retraining needs to take place. Communication is key when it comes to keeping training useful rather than a checked-box formality.

To ensure that training remains a priority and that initiatives are funded adequately, cross-organizational communication channels need to exist. Knowing what key threats an organization faces as well as understanding which assets need to be most protected are impossible tasks without interdepartmental communication, especially with the information technology department. Cyber-security leaders within an organization must also be sure to keep upper management apprised of what is considered most important when allocating cyber-security resources. In the case of the company mentioned in this article, in-depth training sessions focusing on the “human element” of security and the threat of social engineering attacks might have prevented the disaster.

Conclusion

While the jury is still out as to whether a lack of adequate training or negligence is to blame in the case of the employee who fell for a CEO spoofing scam, either way it points to an increasing need for organizations to implement, and thoroughly document, training and education programs for their employees. Ultimately, the effectiveness of a training program is only going to be as strong as the organization’s overarching attitude toward cyber security. Additionally, employees need to recognize their individual responsibility for upholding their organization’s cyber-security protocols. When it comes to cyber security, everyone is a stakeholder.

[1] “Company Sues Worker Who Fell for Email Scam,” BBC, February 5, 2019.

Source: www.irmi.com


It’s Not Too Late, Start Your Cyber Resolution Today

CFC has put together a few top cyber-related resolutions for this year. Check them out and have a secure 2019!

  1. I will change all default passwords on my personal and work devices.
  2. I will regularly check for updates to the operating systems of my laptop, computer and mobile phone.
  3. I will install strong anti-virus software and keep it updated.
  4. I will think twice before clicking on unknown links or attachments in emails.
  5. I will authorize payments to new transfer partners via telephone to minimize risk of fraud.
  6. I will not share sensitive information on social media that could be used against me in phishing attacks.
  7. I will back up my entire system at least once a week on an external hard drive.
  8. I will encrypt my mobile phone and all of my other devices.
  9. I will talk to my kids (or parents) about how to stay safe online.
  10. In the event that resolutions 1-9 fail, I’ll have a cyber insurance policy in place to save the day!

Source: www.cfcunderwriting.com


Cyber Claims Case Study: CEO Swindle

One of the most common types of social engineering is CEO fraud. This is typically a targeted attack where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason. Even traditional businesses who might not think they have a strong cyber exposure can lose thousands in attacks like this.

CFC’s latest cyber claims case study tells the story of a manufacturer who fell victim to CEO fraud and the financial fallout the company experienced as a result.

The key takeaway points are:

  • CEOs and senior executives are prime targets for cybercriminals. They tend to act as the face of their respective companies and have bigger profiles on company websites and social media accounts, allowing cybercriminals to gather valuable information about them. Cybercriminals also know that employees are instinctively less likely to question instructions from senior executives. CEOs and senior executives therefore need to be especially conscious of sticking to good cybersecurity practices, and employees need to be particularly alert to suspicious emails and have robust authentication procedures in place.
  • Cybercriminals are becoming increasingly sophisticated. In the past, it was not uncommon to see blatant attempts at funds transfer fraud over email, with an urgent appeal for help or bogus prize give-aways being just two examples. Now, however, we are seeing far more nuanced attacks, with fraudsters sending convincing credential phishing emails to gain access to email accounts, setting up forwarding rules on email accounts to avoid detection and making use of seemingly legitimate invoice templates to add authenticity to their scams.
  • Lots of businesses don’t think they need to purchase cyber insurance because they believe they have good IT security in place, such as firewalls and anti-virus software. But this ignores the fact that people are often the weakest link in an organisation’s IT security chain. With increasingly sophisticated attacks like this on the rise, it is harder for employees to tell the difference between a real email and a fake one, or a real invoice and a fake one, and that makes a successful social engineering attack against a business increasingly likely.

Read the full case study here

Source: cfcunderwriting.com
