Last week, the Cyber Insurance Association hosted a webinar in efforts to address cyber fraud and the hardening cyber insurance market.
With ransomware hitting the headlines on an almost daily basis, the high cost of claims relating to cyber incidents is pushing rates to recover anticipated losses.
Policy pricing must factor in progressing and evolving ransomware and data breaches, and there is a need for communication surrounding this, together with aggregation risks, policy wording, coverage, and exclusions.
Panel members grouped to offer their insights on the factors behind these growing concerns, covering topics from fraud, social engineering, and ransomware attacks, to cyber insurance coverage and exclusions, and responsibility or blame. Moderated by Celso De Azevedo, STORM Guidance CEO, Neil Hare-Brown joined the panellists for ‘Funds Transfer Cyber Fraud and Insurance Issues’ discussing the following topics:
Authorised Push Payment Fraud (APP), Social Engineering, Malicious Misdirection and Payee Scams
Unauthorised Network Access, Email Spoofing, Ransomware and Phishing Attacks
Cyber Insurance Coverage and Exclusions
Cyber Crime and Liability Insurance Coverage
What did the panellists have to say?
Tom Egglestone ACII, Tokio Marine Kiln
Tom addressed the crossover with cyber coverage and stressed the importance of communication between insurers, brokers, and the insured. “Early and open communication can avoid consent issues and prevent incurring plenty of costs. Wire fraud coverage can vary drastically between insurers, so it is important to check the terms closely”. Tom also gave his thoughts on the responsibility of the insured. “The cyber risk landscape progresses so quickly, with threat actors often several steps ahead of us. What constitutes as reasonable protection against cybercrime shifts constantly as technology and protections evolve, so it’s difficult for insurers to prove recklessness”. Offering advice to businesses, Tom explained that all applications used should be up to date and that organisations should undergo regular and interactive cyber training.
Catalina De Zubiria, Willis Towers Watson
Catalina discussed with the panel the importance of considering policy wordings. “Cyber policies have Prior Consent Requirements which can make things complicated (if legal, breach, forensics, and settling claims costs are incurred), and contribution clauses, plus the definition of terms are other difficult issues when dealing with cyber insurance.” Also offering advice to the insured’s, Catalina suggested regular reviews of third-party providers and investing in security, making sure contractual agreements are clear in terms of contractual liabilities.
Deborah O’Riordan, QBE Insurance Risk, Solutions
Deborah explained that Business Email Compromise (BEC) is one of the most common attacks, with law firms most frequently targeted. She also stressed how often people do not know the extent of the damage until forensic investigations are carried out, and that when a business is hit, they must notify on all their policies. Touching on the insured’s responsibility and the perceived level of cybersecurity and cyber risk maturity, Deborah said, “the issue is down to the different interpretations of what implementing cyber risk management measures means”. To offer her thoughts on strategies businesses could implement in addressing their exposure, she said, “a layered control approach is important so that no one security measure falls on a single person. It is critical to have a layered approach to authorisation and verification as an extra check and security procedure”.
Neil Hare-Brown, STORM Guidance
Discussing data theft and ransomware, Neil explained that ‘phishing’ is the most common method used to steal credentials. “Criminals use these stolen credentials to gain access to systems, and the data is then copied off whilst ransomware is dropped onto the network to encrypt it - that’s where the extortion begins. It is a two-pronged attack (theft of data and encryption of data) with the added threat of exposure.” Neil explained that cybercriminals are now driven by significant organised crime, using high levels of surveillance, and increasing efforts and planning, as there is a low risk of being brought to justice. Explaining his thoughts on strategies that could be incorporated to address cyber risk exposure, Neil said, “all cybersecurity controls can deteriorate if they are not maintained adequately. One of the biggest issues is that businesses assume that there are cyber strategies in place when there are not. There are seven key strategies that organisations should have in place at board level, which support effective cyber risk management (https://www.cyberseven.global/). These need to be consistently monitored to protect against evolving threat”.
Neil highlighted the need for segregation of duties to ensure that nothing falls on just one person, together with keeping an eye on domain variants. “Often, attackers register and use domains that look like the victims (or like the organisations communicating with the victim), essentially attempting corporate identity theft.” Finally, Neil advised focussing on international payments, as the Confirmation of Payee (CoP) controls are gradually being introduced into the UK banking processes and are very good at stopping fraud. Fraudsters are looking for organisations with no Confirmation of Payee controls, so they are now targeting international payments.
Anthony Hess, Asceris
In looking at the history and evolution of cybercrime, Anthony detailed the progression of email fraud, from uncomplicated and often ‘obvious’ attempts distributed in bulk; to the more intricate spoofing methods that we see today, where payroll and communications systems are infiltrated.
He explained, “social engineering will always be a hard problem to solve, and the level of technical difficulty is increasing. Therefore, cyber policy coverage has become more difficult to gauge. There is a perception of small businesses being unable to stay on top of cyber risk management. However, they do not face the same complexities and challenges as larger organisations”.
He advised that the single most important thing to adopt in the protection against Business Email Compromise (and other types of incidents) is Multi-Factor Authentication (MFA).
The webinar
Listen to the webinar for more information and advice: