Human Error Drives Cyber Insurance Claims, Data Shows
Insurance company CFC Underwriting, which conducts business in over 80 countries, reported that human error plays a part in the vast majority of cyber insurance claims.
CFC Underwriting reported that in 2018 the company responded to over 1,000 cyber insurance claims comprising data breaches, theft of funds, ransomware and extortion, malware and more. In Canada alone, CFC Underwriting said that 32% of cyber insurance claims concerned ransomware and extortion, 24% non-malicious data breach, 20% malicious data breach, 9% theft of funds, 9% malware and 6% other cyber incidents.
“Whether a business suffers a data breach, a ransomware attack, or accidentally sends money to a fraudulent bank account, human error plays a part in the vast majority of the claims we see,” CFC Underwriting said.
In 2018, two important pieces of legislation came into effect, the European Union’s General Data Protection Regulation (GDPR) and Canada’s Digital Privacy Act. While these laws are important, CFC Underwriting said, cyber insurance claims shouldn’t be seen exclusively through this lens.
“It’s important to stress that while notification laws might prompt consideration of cyber amongst businesses and seem to be driving claims, cyber insurance is not just about covering the losses associated with a data breach,” CFC Underwriting said. “It’s much broader than that and our data shows it provides cover for a whole host of cyber-related risks, ranging from theft of funds and cyber extortion to system damage and business interruption.”
Common Causes of Cyber Incidents
According to CFC Underwriting, the following are the common causes of cyber incidents that led to cyber insurance claims:
1. Loss of Devices and Inadvertently Exposing Data to Public
Non-malicious data breaches, the insurance company said, are caused entirely by lost laptops and other devices or doing things such as inadvertently sharing sensitive data.
2. Phishing Attacks
The company added that malicious data breaches, ransomware and extortion claims often start with malicious actors gaining system access through phishing emails.
3. Failure to Follow Up on Urgent Wire Transfer Requests
The company said that many funds transfer fraud claims are due to employees failing to follow up on or verify urgent wire transfer requests.
In a phishing attack, a malicious actor uses an email as the weapon to launch a cyberattack. Phishing emails contain malicious attachments or malicious links that, when downloaded or clicked, install malicious software (malware) such as ransomware onto the victim’s computer. In a ransomware attack, malicious actors lock users out of their computer files and demand a ransom payment from their victims to unlock the files.
In September 2018, the Town of Midland, Ontario publicly admitted that its network was infected with ransomware. Six days after the ransomware attack, the Town announced that it had decided to pay an undisclosed amount to the ransomware attackers. In paying the ransom, the Town said, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
Business E-mail Compromise (BEC) Attacks
Phishing emails are also used by malicious actors to launch funds transfer fraud, also known as Business E-mail Compromise (BEC). This type of cyberattack specifically targets organizations that conduct regular wire transfer payments. BEC attackers study their victims prior to the attack, accurately identifying the individuals and protocols needed to perform wire transfers within a specific business environment.
According to the Federal Bureau of Investigation (FBI), as of July 2018, BEC was a 12 billion dollar scam. Between October 2013 and May 2018, the Bureau said that 78,617 BEC cases were reported and victims reported a total loss of $12.5 billion.
The City of Burlington, Ontario disclosed in June 2019 that it had fallen victim to a phishing attack that led to funds transfer fraud. The City said that a phishing email was sent to a City staff member requesting that the bank account information of an established City vendor be changed. This phishing email, the City said, led to a single wire transfer of funds worth nearly half a million dollars to a bank account controlled by the attacker or attackers.
Best Practices to Prevent Cyberattacks
Here are some cybersecurity best practices to prevent or minimize the effects of human error:
1. Conduct Regular Inventory of All Devices Connected to Your Organization’s Network
A complete inventory of all computers and devices connected to your organization’s network is important in effectively monitoring, reporting and responding to cyber incidents.
2. Practice Email Hygiene
To prevent phishing attacks, it’s important to educate and train employees to exercise caution when opening email attachments or clicking email links. Along with staff education and training, it’s also important to automate the process of identifying and blocking malicious emails through email security solutions.
3. Verify Wire Transfer Payment Requests
One of the ways to prevent wire transfer fraud or BEC scams is by verifying the payment request in person. While it may seem sufficient to verify wire transfer requests by email or by phone, there have been cases in which these two methods didn’t prevent the commission of wire transfer fraud or a BEC scam. With current technology, both emails and phone calls can be spoofed by attackers.
4. Conduct Regular Back-up of Critical Data
It’s important that your organization regularly backs up critical data. When your organization is diligent in backing up sensitive data, ransomware attackers have no leverage over your organization and their ransom demand can simply be ignored.
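The verification step in practice 3 is the control that would have caught the Burlington vendor bank-change request. The following added example (not from CFC Underwriting or any of the organizations named above) models that control: a payment request that changes the account on file, is marked urgent, or exceeds a review threshold is held until staff record a check made through a channel the requester could not have supplied. The vendor record, threshold and phone numbers are constructed sample data; the `WireTransferControl` class is a hypothetical helper.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Vendor:
    # Master record; callback_phone was recorded at onboarding, never copied from an email.
    account: str
    callback_phone: str
@dataclass(frozen=True)
class PaymentRequest:
    # The request as received: every field is untrusted, including any phone number it carries.
    vendor: str
    amount: float
    account: str
    urgent: bool = False
@dataclass(frozen=True)
class Verification:
    # Record of a check staff performed outside the email thread.
    vendor: str
    account: str
    method: str            # "callback" or "in_person"
    phone_used: str = ""   # number dialled, for callbacks
class WireTransferControl:
    # Hypothetical control: flagged requests are held until verified via a channel the requester did not supply.
    def __init__(self, vendors, review_threshold):
        self.vendors = vendors
        self.review_threshold = review_threshold

    def evaluate(self, req, checks):
        vendor = self.vendors.get(req.vendor)
        if vendor is None:
            return "hold", ["vendor not on file"]
        flags = []
        if req.account != vendor.account:
            flags.append("account differs from account on file")
        if req.urgent:
            flags.append("request marked urgent")
        if req.amount >= self.review_threshold:
            flags.append("amount at or above review threshold")
        if not flags:
            return "release", []
        for v in checks:
            if v.vendor != req.vendor or v.account != req.account:
                continue
            # A callback counts only if it went to the number on file, not one supplied in the request.
            if v.method == "in_person" or (v.method == "callback" and v.phone_used == vendor.callback_phone):
                return "release", flags + ["verified via " + v.method]
        return "hold", flags + ["no out-of-band verification on file"]

# Constructed sample vendor record and control instance.
VENDORS = {"Acme Paving": Vendor("CA-000111", "+1-555-0100")}
CONTROL = WireTransferControl(VENDORS, review_threshold=100_000.0)
```

The key point is the callback rule: a phone check only satisfies the control when it is made to the number already on file, since a number quoted in the request may belong to the attacker.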
Avoiding cyberattacks and mitigating the risks is always less expensive than the losses from a successful attack. Our experts will equip you with knowledge, tools and processes, and will help you avoid a disaster.