
Advisen Cyber FPN - Friday, October 19, 2018

Getting railroaded by social engineers: The cybercrime that calls for both cyber, crime solutions


The tales of con artists abound throughout history, with stories of thieves, counterfeiters, and other tricksters who rely on the fact that for as long as there have been humans, there’s been human error.

With the aid of technology, scammers have elevated their crime game. Knowing that the speedy pace of business, the shift to computers for most office tasks, and humans’ innate desire to be prompt and helpful means that mistakes are bound to occur, cybercriminals need little more than a few details and a confident approach to make off with money, information, or other business assets.

Social engineering attacks have been rising steadily in recent years. Advisen data show that social engineering losses skyrocketed between 2015 and 2016, remaining at a new high in 2017 (see chart).

The details of these events range from lost funds to compromised records and stolen credentials and they strike a wide range of industries, with the highest losses in the commercial services sector, followed by media organizations.

Seeking insurance

Lost money or data is no small matter for businesses in any event, leading many organizations to seek to address the risk with insurance protection. For the insurance industry, over the last few years, a question has arisen in courts and in coverage conversations: should social engineering scams, which frequently involve no hacking or outside access to computer systems, be covered by a cyber policy or a crime policy? News reports on cases like American Tooling Center v. Travelers and Medidata Solutions v. Federal Insurance have frequently described the rulings as finding coverage under “cyber insurance” – a mistake that has contributed to confusion among insurance buyers about where their best options for coverage will be.

For the insurance industry, social engineering means cyber; for others it means crime. Cited by many as the biggest exposure many businesses currently face, the argument for finding coverage under crime policies has been that funds have been in essence stolen by nefarious means. The fact that a cybercriminal tricked

Insurers remain of two minds – many cyber policies include coverage for the impact of social engineering. At the same time, the crime insurance sector is beginning to offer affirmative coverage for funds transfer fraud, as the financial result of many social engineering efforts is typically called.

The Federal Bureau of Investigation has warned businesses – particularly smaller organizations – to be on high alert for business email compromise (BEC), the most common outlet for social engineering. A July alert explained, “The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”

The FBI reported that there was a 136 percent rise in BEC scams between December 2016 and May 2018 and 41,085 affected organizations with nearly $3 billion in funds lost or misappropriated in the last five years.

Cyber or crime?

According to insurance professionals, however, insurance buyers don’t care where the coverage resides in their programs, they just want to know that it’s covered somewhere. As it turns out, organizations may be able to pick the solution that works best for them, whether that is a cyber policy or a crime policy, or both.

Greg Bangs, senior vice president and regional leader for AXA XL’s crime unit, has focused on this issue for several years, having introduced the first social engineering fraud extension for crime policies in 2014, and explained that when it comes to loss of funds, social engineering should be a crime issue.

“Most cyber insurers are really looking at it as more of a liability perspective,” he told Advisen. “The crime insurers … are looking at what has been taken from the insureds in terms of money, securities, and property. If they steal money, securities, or property, it’s crime. If they steal data, it’s cyber.”

Bangs explained that cyber insurers offer sublimited cover for the actual theft of funds with more focus on the liability aspect.

While appeals courts have recently begun to find coverage under crime policies for funds transfer loss, this had historically not been the case.

“It’s an interesting trend, because we had been seeing all these cases go the insurers’ way. I think that the insurance industry is going to have to take a step and rethink and readjust how they offer this coverage,” Bangs said. “Insurers such as ourselves are really stepping up and taking higher limits.”

He reported seeing much broader interest from customers seeking a solution and predicted more collaboration or combined solutions to address the risk.

“This is obviously a significant problem,” said Bangs. “It’s getting bigger, the numbers are gigantic.” He added that he is advising all clients to “be absolutely sure that you’re addressing this problem internally and putting preventative measures in place.”

Specialist insurer Beazley has been sounding the alarm on the rise of social engineering and business email compromise for the last few years, aiming to educate organizations on avoiding losses.

“I do think we’ve done a good job of educating people, but the bad guys have just gotten more sophisticated. That’s where technical control has to come in play,” said Brett Anderson, privacy breach response services manager with Beazley’s Breach Response Services unit. Beazley expanded its social engineering coverage earlier this year, citing a continued rise in attacks of this nature. Anderson told Advisen that the first six months of 2018 showed “an aggressive pace” with about six out of every 10 claims involving some sort of social engineering or phishing.

Anderson added that costs to investigate social engineering attacks are rising, with new twists on an old tactic cropping up all the time. Social engineering for credential harvesting has become as popular as ransomware.

Increasingly, cyber insurers are expanding their social engineering coverage options and many feel that the cyber world is the appropriate home, despite recent court cases finding coverage under crime policies for lost funds. This is largely because social engineering “is not one nice, tidy thing,” according to Joshua Motta, founder and CEO of Coalition.

“The reason why that’s the ideal place for it is that loss exposure is oftentimes accompanied by other loss,” Motta said. The organization may have liability or legal obligations or require the forensic investigations commonly provided by cyber policies. Additionally, he explained, cyber claims departments are better equipped to define the extent of the breach.

“The traditional claims team doesn’t have the depth or expertise for what could be a very complex loss,” Motta said. He added that he would not be surprised if the solutions began to involve a blending of cyber and crime policies.

“If you only buy one, you’re not getting the full cover,” he said.

Editor Erin Ayers can be reached at eayers@advisen.com.
