☰ Navigation

1-888-643-2217 Email ABEX
Keeping you updated

Category Archives: Cyber Liability

Social Engineering Fraud Coverage

Posted on by

Background concept wordcloud illustration of social engineering

Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the hacker. Once the criminals obtain what they want, they disappear with the information or money—things that the company won’t miss until it’s too late.

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover them:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the unlawful theft of money due to a “computer violation”—that is, the unauthorized entry into or deletion of data from a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. Again, it depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow.

©  Zywave, Inc. All rights reserved.

Majority of Cyber Attacks Launched by Company Insiders

Posted on by

Business, technology, internet and networking concept. Young businessman working on his laptop in the office, select the icon cyber security on the virtual display.

According to figures released by IBM, nearly 60 per cent of all cyber attacks in 2015 were launched by “company insiders,” based upon data gathered from 8,000 of their clients’ devices. Though industry experts have warned for years that a company’s employees may inadvertently make systems vulnerable, IBM found that 44.5 per cent of attacks were, in fact, malicious.

It’s important to note that IBM defined an “insider” as anyone who had either physical or remote access to a company’s assets. While this would certainly include employees, it would also include business partners, contractors and vendors.

While insider threats can be difficult to detect, businesses can still work to prevent them. Above all, it’s important to have a cyber security plan in place—one that manages passwords in a mindful way and protects shared documents.

© Zywave, Inc. All rights reserved

Dyn DDos Attack Serves as a Cyber Security Wake-up Call

Posted on by

Security concept: blue opened padlock on digital backgroundIn late October, Dyn—a cloud-based internet performance management (IPM) company in the United States—had its server infrastructure compromised following distributed denial-of-service (DDos) attacks.

In essence, DDos attacks work by overwhelming targeted machines and servers with junk traffic, often causing website crashes. In this case, the attacks disrupted popular sites like Twitter, Spotify, Netflix and Amazon.

While DDos attacks are common, experts are concerned at their growing effectiveness, as Dyn is a large firm that services many Fortune 500 companies. It’s clear that cyber attacks are becoming more and more sophisticated, and hackers are no longer simply IT-student pranksters, but rather nation states and other large entities with malicious agendas.

Because of this fact, the looming threat of a cyber attack is more a matter of when than if, and businesses will need to turn to cyber liability insurance for the necessary protection. What’s more, as a reliance on cloud services becomes increasingly important for successful business operations, the value of a strong cyber liability insurance policy will only continue to grow.

A typical cyber liability policy can help protect you from costs associated with a data breach, copyright or trademark infringement, data loss due to hacking and business interruption.

For additional protection, it’s critical that you create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a description of all systems used at the organization based on their importance to the organization, and the data stored and processed within them.

Experts recommend that businesses review their cyber risk plans on an annual basis and update them whenever there are significant changes to their information systems or the facilities where systems are stored, or other conditions occur that may impact the organization.

© Zywave, Inc. All rights reserved

Canada Ranks Poorly in Lost Revenue and Continuity After Ransomware Attacks

Posted on by

Skull and crossbones on binary code with message of infection. Eps10. RGB. Global colors

Ransomware is a type of malicious software that is specifically designed to block systems or files until a victim—typically a company or high-ranking professional—has paid a sum of money to regain access. These types of attacks can be costly, sometimes averaging up to $50,000.

According to the recent report, the State of Ransomware, by malware remediation company Malwarebytes, Canadian businesses were among those most likely to pay ransomware demands. Additionally, the report, which examined 5,400 IT staff across Canada, the United States, the United Kingdom and Germany, showed that Canadian businesses ranked among the highest for lost revenue and business interruption following an attack.

In total, around 75 per cent of Canadian businesses admitted that they would pay an attacker to regain access to key systems and functionality. Other interesting findings from the report included the following:

  • Ransomware can impact more than the original infected system or file. In the report, Canada ranked the highest for ransomware penetration, as close to half of attacks affected 26 per cent or more of a company’s extended network.
  • Executives and senior-level staff are typically the targets of ransomware schemes.
  • On average, ransomware attacks in Canada were twice as expensive as those in the United States.
  • Business applications were found to be the most common vulnerability to ransomware in Canada. While email attacks are common in other countries, Canada’s strict anti-spam laws could be contributing to the lower number of email attacks.
  • Despite Canada ranking poorly in terms of business interruption and overall cost as it relates to the impact of ransomware attacks, 51 per cent of surveyed businesses claimed they were confident in their ability to stop an attack.
  • Health care and financial services were found to be the most common industry targets for ransomware attacks.

Ransomware attacks are a serious concern—one that continues to impact Canadian businesses. In the past year alone, more than one-third of security attacks in Canada were ransomware-related. To protect themselves from this ongoing threat, organizations should consider having a risk assessment done to determine and remediate potentially vulnerabilities.

© Zywave, Inc. All rights reserved

The Risks of Allowing Employees to Use Tablets

Posted on by

iStock_cell & tablet-000022454376SmallTablets and other such devices have become increasingly common in the average workplace. And, while these devices can be important for your employee’s daily work, they also represent a cyber risk if they are not properly managed.

The following are just a few of the major risks associated with having tablets in the workplace:

  • Mobile malware. Tablets are typically infected by malware via malicious apps and phishing scams. When this happens, a cyber criminal can gain unauthorized access to the device and associated network systems. In general, iOS tablets like iPads are safer from malware than Android tablets. However, mitigating the risk of malware typically comes down to the user. Workers should avoid downloading unfamiliar apps.
  • Loss of data. Following a security breach, data loss is inevitable. For tablets, this could mean that users are locked out of their devices altogether. To protect your business, employees should always back up their data, and ensure that no sensitive or proprietary information is stored on it.
  • Unsecured networks. Unsecured networks are a particular concern for tablets because they are easy to take on the go into areas with free and public Wi-Fi connections, like cafés and airports. These connections are not always secure and can be easily hacked by cyber criminals. To prevent this, employees should be reminded that no public Wi-Fi is safe. For further protection, offer a virtual private network (VPN) that your employees can utilize to safely use the internet off-site.
  • Theft. In addition to virtual threats from hacking and phishing scams, cyber criminals could just as easily steal the tablet itself. This could give them unlimited access to proprietary or personal information. To combat this, employees should never leave their devices unattended. Using a secure password can also help prevent theft of information.

Above all, employers should have a personal device policy in place that accounts for security threats. Employees should know what they can and cannot do with their devices and how to protect the sensitive information contained within. These policies should be extended to other personal devices with internet access, such as smartphones.

Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.

ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook
Connect with us on LinkedIn

CONNECT WITH US ON LINKEDIN