CYBERCRIME: CYBER POLICY, CRIME POLICY OR BOTH?
Coalition webinar breaks down five core attack types
By Christopher W. Cook
Protecting your clients against cybercrime can be confusing, and the specific actions of a threat actor can affect which type of policy could cover a claim.
And nowadays, cybercrime is everywhere. A recent webinar by Coalition, a cyber insurance provider, stated that according to the FBI, $27.6 billion had been lost to cybercrime over the past five years; $10 billion of that total was lost in 2022 alone.
“It’s not an exaggeration to say that cybercrime is a billion-dollar problem, and it’s the billion-dollar problem your clients aren’t thinking about,” said Julia Thompson, senior product marketing manager at Coalition. “Cybercrime can have a huge impact on your clients’ businesses, and it affects businesses of all sizes.
“Cybercrimes against large businesses tend to make the headlines, but the unfortunate reality is that small businesses are seen as easy targets because they often have limited resources or expertise to manage their technology and train their employees.”
The webinar, titled “Cybercrime Simplified,” identified five core attack types and discussed how they are triggered, who the key threat actors involved are, and what type
of policy covers each event.
“Not all incidents are covered by the same policy,” Thompson said. “Policy language can be confusing because it’s not exactly clear how each incident can be covered or if it’s covered at all.”
“On one side, you’ve got crime policies that are built to protect against traditional types of crime. On the other side, you’ve got cyber insurance policies that are built to protect against digital cyber threats,” added Mike Volk, senior product marketing manager at Coalition.
“Cybercrime often falls someplace in between and can show up on both policies. This can sometimes be challenging when trying to figure out exactly … which type of policy it should fall on.”
While all carriers and insurance providers have different policies with different language, for the sake of this article, we’ll be referencing policies offered by Coalition.
Wire transfer fraud
“Wire transfer fraud is not necessarily the most sophisticated type of attack, but it’s one that’s especially lucrative and generally pretty easy for cybercriminals to execute,” Volk said. “It starts when a cybercriminal [gains] information that allows them to authenticate to the financial institution of an organization. This is particularly tough for the financial institution and the organization that owns the account because it looks like legitimate activity.”
Oftentimes, an organization doesn’t find out about the theft until they get a notification from their bank about an unknown transaction.
“The key here is that the entity initiating this type of transaction is an external actor, so it’s not somebody within the organization making the transfer,” Volk said.
Dale Schulenberg, senior manager of claims at Coalition, shared an example of a client that experienced wire transfer fraud. “Once the threat actor got into the email account, he was able to reach out to the bank and get added as a payroll administrator,” he said. “This essentially allowed the threat actor to initiate two wires from the bank account that totaled about $125,000. This wasn’t caught in time; the bank thought it was legitimate because this person was added as a payroll administrator.”
So, is wire transfer fraud covered by a cyber policy, a crime policy, or both? Coverage for this type of event can be found on either a cyber or crime policy.
“Cybercrimes against large businesses tend to
make the headlines, but the unfortunate reality
is that small businesses are seen as easy targets
because they often have limited resources or
expertise to manage their technology and train
their employees.”
—Julia Thompson
Senior Product Marketing Manager
Coalition
Social engineering fraud
“[Social engineering fraud] can be sophisticated depending on what the fraudster is doing, but it’s also one that’s easy for a criminal to scale up pretty quickly,” Volk said.
There are numerous ways a cybercriminal can commit social engineering fraud, but the typical way starts by researching what vendors and suppliers an organization uses and who in the company is internally responsible for handling finances.
“With this information, the fraudster—without access to the network in most cases—is going to start crafting communications to impersonate vendors, suppliers or other third parties that the organization is used to doing business with,” Volk said. “Because this looks to the employee [whom they’ve researched] as a normal transaction from an entity that they’re used to doing business with, if they’re not being vigilant, paying close attention to, or they’re trying to do things quickly as most of us do, they can easily make a payment against a fraudulent invoice from an entity that is not who they think it is.
“Some of the more sophisticated attackers are good at crafting messages to look legitimate. Of course, there are techniques to prevent this; one of the biggest is training. Another is making sure that if anybody ever asks to change payment instructions, it’s verified by a phone call and not by email.”
When it comes to coverage, policy language is important, because unlike wire transfer fraud, where a cybercriminal is doing everything externally, here an employee of the company is being tricked and making the transaction internally.
“An employee or somebody inside the organization executes the payment, but they’re doing it because they were tricked or misled by the cybercriminal,” Volk said. “The key here is that the employee is not stealing from the company intentionally.”
“Social engineering is the most common when it comes to a [funds transfer fraud]-type of coverage,” Schulenberg said. “We had a policyholder that ended up sending about $6.4 million to an account; an email chain with their investment advisor had been compromised.”
In this case, after a forensic investigation and an attempt to recover the funds, law enforcement contacts tracked the money to a Hong Kong bank account.
“It’s not easy once funds go to an international account,” Schulenberg said. “All but about a million dollars was frozen and it was transferred into a secure account.”
As for insurance, social engineering fraud can be covered by a cyber or crime policy.
Invoice manipulation fraud
“[Invoice manipulation fraud] is a perfect storm
of security failures. On one end, you’ve got an
email account that was compromised. On the
other side, the client is not necessarily trained
to know that you don’t change payment
instructions without verifying it.”
—Mike Volk
Senior Product Marketing Manager
This type of fraud can also be done in numerous ways, but typically it involves a cybercriminal hacking into someone’s email and then duping their clients into misdirecting funds.
“Once a criminal gains access to email accounts, they start scanning inboxes for things that say payment instructions, invoice, or anything related to financial transactions,” Volk said. “At that point, they set up external email accounts where they’re auto forwarding messages to that account and deleting them from the inbox of the user. They manipulate the invoices or instructions before they’re sent to the intended recipient, [who sees] the email coming from a legitimate user. It looks like the normal invoice, but they’ve asked them to change the payment instructions.”
Usually, the organization will discover that something has happened when they approach the client about paying an invoice and they respond that they already did.
“This one is a perfect storm of security failures,” Volk said. “On one end, you’ve got an email account that was compromised. On the other side, the client is not necessarily trained to know that you don’t change payment instructions without verifying it.
“When you look for this in a policy, it can be a little bit tricky. A unique element here is that the organization that’s losing money is a third party; it’s the client of the insured organization. Now, the insured organization also loses the money because they can’t collect those funds.”
For example, “We had a [client that was a] manufacturer and they received a legitimate order from a customer that they worked with before,” Schulenberg said. “They started working on their product and issued an invoice—25% of what the total cost would be. However, their email account had been compromised, so that invoice was intercepted and changed with fraudulent wire details.
“The customer received the invoice and sent the funds to who they thought was the insured, but it went to a fraudulent account. The customer was unable to recover those funds from their own bank account and so the insured was now out of those funds. Ultimately, we ended up reimbursing them for their net costs of that 25%. The insured finished their product and sent it to the customer, so they were happy. The insured lost nearly $132,000.”
Since invoice manipulation is a relatively new type of cybercrime, Coalition is seeing it added to cyber insurance policies at this time.
Electronic and service and telecom theft
The last two attack types are similar, “up until the criminal actually steals something from the organization,” Volk said. “With both electronic theft and service and telecom theft, the attack starts by a cybercriminal gaining access to a network. Once they have that level of access, they’ve got the ability to take one path and steal money from the organization—and there are different ways they could do that—or they could go the other direction and use their data for nefarious purposes.”
“Once the threat actor got into the email account,
he was able to reach out to the bank
and get added as a payroll administrator. …
[T]he bank thought it was legitimate.”
—Dale Schulenberg
Senior Manager, Claims
Coalition
For example, a cybercriminal could hack into and use an organization’s VoIP system, and “at the end of the day, the organization will get a bill for that usage [that] was used by a cybercriminal for executing some type of crime,” Volk said.
“When you’re trying to find coverage for both, … the trigger is a security failure and the actor is external, so it’s not somebody being tricked like with social engineering fraud. Where the coverage is going to differ: For electronic theft, the criminal is using that access to steal money and securities, but they can also use that level of access to … steal property or change shipping information.
“On the service and telecom theft side, instead of stealing money, they’re stealing computing resources. Those two types of coverages will be different depending on the circumstances.”
For example, “We had an insured that ended up having a pop-up on their computer that advised them that [it] had been infected with malware and to call a number,” Schulenberg said. “They did call that number and, ultimately, [the cybercriminal] installed UltraViewer, which allowed the person on the phone to access the insured’s computer.”
Luckily, the insured noticed their mouse moving around on the screen without their controlling it and was able to uninstall UltraViewer before any damage could be done.
So, when it comes to coverages, electronic theft events can be covered by a cyber or crime policy. Given that service and telecom theft incidents are typically initiated by unauthorized access to a computer system or network and typically result in a theft of computing resources—instead of a more direct theft of funds or goods—Coalition is seeing coverage often align more closely with cyber insurance because of the other coverages that could potentially be triggered by this type of attack.
The best protection
We’ve looked at numerous scenarios, all dependent on how the crime takes place and what the criminal does. Is a cyber policy, a crime policy or both appropriate for your clients?
“The best ways to safeguard your clients is by making sure they have both crime insurance and cyber insurance,” Thompson said. “This is a power duo that provides the most robust protection against cybercrime, because your clients are then covered against a broader range of risks than what’s covered by either policy by itself. They also get additional coverage for overlapping claims.
“In general, a policy is either primary or excess and primary policies pay accepted claims first, and excess policies pay out after that if the losses exceed the limits of the primary policy.
“If both policies are primary, or both are excess, the policies work together and pay proportionally based on the coverage offered by each policy. That’s why it’s important to have coverage with one insurer; it makes it easier to coordinate claims,” she concluded.
For more information:
Coalition
www.coalitioninc.com