Modern Insurance Magazine

Lessons learnt from dealing with cyber fraud

Cyber fraud is still a relatively new and emerging threat.  Some broker contacts have acknowledged they’re not aware of all the risks and are conscious of this.  There’s a terrific appetite to learn more about the issue, given they’re charged with the responsibility of arranging cover. For the majority of the British public, exposure to cyber fraud issues has been around hacking, for example people having bank account information compromised, being the victim of scams, or even having their data stolen when organisations are breached.  There are plenty of examples of the latter of course, some more newsworthy than others.

However, most cyber insurance policies are bought by business consumers rather than individuals, and understandably so, because digital technologies are the backbone of modern society and are here to stay.  In commerce, data is important because it facilitates a company’s business and therefore has value.  It can be stolen or ‘hijacked’, and sold on/held for financial gain, and in turn its loss impacts on the business concerned.

So getting the right cover matters to business consumers – especially SME operations that are at the core of UK society; losses can have a significant impact on them.  Cover has broadened to extend benefits as the risks increase, and more policies are being sold, which is encouraging. Three common attacks seen by SME and corporate consumers that customers should ensure are covered are:

1. Ransomware: an attack where a customer’s data is encrypted, resulting in data becoming unusable.  The criminal leaves details of how to pay the ransom to release data.
2. Malware: software specifically designed to disrupt, damage or gain unauthorised access to a computer system.  Malware can be used to steal information or covertly monitor network operations.
3. Data theft: the act of infiltrating digital information with the intent of compromising privacy or obtaining confidential information – this risk is an increasing problem for small to medium enterprises.

Ransomware was the most common cyber fraud we saw in 2018.  The average cost of repairs to compromised networks can run into tens of thousands of pounds, so it’s easy to see why there’s a temptation to ask the insurer to pay the ransom.  But doing this is morally wrong, and potentially a breach of the regulatory framework around financial crime.  Whilst acknowledging that it is a quick solution, it does leave a business open to further attacks and helps fund financial crime, so we fully support the national police policy of not giving in to ransom demands, thus sending a strong deterrent message to perpetrators and protecting the regulatory framework.

But this strategy relies on a true partnership approach involving the policyholder, broker, insurer and police being ‘at one’.  Simply, is it better to pay the ransom and save a significant loss in turnover via a resulting BI claim, or not to pay the ransom, fix the problem and still avoid the loss in turnover?  It’s the latter every time for us.

Fraudsters intercepting emails containing bank account information, resulting in a change of bank account details being conveyed to the recipient and in turn diverting funds to criminals, and phishing emails (criminals masquerading or tricking consumers with bogus email/websites) are also very commonplace, albeit usually not covered by cyber policies.  These are risks that can be countered in other ways, with good old-fashioned common sense and diligence at the heart of tactics best employed to negate these threats.

A word on the culprits: we’ve seen them range from opportunistic or casual individuals who just want to prove they can do it, to premeditated and planned acts committed by organised crime for financial gain.  Defeating the cyber fraudsters and working with police to identify culprits and bring about prosecutions is in our DNA of course; it’s a developing area for the police too, and we’re starting to see some convictions, which is really encouraging.