The film industry has a rich history of depicting and romanticizing cyber crime, from The Girl with the Dragon Tattoo to Skyfall. While these films might not be true to real life, cyber crime’s frequent portrayal is a telling display of how crime is evolving as our society becomes increasingly reliant on technology.
However, cyber crime today is a far more common threat than anything portrayed in the movies. In the last 20 years, crime has shifted away from the theft of physical possessions, for example, and criminals now carry out the majority of crime digitally.
This is especially true in the United States, where not only are cyber insurance claims dramatically increasing, but they are shifting away from data breaches — the main concern only a few years ago — and moving towards other types of cyber crime. In fact, theft of funds and ransomware now account for over 50% of CFC Underwriting’s cyber claims, eclipsing what is traditionally seen as the main cyber risk in the U.S. — privacy.
The new threat has already begun to shed its skin
Cyber crime, within a cyber insurance context, generally refers to cyberattacks that relate directly to the theft or extortion of money from the victim, as opposed to theft of data or damage to systems. Of course, cyberattacks involving the theft of data or deliberate damage to systems are criminal acts too, but it tends to be theft of cash that is labeled as “cyber crime.” Claims of this type are now in the majority, but there are a few particular cyber crime types driving this trend.
One major type of cyber crime on the rise is wire transfer fraud, also known as fraudulent transfer of funds, which was CFC’s single largest source of cyber claims last year, accounting for 30%. Wire transfer fraud can take many forms, but typically involves conning someone into parting with their funds through social engineering. For example, there has been a notable increase in fraudsters impersonating senior company executives over e-mail, imploring unwitting employees to send money externally; this so-called CEO fraud is a prime example of social engineering tactics at play.
Here’s how this situation played out for one of our policyholders: A financial controller at a marketing and media services firm received an e-mail from the CEO requesting that three payments be made to overseas accounts. Accustomed to these types of requests, the employee promptly made the payments totaling $80,000.
However, they discovered that the e-mail from the CEO was fraudulent. In fact, hackers had found a vulnerability in the company’s systems, which allowed them to access company data and e-mail accounts. This enabled them to write a convincing request straight from the CEO’s actual account. After quickly calling the bank, the controller was able to recall one payment of $15,000, but the other two had already been completed, and because the transactions had technically been authorized, no reimbursement was offered by the bank. The total loss came to $65,000 in lost funds.
These types of crimes are frighteningly easy to carry out and are only becoming more common. It is easy to see why this swift loss of cash is becoming a real issue for companies.
Ransomware risks increase
In the wake of last year’s high-profile WannaCry and NotPetya attacks, ransomware is also something that we’ve seen grow steadily. According to CFC’s own claims data, in 2016, ransomware accounted for a little over a tenth of cyber insurance claims. That number has now grown to over a quarter of our total claims volume today. Why the shift? Old-fashioned crime is risky and time-consuming. Ransomware is easier to carry out with virtually no risk of being caught at the crime scene.
Now that ransomware is an established method of attack, we are starting to see it evolve. For example, in-the-wild ransomware attacks — the so-called scatter-gun approach of dispersing ransomware and hoping that it infiltrates a large number of entities — are giving way to targeted extortion. This is when attackers set their sights on individual organizations based on what data assets they hold and then ask for higher ransoms.
Historically, ransomware demands have been for relatively small amounts, with an average sitting around $300. However, criminals are now increasingly targeting vulnerable companies and making demands of $50,000 or more to release their data. Attackers are also becoming more astute in seeking out backups and corrupting them as part of the attack, sometimes making it impossible to restore critical data.
It is also important to note that the cost of a ransomware attack rarely stops when the extortion demand is paid. Along with an increase in ransomware severity and frequency, we are also seeing a surge in the knock-on business interruption impact these events can have. This is leaving both balance sheets and reputations of businesses exposed.
Here’s an example of how these costs can quickly build up: A food trucking company suffered a ransomware attack where cyber criminals encrypted all of their data files and requested a ransom of $11,000 in exchange for the decryption key.
Like many modern companies, their entire business was run via their systems and hackers had encrypted every single piece of data that they required to run their operations — their routes, logistical information, key contacts, and how much stock they had and needed to order — as well as shutting down their payment card processing capabilities.
Even though business had come to a halt, the CEO refused to give in and pay the demand. Instead, the company immediately set about reconstituting data from a collection of paper records and their employees’ knowledge of day-to-day operations, resulting in a large amount of overtime costs right away. What was worse, however, was the loss of business income that resulted from the extended outage of their systems and the consequential impact on operations.
For one of their biggest revenue months, the insured had forecast that they would complete 220,000 sales transactions but, due to the system outage, they were only able to process around 140,000. With an average transaction value of more than $12, that was a loss in revenue of nearly $960,000.
Combined with the other costs, this final sum significantly eclipsed the original ransom demand and demonstrated how quickly the costs of these types of attacks can escalate, particularly for companies heavily reliant on computer systems to run their day-to-day operations.
Planning for the eventuality
How do modern companies tackle the rise in cybercrime and thwart the malicious actors with the lowest impact on their business?
The swift and considerable rise in ransomware attacks and other types of cybercrime means that companies need to have strong risk management techniques and an incident response plan in place now more than ever. This will no doubt differ across industries and business sizes, but one common thread exists between all organizations when figuring out a response plan: engaging with your cyber insurer as early as possible to lessen the impact of the attack.
We have seen criminals deploy targeted attacks to encrypt data from organizations knowing that these companies must pay in order to avoid significant business interruption. A good cyber insurer brings a level of experience to handling these types of situations that businesses do not often have in their toolbox.
On the other side, insurance providers need to adapt to the changing claims landscape and make sure that their claims teams are offering services relevant to the actual risks policyholders are facing. Because of long-standing privacy legislation, cyber coverage in the U.S. has always been dominated by privacy, so naturally cyber has for a long time been synonymous with privacy cover.
However, the surge in cybercrime claims means that insurers need to arm themselves not just with great privacy lawyers, but also with an experienced incident response team and a forensics and security partner network. Quick and coordinated responses to these now-common events are vital to save both the policyholder and the insurer from financial and reputational harm.
Technology has changed the face of crime as we know it, and the most powerful criminals have morphed from the gun-toting mob bosses to networks of hackers behind the screen. Although privacy-related risks are still very real, other types of cybercrime are gliding silently ahead. The rise in cybercrime — particularly fund transfer fraud and ransomware — means companies must be more diligent than ever when searching for a cyber insurance provider, and insurers must quickly adapt to ensure they are meeting modern businesses’ needs.
James Burns is the cyber product leader at CFC Underwriting, Ltd. and has nearly ten years’ experience in the London Market, the last five of which focused on cyber, building up expertise and insight in this dynamic area.