Cyber Insurance – Back in the Headlines
As the cost of cyber crime rises and more organisations find themselves targeted, many are turning to cyber insurance to limit the financial damage. It is estimated that between 15 and 20 per cent of small businesses are now covered by cyber insurance, and up to 70 per cent of larger ASX-listed firms.
However, cyber insurers often struggle to price cyber risk accurately because they lack long-term loss data. In Australia, cyber insurance premiums have risen by between 50 and 150 per cent over the past 12 months, after a proliferation of ransomware attacks caused losses to multiply.
To limit their liability, many insurers have introduced limits on payouts and created eligibility criteria to ensure policyholders have basic defences in place, such as multi-factor authentication, data backups and staff training.
Many organisations also take up cyber insurance without a full understanding of what it actually covers, and only find out when a cyber attack occurs.
In many cases, cyber insurance will cover losses from Business Email Compromise (BEC), but cover is often limited to the losses incurred by the policyholder itself, rather than by its customers or counterparties.
So, for example, if a vendor's email system is compromised and a false invoice is sent from it to one of the vendor's customers, and the customer loses funds by paying that invoice, the vendor's cyber insurance may not cover the customer's loss.
Businesses must read the fine print of their cyber insurance policies to understand what is not fully covered, particularly in scenarios where liability is not clear-cut.
With so much uncertainty around cyber risk, all organisations must prioritise prevention as the most effective way to limit substantial financial and reputational harm.
Internal Invoice Fraud
Processing invoices for goods your organisation has purchased is relatively straightforward: delivery of the goods can be physically verified before payment is made.
Paying for services is trickier. It is much harder to verify that a service has in fact been rendered, which opens opportunities for malicious insiders to submit or approve false invoices.
A California hospital has initiated legal action against a former maintenance worker over false invoices for a range of services. Palmdale Regional Medical Centre is accusing former employee Scott Finstein of fraud and breach of the duty of loyalty, among other claims.
From 2008 to 2019, Finstein was director of plant operations at Palmdale. His responsibilities included coordinating and overseeing construction and maintenance work performed by outside contractors. It is alleged that he approved invoices for payments exceeding $660,000 to vendors who had not performed the services listed on the invoices.
The case is a reminder of the need for robust controls over invoices for services rendered, in particular separating the person who engages and supervises a contractor from the person who approves payment, and requiring independent confirmation that the work was done.
BEC Leads to Data Breach
Business Email Compromise (BEC) is one of the main tactics cyber criminals use to steal funds. It is also emerging that attackers are using BEC as a vehicle to gain access to an organisation's critical data.
Monongalia Health System Inc. runs three hospitals in the United States. It was recently struck by a BEC attack in which unauthorised individuals gained access to a contractor's email account and sent emails from that account to obtain funds through fraudulent wire transfers.
In addition to the payment redirection, the attackers had access to personally identifiable information contained in the mailbox. The exposed details included health plan information and claims, addresses, dates of birth, patient account numbers, medical record numbers, dates of service, provider names and other medical information.
With health data among the most valuable on the dark web, it is not surprising that cyber criminals are motivated to steal such information in addition to running payment redirection scams.
This incident is another reminder that finance executives need to coordinate closely with their organisation's cyber security and IT teams. Working together to strengthen email security and payment controls is essential to reduce the risk of a BEC attack, which can result in substantial financial loss as well as a data breach.
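As an added example (not from the article or from either organisation mentioned), the following Python check is the kind of control finance and IT could run together over inbound invoice emails before payment is released. It flags a sender domain that only imitates an approved vendor's domain, and bank details that differ from the vendor master. It also covers the scenario from the insurance section above, where the vendor's real mailbox is compromised: the sender domain is then genuine and only the change in payment details is detectable. The vendor records, domains and invoices below are constructed samples.

```python
# Added example, not code from the original article. Vendor master, domains
# and invoices are constructed samples for illustration.
from dataclasses import dataclass, field

# Constructed vendor master: bank details on file for each approved vendor,
# keyed by the vendor's known email domain.
VENDOR_MASTER = {
    "northwind-plumbing.com.au": {"bsb": "062-000", "account": "12345678"},
    "acme-legal.com.au": {"bsb": "082-123", "account": "98765432"},
}

# Character substitutions attackers commonly use to build lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


@dataclass
class Invoice:
    sender: str           # From: address on the invoice email
    bsb: str              # bank details printed on the invoice
    account: str
    findings: list = field(default_factory=list)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold confusable characters so n0rthwind and northwind compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def match_vendor(domain):
    """Return (vendor_domain, exact). exact=False means the domain only
    imitates a known vendor; (None, False) means no vendor matches at all."""
    if domain in VENDOR_MASTER:
        return domain, True
    for vendor in VENDOR_MASTER:
        if normalise(domain) == normalise(vendor) or edit_distance(domain, vendor) <= 2:
            return vendor, False
    return None, False


def check_invoice(inv):
    """Append findings to the invoice and return them. An empty list means
    the sender domain is on file and the bank details match the master."""
    domain = inv.sender.rsplit("@", 1)[-1].lower()
    vendor, exact = match_vendor(domain)
    if vendor is None:
        inv.findings.append("UNKNOWN_VENDOR")
        return inv.findings
    if not exact:
        inv.findings.append(f"LOOKALIKE_DOMAIN:{domain}->{vendor}")
    on_file = VENDOR_MASTER[vendor]
    if (inv.bsb, inv.account) != (on_file["bsb"], on_file["account"]):
        # Fires even when the sender is the vendor's real (compromised)
        # mailbox, which is the only signal available in that case.
        inv.findings.append("PAYMENT_DETAILS_CHANGED")
    return inv.findings


# Constructed sample invoices: clean, compromised real mailbox, lookalike
# domain with new bank details, lookalike domain only, and unknown vendor.
SAMPLE_INVOICES = [
    Invoice("accounts@northwind-plumbing.com.au", "062-000", "12345678"),
    Invoice("accounts@northwind-plumbing.com.au", "013-999", "55555555"),
    Invoice("accounts@n0rthwind-plumbing.com.au", "013-999", "55555555"),
    Invoice("billing@acmelegal.com.au", "082-123", "98765432"),
    Invoice("invoices@example.org", "000-000", "1"),
]


def run_checks(invoices=SAMPLE_INVOICES):
    """Return {sender: findings} for a batch of invoices."""
    return {inv.sender: check_invoice(inv) for inv in invoices}


if __name__ == "__main__":
    for sender, findings in run_checks().items():
        print(f"{sender}: {'OK' if not findings else ', '.join(findings)}")
```

Any invoice with findings should be held for out-of-band confirmation with the vendor on a phone number already on file, not one taken from the invoice. The thresholds (two character edits, the confusable table) are deliberately simple; in production they would be tuned against the organisation's own vendor list to keep false positives manageable.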
Sydney Woman Charged Over Role in $1m BEC Scam
Catching the perpetrators of Business Email Compromise (BEC) scams is notoriously difficult. All too often the proceeds pass through the bank accounts of multiple money mules before being converted into cryptocurrency or transferred offshore.
In a rare piece of good news, NSW Police have charged a Sydney woman over her alleged role in a $1 million BEC scam.
Last year, an ACT woman deposited more than $1 million into a fraudulent bank account when settling on a property she had purchased. Cybercrime Squad investigators found that the payment details had come from an email sent from a compromised email account belonging to the woman's lawyer.
Cybercrime Squad Commander, Detective Superintendent Matthew Craft, said people must remain vigilant when conducting transactions online.
“Get in the habit of checking the email address, URL, and spelling used in all correspondence and heavily scrutinise all transactions that you make online,” Det Supt Craft said.
“BEC scams aren’t easy to detect because the invoices for clients and contractors often use the desired recipient’s branding but contain altered banking details.
“To avoid being scammed, people should use two-step verification methods where appropriate, and regularly update and maintain strong passwords,” Det Supt Craft said.