Business email compromise (BEC) has overtaken ransomware and data breach by hackers as the main driver of AIG EMEA cyber claims, according to the latest cyber claims statistics. Nearly a quarter of reported incidents in 2018 were due to business email compromise (BEC), up significantly from 11% in 2017. Ransomware, data breach by hackers and data breach due to employee negligence were the other main breach types in 2018.
BEC has entered the report this year under a new category given the high number of BEC-related claims received by AIG over the past 12 months.
In most cases the compromise can be traced back to a phishing email containing a link or attachment. If the recipient engages with the content of a phishing email it may allow intrusion into the user’s inbox. The majority of users are familiar with the concept of phishing emails but there remains a high number of incidents where the user follows a link directing the recipient to a bogus login screen. As soon as the victim enters their credentials, they are captured by the cyber-criminal who then has the necessary information to login to the victim’s email account.
The perpetrator is then able to send and receive emails from the victim’s email address and access all the information in the victim’s email inbox. In many cases the BEC is exacerbated by malware that spreads the scam to contacts in the recipient’s inbox. A relatively simple type of scam, BEC attackers often target individuals responsible for sending payments, using spoof accounts to impersonate the company C-suite or a supplier and requesting money transfers, tax records and/or other sensitive data.
In March 2019, AIG carried out an analysis of more than 1,100 EMEA claims notified under its cyber policies between 2013 and December 2018. The results of this analysis show general insights into this area only. It should be noted that other industries and sectors not highlighted in this report may also experience frequent and severe claims. In 2018, the number of claims notified under AIG’s cyber policies were broadly commensurate with AIG’s premium growth for this product.
For covered BEC and impersonation fraud claims the cyber policy provides for the cost of an IT forensic investigation to determine whether the insured’s system was compromised and identify the compromised data. The policy also covers legal advice on reporting and notification obligations to data subjects and regulators though insurance cover for financial loss due to criminal activity is often restricted.
“These incidents are becoming more expensive to investigate,” notes Mark Camillo, head of cyber for EMEA at AIG. “When a malicious actor gains access to the mailbox you have to do a deep dive, understand what information they may have gained access to and whether it has triggered any GDPR requirements.”
Other attacks focus on the content of the recipient’s inbox, harvesting client and employee information, including personal data. They may also target confidential corporate information, including trade secrets, but most are motivated by monetary gain.
"Ultimately what’s behind a lot of these compromises is organised crime,” says Jonathan Ball, partner at Norton Rose Fulbright. “They’re not interested in stealing personal data and selling it on the dark web. It’s pure financial fraud.”
BEC attacks are often successful because they use social engineering to create emails that appear legitimate. Even larger organisations may fall for the scams, explains Jose Martinez, vice president of financial lines major loss claims, EMEA, AIG, suggesting more investment is needed to train staff to better identify rogue messages. “We’re still seeing a surprisingly high level of these forms of fraud being perpetrated and some are affecting quite large and sophisticated clients. You may think that every CFO at a large company would know about this by now, but it’s still happening.”
Human errors and behavior continue to be a significant driver of cyber claims. Despite encouragement by many organisations, employees often use weak passwords or the same passwords across multiple applications, for instance. n this year’s claims statistics, claims notifications for employee negligence doubled from seven percent to 14%. Losses are driven by staff sending out emails containing company data to the wrong individuals or losing laptops and other devices. And under GDPR there has been an increase in notifications for such incidents.
"We’re seeing issues such as where attachments to emails are not properly checked before they are sent, and, inadvertently, the sender of what he or she believes is a single confidential personal data record being sent to the relevant data subject, ends up sending out a much larger collection of confidential personal data records of other data subjects,” says Jonathan Ball.
Ransomware, the leading breach type in 2017 when it was responsible for 26% of notifications, has become marginally less prevalent, causing 18% of cyber claims notifications in 2018. However, as predicted in last year’s report, there are a number of instances that show ransomware and extortion type attacks are becoming more targeted, with the attack on Norsk Hydro one of the more high-profile examples.
The Norwegian aluminium smelting giant fell victim to a difficult- to-detect strain of ransomware known as “LockerGoga”, through which cyber-criminals gained access to the company’s networks in a targeted attack. The company was forced to halt production at a number of plants across Europe and the US and was forced to switch to manual operations as it attempted to contain the issue, causing widespread business interruption (BI) losses.
The decision whether or not to pay a ransomware or extortion demand continues to be influenced by how well an organisation has backed up its data, and the potential business interruption that may ensue. “The impact of ransomware can be very much mitigated if there is good practice with backups,” says Avery. “But time and time again we see there are poor procedures.”
Meanwhile, the ransom requests have increased in size. While the initial amounts demanded by WannaCry ransomware attackers were between $300 to $600, in 2018 there have been cases where cyber-criminals have requested tens of thousands to millions of dollars. Meanwhile, the disruption and BI costs associated with such attacks have risen. And in an era of GDPR, there is also the need to establish whether sensitive data has been compromised.
There has been a pronounced “GDPR effect” on the overall claims frequency in 2018, with a spike in notifications following implementation of the EU General Data Protection Regulation in May 2018. The provisions of the new rules, including strict breach notification guidelines, is resulting in timely notifications from clients.
Breaking down AIG’s cyber claims statistics by region, it shows there have been significant increases in notifications coming from Belgium, the Netherlands, Germany, France and Ireland over the past 12 months while claims from Sweden and Greece have also grown.
The long-term trend of increasing claims frequency has continued in 2018 as it did over the previous five years, reflecting both the growth and maturity of AIG’s cyber book of business as well as the increasing sophistication of buyers and knowledge of the scope of the product. As cyber becomes a growing exposure for many organisations, based on our claims experience, anticipated losses will continue to grow in both frequency and severity across different industries.
“What our claims numbers clearly show is that more people are buying the coverage and the product is responding to our clients’ needs” Camillo says. “It includes flexible coverage and it is very easy to notify us about an event through the hotline. Clients are showing a preference for affirmative cyber cover, which will indemnify them against a wide range of covered losses, including privacy events, cyber extortion and network business interruption including outsourced service providers and system failure.”