Nikki Johnson No Comments

Cyberespionage Explained

Cyberespionage is a type of cyberattack in which an unauthorized user (or multiple users) accesses a victim’s sensitive information in order to secure economic benefits, competitive advantages or political gain. Also known as cyber spying, cyberespionage primarily targets government entities, large corporations and other competitive organizations.

Cybercriminals may leverage cyberespionage in attempts to gather classified data, trade secrets or intellectual property (IP) from their victims. From there, cybercriminals may sell this information for profit, expose it to other parties, or use it in conjunction with military operations, potentially threatening their targets’ reputations and overall stability. Oftentimes, cyberespionage is deployed across international borders by nation-state attackers.

Over the past few years, cyberespionage has become a rising concern, especially in certain countries. In fact, the Canadian Security Intelligence Service (CSIS) found that in 2020, Canada faced the highest levels of foreign espionage and interference since the Cold War. The CSIS also stated that Canada has been facing national security threats from violent extremism, foreign interference, espionage and malicious cyber activity. Canadian companies in almost all sectors of the economy have been targeted.

With this in mind, it’s crucial for businesses to understand cyberespionage and know how to effectively mitigate such incidents. This article provides a detailed overview of cyberespionage, outlines real-world examples of these cyberattacks and offers key prevention measures that businesses can implement to safeguard their operations.

Cyberespionage Overview

Although cyberespionage often involves nation-state attackers, it’s not interchangeable with cyberwarfare. While cyberwarfare is conducted with the intention of noticeably disrupting a target’s operations or activities, the goal of cyberespionage is for the perpetrator to remain undetected by their victim for as long as possible, therefore permitting them to gather maximum information. Yet, the information collected from cyberespionage efforts could be used later amid acts of cyberwarfare.

When leveraging cyberespionage, perpetrators may attempt to access a wide range of data from their targets, including:

  • Research and development activities
  • Critical organizational projects or IP (e.g., product formulas and blueprints)
  • Financial information (e.g., investment opportunities, employee salaries and bonus structures)
  • Sensitive stakeholder details
  • Business plans (e.g., upcoming marketing, communications or sales initiatives)
  • Political strategies or military intelligence

Cybercriminals may engage in a variety of tactics to execute cyberespionage, such as:

  • Exploiting security vulnerabilities in websites or browsers a target frequently visits and infecting them with malware to compromise the victim’s technology (as well as any data stored on it)
  • Utilizing phishing scams (i.e., deceptive emails, texts or calls) to steal login credentials and gain unauthorized privileges within a target’s network
  • Posing as employees or contractors and physically going to a victim’s workplace to steal hard copies of data or infect devices with malware
  • Bribing actual employees or contractors to share a target’s sensitive information in exchange for payment
  • Infiltrating another party in a victim’s supply chain and using that party’s digital privileges to compromise the actual target’s network
  • Injecting different forms of malware (e.g., Trojans and worms) within updates from third-party software applications, thus hijacking a victim’s technology upon installation of these updates

In any case, cyberespionage can lead to serious consequences for impacted organizations. What’s worse, as cybercriminals’ tactics get more sophisticated, these incidents could become increasingly common.

Examples of Cyberespionage

Over the years, multiple large-scale cyberespionage events have occurred, including the following:

  • The Microsoft Internet Explorer incident—Between 2009 and 2010, Chinese cybercriminals took advantage of a security vulnerability in Microsoft Internet Explorer to execute cyberespionage against at least 20 international media and technology companies, including Google, Yahoo and Adobe. Google reported that the cybercriminals, later dubbed the “Aurora” attackers, stole intellectual property from the company and compromised many Gmail accounts.
  • The Sony Pictures Entertainment (SPE) incident—In 2014, a North Korean hacking group named the “Guardians of Peace” deployed cyberespionage against SPE during the months leading up to the entertainment company’s release of a film that depicted the assassination of the nation-state’s leader. The cybercriminals used malware to compromise SPE’s network and publicly expose a substantial amount of sensitive company data, such as personal details about employees, email exchanges between staff, information regarding executives’ salaries, copies of unreleased films and plans for future films. The incident significantly impacted the film’s release and garnered attention from the U.S. government.
  • The Zhenhua Data Information Technology incident—In 2020, global news sources revealed that Zhenhua Data Information Technology, which primarily serves China’s military and intelligence services, had been gathering sensitive data on 2.4 million individuals worldwide for several years. An estimated 20 per cent of this data was not publicly available and was likely accessed through cyberespionage.

Considering these incidents and their associated ramifications, it’s clear that businesses need to take action to properly protect themselves against cyberespionage.

Cyberespionage Prevention Measures

Businesses should consider implementing the following best practices to help safeguard their operations from cyberespionage:

  • Educate employees. Be sure employees receive training on cyberespionage and related prevention tactics. Specifically, employees should be instructed to never respond to messages from unknown senders, avoid interacting with suspicious links or attachments and refrain from sharing sensitive company information online. In addition, employees should be required to form complex and unique passwords for all workplace technology.
  • Protect critical data. Review and update existing cybersecurity policies to ensure they promote maximum data protection. Implement new policies as needed (e.g., a Bring-Your-Own-Device policy and data breach response policy). Further, encrypt and store all critical data in safe, secure locations.
  • Restrict access. Only permit employees to access technology and data they need to perform their job duties. Require employees to use multifactor authentication whenever possible.
  • Leverage sufficient software. Protect all workplace technology (and the data stored on it) with proper security software. This software may include endpoint detection tools, antivirus programs, firewalls, network monitoring services and patch management products. Review this software regularly for vulnerabilities and make adjustments when necessary.
  • Assess supply chain exposures. Assess whether suppliers have adequate measures in place to protect against network infiltration from cybercriminals. Consider including specific cybersecurity requirements in all supplier contracts and keeping the amount of sensitive information shared with these parties to a minimum.
  • Have a plan. Creating a cyber incident response plan can help ensure necessary protocols are in place when cyberattacks occur, thus keeping related damages to a minimum. This plan should be well-documented, practised regularly and address a range of cyberattack scenarios (including cyberespionage).
  • Purchase proper coverage. It’s critical to secure adequate insurance to help protect against losses that may arise from cyberespionage. It’s best to consult a trusted insurance professional to discuss specific coverage needs.

Conclusion

Ultimately, cyberespionage is a pressing concern that businesses need to take seriously—especially as nation-state cyberthreats continue to rise. By understanding cyberespionage and implementing adequate prevention techniques, businesses can effectively safeguard themselves against these incidents and minimize associated losses.

For more risk management guidance, contact Reith & Associates.

Dan Reith, Principal Broker

Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com
Dan Reith BA(Hons) CAIB

Cyber Security Tips for Business Travellers

Now that the world is generally taking a less restrictive approach to travel and business travel will be resuming at some level, cyber security is a very real threat that needs to be considered.

Organizations face heightened cybersecurity risks when their employees travel. Business travellers are prime targets for cybercriminals, as they often carry valuable data and may not always be careful about securing their devices. This article discusses key cybersecurity exposures for business travellers and outlines steps employers can take to mitigate these risks.

Cybersecurity Threats While Travelling

Business travellers’ laptops, smartphones and tablets are particularly susceptible to data breaches, loss and theft. Some common cyberthreats that business travellers may encounter include:

  • Unsecured Wi-Fi networks—While convenient, public Wi-Fi networks are unsecured and can give cybercriminals easier access to connected devices (as well as the data stored on them) than private Wi-Fi networks.
  • Publicly accessible computers—Business travellers sometimes find the need to use their login credentials to access accounts on public computers. However, public computers often lack sufficient security capabilities and may even be infected with malware.
  • Stolen or misplaced devices—Theft or loss of devices is a major threat to business travellers, as this can result in the exposure of important data. Devices could be lost or stolen in airports, hotel lobbies, conference rooms or rental cars. 

How Employers Can Mitigate Cybersecurity Risks

Neglecting cybersecurity when employees are on the road or abroad can be detrimental to a business. In fact, the latest Cost of a Data Breach Report from IBM and the Ponemon Institute found that a single data breach costs a business $4.24 million on average.

Here are some measures employers can implement to minimize cybersecurity risks for business travellers:

  • Establish Wi-Fi policies. Employers should have policies in place requiring employees to confirm the network name and precise login procedures with the appropriate staff before connecting to public Wi-Fi networks in airports or hotels. Sensitive activities, such as banking or confidential work-related projects, should not be conducted on public Wi-Fi networks. Auto-connect should also be disabled so devices don’t connect to Wi-Fi networks automatically.
  • Enforce Virtual Private Network (VPN) use. Via a VPN, all online traffic is routed through an encrypted virtual tunnel. Such a network can help reduce the risk of cyberattacks by establishing a secure connection between users and the internet. Employers should provide VPNs and require employees to use them whenever possible, especially during business travel.
  • Conduct physical security training for digital valuables. Most travellers let their guard down once they arrive at their destinations, but that can be one of the times they’re most susceptible to theft. Employers should encourage business travellers to never leave their devices unattended. Employees should also be instructed to utilize strong passwords or multifactor authentication capabilities (if possible) and lock devices in hotel safes upon leaving their rooms.
  • Encourage employees to pack minimal devices. Leaving unnecessary technology at home can help reduce the chance of theft or data loss. As such, employers should only permit employees to bring devices that are essential to completing their job duties on the road or abroad.
  • Require regular software updates. Cybercriminals typically look for security flaws in outdated software. Updates are sent out to patch any holes in the software and reduce the opportunity for cybercriminals to attack. Employees should be required to update software on all their devices regularly.
  • Establish response plans. Employers should have specific response plans that outline steps to take when devices containing confidential information are compromised, lost or stolen on the road or abroad.

Conclusion

Business travellers often carry sensitive personal- and work-related data on various devices, leaving them vulnerable to cyberattacks. However, taking the proper precautions while travelling can help them keep their devices and data secure.

For more risk management guidance beyond cyber, contact us today.

Dan Reith, Principal Broker


Cyber Crime: SMISHING Explained

Most businesses and individuals are familiar with phishing, a cyberattack technique that entails cybercriminals leveraging fraudulent emails to manipulate recipients into sharing sensitive information, clicking malicious links or opening harmful attachments. While these email-based scams remain a pressing concern, a new form of phishing—known as smishing—has emerged over the years, creating additional cyber exposures for organizations and individuals alike.

Smishing relies on the same tactics as phishing. The sole difference between these two cyberattack techniques is that smishing targets victims through text messages rather than emails. As a growing number of individuals utilize their smartphones for both personal and work-related purposes (e.g., interacting with colleagues and clients on mobile applications), smishing has become a rising threat. In fact, in 2021, the Canadian Anti-Fraud Centre totaled 4,451 reports of phishing and 1,323 reports of spear phishing, both of which can involve texting platforms.

With these numbers in mind, it’s evident that organizations need to address smishing exposures within their operations. The following article provides an overview of smishing and offers best practices for organizations to protect against this emerging cyberattack technique.

What Is Smishing?

Smishing follows the same format as phishing, using deceptive messages to manipulate recipients. These messages are generally sent via text but can also be delivered through mobile instant messaging applications (e.g., WhatsApp). In these messages, cybercriminals may implement a wide range of strategies to get their targets to share information or infect their devices with malware. Specifically, they will likely impersonate a trusted or reputable source and urge the recipient to respond with confidential details, download a harmful application or click a malicious link. Here are some examples of common smishing messages:

  • A message claiming to be from a financial institution, saying the recipient’s bank account is locked or experiencing suspicious activity and asking them to click a harmful link to remedy the issue
  • A message impersonating a well-known retailer (e.g., Amazon, Costco or Walmart), encouraging the recipient to download a malware-ridden application to receive a gift card or similar prize
  • A message claiming to be from an attorney or law enforcement, saying the recipient is facing legal trouble or criminal charges and urging them to call an unknown number for more information
  • A message impersonating the government, asking the recipient to click a suspicious link for details on their taxes or participation in a federal loan program
  • A message claiming to be a research organization, requesting the recipient download a malicious application to complete an informational survey
  • A message impersonating a delivery service, informing the recipient that they are receiving a package and providing them with a fraudulent link for tracking the item

If a recipient is tricked into doing what a smishing message asks, they could end up unknowingly downloading malware or exposing sensitive information, such as login credentials, debit and credit card numbers or Social Insurance Numbers. From there, cybercriminals may use the information they obtained from smishing for several reasons, such as hacking accounts, opening new accounts, stealing money or retrieving additional data. Since individuals may use their smartphones for work-related tasks, smishing has the potential to impact businesses as well. For example, an individual who falls for a smishing scam could inadvertently give a cybercriminal access to their workplace credentials, allowing the criminal to collect confidential data from the victim’s employer and even steal business funds.

The nature of smishing has made this cyberattack technique a significant threat. This is because individuals are typically not as careful when communicating on their smartphones compared to their computers, often engaging in multiple text conversations at a time (sometimes while distracted or in a rush). Due to the large number of texts sent and received daily, individuals may be less wary or observant of a message from an unknown number than an email, making them more likely to interact with a malicious text message.

Furthermore, many individuals falsely assume that their smartphones possess more advanced security features than computers, thus protecting them from harmful messages. However, smartphone security has its limits. Currently, these devices are unable to directly safeguard individuals from smishing attempts, leaving all smartphone users vulnerable. That’s why it’s important for businesses to take steps to protect against smishing.

How to Protect Against Smishing

To effectively minimize smishing exposures and prevent related cyberattacks, businesses should:

  • Conduct employee training. First, businesses should educate employees on what smishing is and how it could affect them. Additionally, employees should be required to participate in routine training regarding smishing detection and prevention. This training should instruct employees to:
      • Watch for signs of smishing within their text messages (e.g., lack of personalization, generic phrasing and urgent requests)
      • Refrain from interacting with or responding to messages from unknown numbers or suspicious senders
      • Avoid clicking links or downloading applications provided within messages
      • Never share sensitive information via text
      • Utilize trusted contact methods (e.g., calling a company’s official phone number) to verify the validity of any request sent over text
      • Report any suspicious messages to the appropriate parties, such as a supervisor or the IT department
  • Ensure adequate bring-your-own-device (BYOD) procedures. Apart from providing smishing training, businesses should establish solid BYOD procedures to ensure employees act accordingly when utilizing their personal smartphones for work-related purposes. Such procedures may include using a private Wi-Fi network, implementing multifactor authentication capabilities, conducting routine device updates and logging out of work accounts after each use. These procedures can help deter smishing attempts and decrease the damages that may ensue from smishing incidents.
  • Implement access controls. Another method for limiting smishing exposures is the use of access controls. By only allowing employees access to information they need to complete their job duties, businesses can reduce the risk of cybercriminals compromising excess data or securing unsolicited funds amid smishing incidents. To further protect their information, businesses should consider leveraging encryption services and establishing secure locations for backing up critical data.
  • Utilize proper security software. Businesses should also make sure company-owned smartphones are equipped with adequate security software. In some cases, this software can halt cybercriminals in their tracks, stopping smishing messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. In particular, smartphones should possess antivirus programs, spam-detection systems and message-blocking tools. Security software should be updated as needed to ensure effectiveness.
  • Purchase sufficient coverage. Finally, it’s vital for businesses to secure proper cyber insurance to protect against potential losses stemming from smishing incidents. Businesses should reach out to their trusted insurance professionals to discuss specific coverage needs.
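As an added illustration (not code from the original article), the following Python script scores text messages against the smishing signs listed under employee training above: urgency, generic phrasing with no personalization, embedded links or app downloads, requests for sensitive data, impersonation of a trusted brand, and an unknown sender. The sample messages, phone numbers, keyword lists, point values and the threshold of 3 are all constructed for this illustration and are meant as a teaching aid for awareness sessions, not a production filter.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the article's smishing training list.  The keyword
# lists, brand names and point values are constructed for this illustration.
URGENCY = re.compile(
    r"\b(immediately|urgent(ly)?|within 24 hours|locked|suspended|final notice|act now)\b",
    re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear (customer|user|member)|hello|hi there)\b", re.I)
LINK = re.compile(r"(https?://\S+|www\.\S+|\b[a-z0-9-]+\.[a-z]{2,}/\S*)", re.I)
SENSITIVE = re.compile(
    r"\b(password|pin|social insurance|card number|cvv|verify your (account|identity))\b",
    re.I)
APP_DOWNLOAD = re.compile(r"\b(download|install)\b[^.]*\b(app|application)\b", re.I)
# Brands the article names as commonly impersonated, plus the generic "bank".
IMPERSONATED = re.compile(r"\b(bank|amazon|costco|walmart|canada post|revenue agency)\b", re.I)


@dataclass
class Sms:
    sender: str   # phone number as displayed on the device
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)

    @property
    def suspicious(self):
        return self.score >= 3   # threshold chosen for this illustration


def triage(msg, recipient_first_name, known_senders):
    """Score one text message against the article's smishing indicators."""
    v = Verdict()
    body = msg.body
    unknown = msg.sender not in known_senders
    if unknown:
        v.add(1, "sender is not a known contact")
    if URGENCY.search(body):
        v.add(1, "urgent or threatening wording")
    link = LINK.search(body)
    if link:
        v.add(2, f"contains a link: {link.group(0)}")
    if APP_DOWNLOAD.search(body):
        v.add(2, "asks to download or install an application")
    if SENSITIVE.search(body):
        v.add(2, "requests credentials or identity data")
    if GENERIC_GREETING.match(body) or recipient_first_name.lower() not in body.lower():
        v.add(1, "not personalized to the recipient")
    brand = IMPERSONATED.search(body)
    if brand and unknown:
        v.add(1, f"claims to be {brand.group(0)} but comes from an unverified number")
    return v


# Constructed sample traffic for a recipient named Alex; the numbers are placeholders.
KNOWN_SENDERS = {"+1-555-0102"}
SAMPLES = [
    Sms("+1-555-0100", "Dear customer, your bank account has been locked due to "
        "suspicious activity. Verify your account now: http://bank-secure-verify.example/login"),
    Sms("+1-555-0102", "Hi Alex, it's Jordan from the office. Running late for the 2pm, "
        "start without me."),
    Sms("+1-555-0104", "Canada Post: your package is waiting. Confirm the delivery fee at "
        "canadapost-track.example/p"),
    Sms("+1-555-0106", "Congratulations! You were chosen for a $500 Costco gift card. "
        "Download the app to claim it: www.costco-rewards.example/claim"),
]


def run_samples():
    """Triage every constructed sample; returns the list of verdicts in order."""
    return [triage(s, "Alex", KNOWN_SENDERS) for s in SAMPLES]


if __name__ == "__main__":
    for sms, verdict in zip(SAMPLES, run_samples()):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag:>10}] score={verdict.score} from {sms.sender}")
        for why in verdict.reasons:
            print(f"             - {why}")
```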

Conclusion

In summary, smishing is a serious cyber threat that both individuals and businesses can’t afford to ignore. By staying aware of smishing tactics and implementing solid mitigation measures, businesses can successfully protect against this rising cyberattack technique, deterring cybercriminals and minimizing associated losses.

For more risk management guidance, contact us today.

Dan Reith, Principal Broker


Penetration Testing & Minimizing Cyber Attacks

Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others.

Penetration testing is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that an aggrieved employee could potentially inflict through a cyberattack. 

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.

Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses—as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight to your employees the value of having effective prevention measures in place, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      • What is my organization looking to gain or better understand from penetration testing?
      • Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      • What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      • The general testing timeframe
      • Who will be made aware of the test
      • The test type and format
      • Which regulatory requirements (if any) must be satisfied through the test
      • The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

For more risk management guidance and insurance solutions, contact us today.

Dan Reith, Principal Broker


DATA BREACH: A Concern for Directors & Officers of ANY Entity

A data breach can be a devastating event, affecting a company or not-for-profit financially and damaging its reputation. As a director or officer, you face litigation risks based on the decisions made following a breach and on how you influenced cyber security policies, as these are often considered board-level issues. This is true for directors and officers of small/medium incorporated enterprises (where the directors, officers and owners/shareholders are typically the same people) and for volunteer directors and officers of not-for-profit groups as well.

If a suit is filed against you after a data breach occurs, based on your position as a board member, you will not be protected by your commercial general liability policy or your cyber liability policy. Your best source of protection is your directors and officers (D&O) policy, as long as your policy is tailored to include protection after a data breach. Sadly, the majority of privately owned small/medium businesses in Canada do NOT make D&O cover part of their insurance program, either due to naïve skepticism or concern over additional cost.

DATA BREACH THREATS

The biggest threat from a data breach is loss of information, whether it is information regarding your company’s finances or the personal identification information of your employees and customers, such as Social Insurance Numbers, banking and/or credit card information.

Losing sensitive information belonging to your employees/customers or company can have a devastating effect on your reputation. If the credit card information of your customers is stolen, your customers would need to cancel their cards and get new ones—an inconvenient process and one that can damage your company’s image in the eyes of customers.

DATA BREACH RESPONSE

Following a data breach, you may be legally required to notify certain people about it. For example, if your company is publicly traded, guidelines say you must report cyber security incidents to stockholders. The cost of notification after a breach is generally covered by a cyber liability policy, and, depending on the number of people you need to notify, the cost can be quite high.

Notification should be taken very seriously, as the way a company responds to a data breach can lead to exposure and legal action beyond lawsuits from customers—the company could be subject to regulatory action.

DATA BREACHES AND D&O COVERAGE

Insufficient cyber security that leaves your company vulnerable to a data breach can be seen by your customers or shareholders as negligence or a breach of duty. Your customers and shareholders may seek to hold you responsible for the damage, as the board is responsible for making decisions on behalf of the company. Because of this, you need protection in the form of a D&O policy.

In past legal cases following a data breach, directors and officers have been accused of:

  • Failing to take reasonable steps to protect customers’ personal and financial information
  • Failing to implement controls to detect and prevent a data breach
  • Failing to report a breach in a timely manner

A cyber liability policy would not offer the legal protection needed by directors and officers after a data breach, whereas a D&O policy can.

A D&O policy provides coverage for a “wrongful act,” such as an actual or alleged error, omission, misleading statement, act of neglect or breach of duty.

CYBER SECURITY IS VITAL

A company’s directors and officers are expected to be involved in and knowledgeable about the company’s cyber security. It’s rapidly becoming a vital aspect of responsible business management and customer service.

The following are some techniques to improve the cyber security of your company:

  • Install a firewall—Companies with five or more computers should consider buying a network firewall to protect the network from being hacked.
  • Install security software—Anti-virus, anti-malware and anti-spyware should be installed on every computer in the network. All software should be up-to-date.
  • Encrypt data—All data, whether stored on a tablet, flash drive or laptop, should be encrypted.
  • Use a virtual private network (VPN)—A VPN allows employees to connect to the company’s network remotely without the need for a remote-access server. VPNs encrypt and authenticate each remote connection, protecting the traffic between remote employees and your network.
  • Develop a data breach plan—Have a plan in place so when, not if, you experience a data breach, you can act quickly and minimize your loss.

DATA BREACH RISKS WITHOUT D&O INSURANCE

After a data breach, claims from shareholders and customers will most likely be made. Since you can be held personally responsible for the acts of the company as a board member, your plans and decisions need to be protected.

Without D&O coverage, your personal assets are at stake and could be forfeited to cover legal costs. You can protect yourself with a D&O insurance policy. Talk to your insurer about this type of coverage and be sure your policy is tailored to cover any gaps. Note that not all D&O policies are the same. It is important to look at the policy coverage and not the price when making a choice. D&O is also a specialized form of insurance, and not all insurance providers are well versed in the coverage and the nuances of policy wordings. It is important that you select an insurance provider that is educated and knowledgeable about D&O and is able to provide choice, not just a one-size-fits-all policy. Selecting the wrong provider and the wrong policy, one that fails to respond to the breach, is also something regulators, shareholders, customers and employees could sue you for.

Dan Reith, Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/
Dan Reith BA(Hons) CAIB


Social Engineering & Fraud Insurance Coverage

Social Engineering Fraud

Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the hacker. Once the criminals obtain what they want, they disappear with the information or money—things that the company won’t miss until it’s too late.
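As an added example that is not part of the original post, the following Python screen flags an inbound payment request that carries the indicators listed above: a sender domain imitating a known vendor, a request for funds or banking details, and pressure language. The vendor domains, phrase lists, similarity threshold and sample messages are all constructed assumptions.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed vendor domains the finance team has on file (assumption).
KNOWN_DOMAINS = {"northwind-supply.example", "contoso.example"}
# Phrases matching the pressure and request elements described in the post.
PRESSURE_PHRASES = ("urgent", "immediately", "today", "confidential",
                    "do not discuss", "keep this between us")
REQUEST_PHRASES = ("wire transfer", "new bank account", "updated banking details",
                   "routing number", "list of vendors")

@dataclass
class Screening:
    sender_domain: str
    lookalike_of: Optional[str]
    pressure_hits: List[str] = field(default_factory=list)
    request_hits: List[str] = field(default_factory=list)

    @property
    def hold_for_callback(self) -> bool:
        # A lookalike sender, or a funds/data request under pressure, is verified
        # out of band (a phone call to a known number) before anyone acts on it.
        return self.lookalike_of is not None or (
            bool(self.request_hits) and bool(self.pressure_hits))

def lookalike_domain(domain: str) -> Optional[str]:
    """Return the known domain this sender imitates, or None for an exact known
    domain or an unrelated one. The 0.85 similarity threshold is an assumption."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None

def screen_request(sender: str, body: str) -> Screening:
    domain = sender.rsplit("@", 1)[-1].lower()
    text = body.lower()
    return Screening(domain, lookalike_domain(domain),
                     [p for p in PRESSURE_PHRASES if p in text],
                     [r for r in REQUEST_PHRASES if r in text])

# Constructed samples: the fraudulent domain swaps the "l" for a capital "I".
FRAUD_SAMPLE = ("ap@northwind-suppIy.example",
                "Please wire transfer the invoice balance today to our new bank "
                "account. This is confidential until the acquisition closes.")
BENIGN_SAMPLE = ("ap@northwind-supply.example",
                 "Attached is the May invoice; terms are net 30 as usual.")
```

A screen like this is an aid to the out-of-band callback the post's "in-house safeguards" depend on, not a replacement for it.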

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover such losses:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the theft of money due to a “computer violation”—that is, the unauthorized entry into, or deletion of data from, a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. It depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow. To learn more about SEF, we have resources available for you. Ask about our “Risk Insights: The Fake President Fraud.”

To discuss your coverage options and learn what options are available to you, contact your insurance provider today!

Dan Reith, Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/