Courts: Banks $2 Million in Losses from a BEC Attack Aren’t Covered by Cyberinsurance

iStock-1169010697Using emails impersonating the wife of a senior executive at Crown Bank, cybercriminals were able to take the bank for $2 million – an amount the courts held the bank responsible for.
When you have a cyberinsurance policy that specifically covers “computer crime”, it’s somewhat assumed that a cybercrime will be covered. But Crown Bank got the bad news this week, when New Jersey federal district court handed down an unfavorable ruling in a lawsuit against the bank’s insurance company. 
The BEC scam was simple – the bad guys pretended to be an executive’s wife, requesting funds be transferred to a bad guy-controlled account. The banks policy was to a) have the requestor fill out and return a form and b) make a phone call to the requestor to verify the request.
The bank took the first step – at which time the bad guys forged the account holder’s signature. The reason the scam worked here was the bank didn’t place the verification phone call.
We’ve talked about this very same scenario many times here on the blog – it’s absolutely critical that anytime financial transactions are being ordered via email, the employee responsible should verify the request using an alternate medium (e.g., a phone call), using predefined details. This keeps the bad guys from further pretending to be the requestor, given that deepfake audio is now not only possible, but being used as part of cyberattacks.
But that’s not the reason the lawsuit was thrown out.
In the end, the courts found for the insurance company, citing that emailed and printed PDF forms don’t constitute original wire transfer documents – a requirement within the policy. It’s a painful lesson that any organization with a cyberinsurance policy should learn: understand the constraints and conditions your policy contains and be certain your financial processes align with the contractual definitions.

Get Your Customized Automated Security Awareness Program, ASAP!

Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization.

We’ve taken away all the guesswork with our Automated Security Awareness Program (ASAP).

ASAP is a revolutionary tool for IT professionals, which allows you to create a customized Security Awareness Program for your organization that will show you all the steps needed to create a fully mature training program in just a few minutes!

asap-monitor-1Here's how it works:

  • Answer seven questions about your organization’s goals, compliance needs, and culture
  • ASAP recommends suggested training content based on your answers
  • See a detailed calendar with a customized task lisk to get your program started
  • Easily export detailed and executive summary PDF versions of your program
  • Get a fully mature awareness program ready in 5 minutes

Get Started Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews