There are, famously, four things you can do with a risk: avoid it, accept it, mitigate it, or transfer it. You transfer risk by buying insurance against it.
Cyber risk is no different, and organizations now routinely seek to indemnify themselves against losses from cyber attack. It’s important, however, to read the policy closely and understand exactly which kinds of loss it covers, and at what limits.
A recent court case in Minnesota went the insurer’s way: the court dismissed the suit brought by the business that had purchased the cyber insurance policy.
“A Minnesota computer store suing its crime insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses,” the Register reports. The insurance company, whose motion to dismiss was successful, pointed out that the policy the plaintiff had purchased clearly distinguished “between computer fraud and social engineering fraud.”
The business, SJ Computers, filed its claim under the policy’s social engineering fraud clause, for which coverage was capped at $100,000. When it realized that it could recover some ten times that amount under the computer fraud coverage, the company sought to convince its carrier, Travelers, that the losses were in fact due to computer fraud.
But the court wasn’t buying it, especially since the case was a textbook example of business email compromise (BEC). The Register explains:
“SJ Computers' case is a fairly cut-and-dried instance of BEC, which involves an attacker gaining access to a legitimate email account they use to trick a business into transferring funds or sending sensitive data to attacker-controlled accounts.
“In SJ's instance, an attacker sent fake invoices to SJ's purchasing manager, then gained access to the purchasing manager's email account in a method not specified in the lawsuit or dismissal order.
“Once inside, the attacker sent the purchase agreements to SJ's CEO, who typically signs off on such orders, court documents said. Because the fraudulent invoices included a change of bank account information, the CEO called the vendor for confirmation, but got no response before the deadline listed on the invoice.”
Two practical lessons follow. First, on the insurance side: sublimits matter as much as the headline coverage amount, so check how the policy defines “computer fraud” versus “social engineering fraud,” which sublimit applies to each, and which category a BEC-driven wire transfer would fall under, before the loss occurs rather than after. Second, on the prevention side: the fraud here succeeded at exactly the moment the control existed to stop it. The CEO noticed the change of bank account details and tried to verify it with the vendor, but treated a lack of response before the invoice deadline as reason to proceed. A change in payment details should be confirmed through an out-of-band channel the business already has on file (not a number or address taken from the invoice itself), and no response means hold the payment, whatever the deadline says. Attackers add deadlines precisely to short-circuit that check. It’s far better not to suffer the loss in the first place. Before you decide simply to transfer risk, think about ways to reduce it. New school security awareness training can help your employees recognize and resist social engineering of this kind.
The Register has the story.