The recently released 2019 Verizon Data Breach Investigations Report and 2018 FBI Internet Crime Complaint Center Report highlight an expanding cyber threat landscape. The reports confirm the increasing risk of Business Email Compromise (BEC)/Email Account Compromise (EAC) and the significant losses caused by social engineering that leads to fraudulent payments. BEC/EAC events in 2018 resulted in $1.3 billion in reported losses. These incidents involve either a malware attack on a business entity's computer, leading to a loss of credentials, or social engineering tactics that trick parties into divulging email credentials. The Verizon report indicates that 52% of breaches featured hacking, 38% included social attacks, and 28% involved malware. Obviously these percentages add up to more than 100, but a social attack can precede hacking or the installation of malware, and vice versa, so one breach may be counted in more than one category.
Even though wire and ACH fraud triggered by social engineering or BEC/EAC is widely publicized, we continue to see incidents where small businesses are defrauded through the use of stolen credentials. Financial institutions cannot ensure that customers install up-to-date defenses, but security awareness should be a constant focus in dealing with bank customers, especially those who originate wire transfers, such as title companies and law firms, as well as customers who typically pay vendors by wire transfer. Simple procedures can stop a significant amount of such fraud. For instance, it should be a red flag if a vendor who has never requested payment by wire transfer suddenly pressures a customer to pay an invoice that way. Such requests should be confirmed by a phone call to a known contact. Most financial institutions now require a phone call to confirm any change in wire instructions. However, some sophisticated fraudsters may be able to forward such calls, so the call must go to a contact the business already knows, not to a number supplied with the request.
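The screening procedure described above can be written down as a small pre-payment check. The following Python is an added illustration and is not code from the original article: it flags a first-ever wire request from a vendor, a change in bank details relative to the record on file, urgency pressure, and a callback number that differs from the contact already known, and it always returns the number on file as the one to call. The vendor-master fields, vendor names and phone numbers are constructed sample data.

```python
"""
Pre-payment screening for BEC-style wire requests (added example).

Implements the controls the article describes: treat a first-time wire
request or changed payment instructions as a red flag, and confirm only
by calling a contact already on file, never a number supplied in the
request (a fraudster may control or forward that line).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VendorRecord:
    """What the business already knows about a vendor (assumed vendor-master fields)."""
    name: str
    known_phone: str                 # contact verified when the vendor was onboarded
    bank_account: Optional[str]      # account on file; None if never paid by wire
    wire_history: int                # number of prior wire payments to this vendor


@dataclass
class PaymentRequest:
    """An incoming invoice or payment instruction, typically arriving by email."""
    vendor_name: str
    method: str                      # "wire", "ach", "check", ...
    bank_account: Optional[str]
    callback_phone: Optional[str]    # number the message asks you to call, if any
    urgent: bool                     # pressure language such as "must be paid today"


def screen_request(req: PaymentRequest, vendors: Dict[str, VendorRecord]) -> dict:
    """Return hold decision, red flags, and the on-file number to use for confirmation."""
    flags: List[str] = []
    vendor = vendors.get(req.vendor_name)

    if vendor is None:
        flags.append("unknown vendor")
    elif req.method == "wire":
        if vendor.wire_history == 0:
            flags.append("first wire request from this vendor")
        if req.bank_account and req.bank_account != vendor.bank_account:
            flags.append("bank details differ from record")

    if req.urgent:
        flags.append("urgency pressure")

    if vendor and req.callback_phone and req.callback_phone != vendor.known_phone:
        flags.append("callback number differs from known contact")

    # Confirmation always goes to the number on file, never to one in the request.
    return {
        "hold": bool(flags),
        "flags": flags,
        "confirm_with": vendor.known_phone if vendor else None,
    }


# Constructed sample vendor master and incoming requests.
SAMPLE_VENDORS = {
    "Acme Title Co": VendorRecord("Acme Title Co", "555-0100", "ACCT-12345", wire_history=3),
    "Maple Office Supply": VendorRecord("Maple Office Supply", "555-0150", None, wire_history=0),
}

SAMPLE_REQUESTS = [
    # Routine wire to a vendor with history, matching details, no pressure.
    PaymentRequest("Acme Title Co", "wire", "ACCT-12345", None, urgent=False),
    # Vendor always paid by check suddenly wants an urgent wire to a new account
    # and asks you to call a number that is not the one on file.
    PaymentRequest("Maple Office Supply", "wire", "ACCT-99999", "555-0199", urgent=True),
    # Known vendor, but the bank details in the email do not match the record.
    PaymentRequest("Acme Title Co", "wire", "ACCT-55555", "555-0100", urgent=False),
]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.vendor_name, screen_request(r, SAMPLE_VENDORS))
```

In practice the vendor record would come from the accounts-payable system, and the hold would block release of the payment until someone has spoken to the on-file contact; the point of the example is that the confirmation number is taken from the record, not from the message that triggered the check.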
Regulatory concerns are increasing as banks turn to fintech partners for the technology needed to compete in money transfer and other services. Banks should be constantly aware of, and monitor, the growth in vendor security risk, and must be proactive in investigating the security processes of their vendors.
In addition to security enhancements, both financial institutions and their customers should ensure they carry proper cyber liability coverage. Often the insurance policy does not cover the particular source of the damages. We find that a large number of businesses, both large and small, still do not have proper cyber liability coverage.
To add more uncertainty, court decisions interpreting an insurance company's obligation to provide coverage vary with the type of policy: a comprehensive general liability policy, a crime policy, or a specific cyber insurance policy. There are also splits among the federal circuit courts on an insurer's obligation to defend. Hopefully, the announcement by Lloyd's of London that by 2021 all new and existing policies issued by its insurers must either exclude cyberattack coverage or explicitly include it will bring industry-wide clarity.
With increasing cyber risk and increasing potential liability and lost income, it is imperative to educate customers about the risk of a BEC/EAC attack. It is equally important for the bank, and for its customers who may be subject to a BEC/EAC attack, to thoroughly vet current and potential insurance coverage so that the policy is properly aligned with the actual risk exposures.