June 7, 2016 by Canadian Underwriter
Almost half of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, according to research from Mimecast Limited, an email and data security company.
Research from the company into the growing cyber insurance industry and evolving email attack techniques found that 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date. Just 43% of firms with cyber insurance are confident that their policies would pay out for whaling (CEO fraud) financial transactions, according to the study, released on Tuesday. As well, nearly two-thirds (64%) of firms don’t have any cyber insurance at all, Mimecast said in a statement.
The survey involved 436 IT experts at organizations in the United States, United Kingdom, South Africa and Australia – locations where Mimecast is based. For the survey, conducted in March, respondents assessed the growth in a range of email attacks seen over the prior three months.
The rise of whaling (CEO fraud) has created an attack climate where many insured organizations may not be protected from fraudulent transactions, because such attacks fall outside the coverage scope defined when their policies were originally signed, Mimecast suggested in the statement. While over half (58%) of organizations have seen an increase in untargeted phishing emails, 65% have seen targeted phishing attacks grow and 67% have seen a spike in whaling attacks, where a cybercriminal dupes employees into making fraudulent transactions on behalf of a CEO or CFO (chief financial officer). Additionally, 50% said they have seen an increase in social engineering attacks that utilize malicious macros in attachments.
“Cyber insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms,” said Steven Malone, director of security product management at Mimecast, in the statement. “While insurers often pay for clean-up fees after a breach, it is important that organizations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account. Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered.”
With the cybersecurity landscape constantly evolving, Malone said, cyber insurers will have great difficulty keeping their coverage up-to-date. “A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.”