According to a study released recently by global email security firm Mimecast, only about 35% of businesses carry cyber insurance. Perhaps even more troubling, only 10% of companies with cyber coverage believe their insurance would cover emerging social engineering attacks.
If you aren’t familiar with the term, social engineering does not require a criminal to hack into your system. Instead, the perpetrator may pose as an executive at a company and ask someone in that same company to send them files or to transfer funds to a third party.
Steve Malone, director of security product management for Mimecast, said these types of attacks are becoming very common, and also more insidious.
“An attacker pretends to be someone from the victim company, the CEO, CFO, etc., and will trick someone in the organization into giving them something,” Malone said. “These attacks used to be strictly financial, ‘hi, this is the CEO; I’m out of the office. Bob (in finance), can you make this wire transfer for me?’ and Bob is ‘oh, the CEO wants me to do this. I should do it.’” Malone said the first wave of social engineering attacks was all financial, but that they have evolved.
Today, he said, the perpetrators are more likely to ask for employee W2 forms or other valuable data. “So, no money changes hands, but if you think about what is in your W2, if I can get 200 of these, I can sell 200 identities on the dark web, but most cyber coverage does not mention data. Most policies are based on financial loss. There is nothing in the insurance policy that says data like W2s are covered, and even if they pay out, what is a W2 worth?”
Other similar attacks, Malone said, could include sending top-secret future business plans or other intellectual property that a cybercriminal could sell to a competitor. “How do you value that? There is no mention of such losses in most insurance policies.”
More important than coverage for any particular threat, Malone said, is the simple fact that cybercrime is evolving very quickly, and no one knows where it will go next. “How will insurance keep up with these evolving threats?” he asks.