The majority of cyber insurance claims continue to come from the same attacks: business email compromise (BEC), social engineering, brute force of remote access, exploitation of known vulnerabilities in unpatched software, and (today’s most severe adversary) ransomware.
According to claims data from Coalition, a US-based technology-enabled cyber insurance and security firm which entered the Canadian insurance market in May 2020, approximately 54% of claims in the first six months of last year were caused by BEC and social engineering, and 29% were linked to remote access.
These risks only increased with more employees working from home due to COVID-19, explained Shawn Ram, head of insurance at Coalition. He said that business email is a frequent and easy target, with criminal actors exploiting common email security vulnerabilities, such as misconfigured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), to carry out phishing and email spoofing attacks.
There are simple things companies can do to mitigate and patch up their email security vulnerabilities. Firstly, they should shore up their remote log-in capabilities and implement security measures like multi-factor authentication (MFA) and appropriate SPF, DKIM and DMARC policies. They should also conduct frequent employee training and awareness programs so that people know how to spot phishing scams and fraudulent messages.
“MFA is super easy to implement,” Ram told Insurance Business. “It might seem burdensome or painful having to download an application, but actually, MFA is easily available on all Microsoft products and Google products – and it’s free. And there are other simple things that companies can do, such as implementing SPF, DMARC, or other important anti-phishing techniques – and they’re also free and easy to implement.”
The cyber insurance underwriting community is aware that MFA and/or limiting remote access is important. The problem, according to Ram, is that the only time most of the community really evaluates these measures is at the moment of submission. So, when insurers release a quote, they’re validating that these security measures are in place … and that’s that.
Ram commented: “We must have the ability to continue to evaluate a client’s cyber risk throughout the policy period; that’s what we do at Coalition. And in addition to that, we have to be able to notify clients within minutes of something happening, and then offer them the right tools to help them mitigate the problem.
“The thing about cyber is it’s an extremely dynamic risk. Although ransomware is arguably the topic of the day today, three years ago it was definitely not as prominent. And so, the need for continued education and the need for this hunger for learning about cybersecurity and cyber-related risk mitigating techniques is absolutely critical. The carrier community, the cybersecurity community, and the incident response community – we all need to continue to grow our efforts in educating policyholders and the broker community around the threats associated with cyber risk.”