Finance firms must remain vigilant on cyber liability matters

Finance firms must remain vigilant on cyber liability matters | Insurance Business Canada

Finance firms must remain vigilant on cyber liability matters

At a time when public health requires people to maintain distance, electronic communications have never been as important. But with more business transactions than ever being conducted online, cyber risk has also grown immensely. Along with this risk, come liability issues, especially for financial companies.

According to Brian Twibell (pictured above), co-founder and CEO of cybersecurity firm WireSecure, financial companies are very vulnerable to cybercrime because of the large amounts of money that is transferred between parties. While this is an issue across the financial services industry, it is of particular concern within the private capital markets.

“Venture capital, real estate, private equity and investment banking firms all transfer substantial amounts of capital between investors and portfolio companies,” Twibell said. “Furthermore, they exchange financial information via email – which is very easily hacked into. These make them a prime target for fraudsters who learn their habits and then stealthily provide new wire instructions for money to be diverted to. We often call this social engineering or impersonator fraud and it can account for as much as US$2 billion in theft every year.”

Cybercrime, cybersecurity and cyber insurance are relatively new fields of study, and one of the largest questions related to these fields is liability.

“One of the most striking issues when it comes to liability is the uncertainty itself,” Twibell said. “If a general partner, such as a venture capital or private equity firm experiences impersonator fraud and, as a result, one of their investors wires a capital call to a fraudsters bank account instead, both are likely to claim they are not liable as neither one may have committed any negligence.”

Phishing scams, malware hacks and data breaches are often reported in the news, but Twibell also called attention to impersonator fraud, which, according to the FBI, is the largest issue when it comes to cybersecurity. The FBI’s 2020 Internet Crime Report found that business email compromise was the costliest scheme, with 19,369 complaints and adjusted losses of around US$1.8 billion.

“So when it comes to liability, you need to think about how the theft could have been prevented and if any mistakes were made in protecting and securing information,” Twibell said. “But the issue is that protection often comes down to following best practices, such as call back verification. While making a phone call to verify information is critical, it can be very hard to determine if one actually took place. It can also be time consuming. We do know, however, that the best way to protect liability – and to protect against theft of course – is having technology in place to automatically ensure identity is verified. The best way to prevent against liability for a theft is make the theft impossible to take place.”

While insurance is available to provide financial protection in case of a cyber incident, some activities or attacks fall into a gray area which may not be covered by the policies.

“We have noticed that there is a very large gap in insurance coverage that could have catastrophic consequences for many policyholders,” Twibell said. “While coverage often applies to email compromise or loss due to social engineering initiatives, it is limited to the policyholder and staff. If the actual fraud is perpetrated by outside email accounts being compromised, such as customers, investors, counter parties, advisors, etc., and the policyholder staff acts on fraudulent instructions, this is something that is not covered.

“In most companies, the only defense for this type of fraud is best practices, or procedures that the company expects and hopes will be followed by staff in every instance. But follow-through on this isn’t guaranteed. And, when the only defense against sophisticated fraudsters is manual best practice, attacks can result in losses that can get into the billions.”

In order for businesses, especially financial companies, to protect themselves from cyberattacks, they must categorize the threats properly. Cybercrime methods vary widely, and so do the appropriate responses to these methods.

“Data breaches, for example, are often protected by removing unnecessary data and retaining only what you need, securing employees’ computers and keeping them updated, educating and training them on what to look out for and what to avoid, etc.,” Twibell said. “Email filters can protect against illegitimate or unknown phishing attempts and identity verification protects against being misled by legitimate email accounts or phone calls from parties who have been impersonated and are unaware they’ve been compromised.

“While there are technology offerings for most threats, the primary deterrent for outsiders who have been compromised comes down to best practices and procedures. The most common – call back verification – is tedious and time consuming. As fraudsters become more sophisticated, they prey on situations and transactions that are time-critical and use knowledge gained by their access to a legitimate party’s email account to sound authentic and are sometimes successful in fooling staff members. Thus, we experienced more than $2 billion in losses in the past year due to business email compromise alone.”