After an international group of hackers managed to bypass customers and steal directly from banks, cyber insurance experts are warning that brokers have a renewed responsibility to work with underwriters to ensure all potential coverage gaps are filled.
Kaspersky Lab revealed last month that cyber criminals have stolen as much as $1 billion from 100 banks in 30 countries by installing malware that allowed them to access the banks’ internal operations and even their ATMs, where mules were waiting to collect the dispensed cash. One bank in particular lost $7.3 million in the scheme.
And while this method of hacking is not entirely new, the sheer scale of the operation should give insurance professionals reason to pause—especially as current coverage does not address this risk.
“What this shows is that the type of attacks are changing constantly, and in the case of this attack it was the use of social engineering and phishing that allowed the hackers to gain access to controls for the ATMs,” said Christian Davies, a cyber broker with Safeonline LLC. “For financial institutions, attacks of this nature will certainly shift their risk profile; however, currently there is no specific coverage that will insure against this exact hack.”
Davies added that it is “up to the broker” to work with underwriters to amend cyber policies for cyber institutions to cover such risks, which underwriters need to start considering as their liability.
“It’s a cyber risk from hacking and as such, is excluded under most financial indemnity, crime and banker’s blanket bond policies, as it hasn’t resulted from employee fraud or illegal activities,” he said.
And it isn’t just traditional financial institutions that have to worry. According to Michael Daly, chief technology officer for Raytheon’s cyber-security business, the hackers’ success in this case may inspire other criminals to adopt their methods.
“It’s definitely not limited to banks,” Daly told USA Today, suggesting that any company with business-to-business transactions could be a target.
Davies especially sees a risk for online gaming, payment processors, and companies operating with bitcoins and other cryptocurrencies.
Kaspersky Lab did not name the compromised banks, but noted that institutions in the US, China, the Ukraine, India and Great Britain have all been targeted.