In this second part of a special series, IBA takes a look at a recent analysis of 2017 cyber claims data. The report, 2018 Cyber Claims Digest, which was produced by NAS Insurance, unearthed some compelling findings and outlined some notable claims scenarios.
The report found that hacking attacks remained the top cause of loss for non-healthcare claims in both 2016 and 2017. Defined in the policy wording as unauthorized access to or use of a computer system, a denial of service attack, infection of a computer system with malicious code, or an act of cyber terrorism, a hacking attack can seriously disrupt an organization's daily operations. In some cases, being hacked forces a company to shut down completely until the root cause is identified and fixed.
The following NAS claim scenario demonstrates how a hacking attack can impact a non-healthcare organization.
In this scenario, the target company's firewall was either down or not fully functional. While it was, an employee whose company network password was literally the word "password" had his workstation compromised.
“By exploiting the employee’s weak password, the hacker gained remote access to the company’s system on multiple occasions and downloaded the financial information of the company’s clients from the past three years,” explains Jeremy Barnett, senior vice president of marketing at NAS. “A forensic investigation revealed that over 65,000 financial files were accessed or stolen. The company’s clients lived in 26 different states and one US territory. Notification costs, IT forensic investigation fees, and breach coach fees totaled approximately $50,000.”
NAS’s claims analysis also found that, in 2017, phishing remained the most common method of cybercrime. In fact, 62% of the cybercrime claims reported to NAS were as a result of phishing scams.
The following scenario concerns a manufacturer of industrial products that purchased items from an existing supplier. The supplier's normal point of contact sent the manufacturer a legitimate email requesting payment for the items, with wire transfer instructions in the body of the email.
Unfortunately, a hacker who had infiltrated the supplier's email system, and could therefore see the invoice correspondence, registered a domain very similar to the supplier's, spelling the supplier's name with three Es instead of two.
“The hacker used the spoofed email account to send an email to the manufacturer posing as the normal point of contact at the supplier,” says Barnett. “In the email, the hacker asked the recipient to ignore the prior wire transfer instructions and provided new wire transfer information. The manufacturer did not notice the additional ‘E’ in the email address, and, believing the new wire instructions to be legitimate, wired $40,000 to the wrong account.”
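The defence against this scenario is mechanical rather than a matter of reading more carefully: compare the sending domain of any payment-change email against the list of vetted supplier domains, and hold anything that is a near miss for a phone callback to a number already on file. The script below is an added illustration, not code from NAS or IBA; the supplier domains, the sample message and the keyword patterns are all constructed for this example, and the edit-distance threshold of two is an assumption a real deployment would tune.

```python
# Added example (not from the NAS report or the IBA article): a lookalike-domain
# check a mail gateway or finance team could run over inbound invoice emails.
# Supplier domains, the sample message and the patterns below are constructed.
from __future__ import annotations

import re

# Hypothetical allowlist of vetted supplier sending domains (assumption).
KNOWN_SUPPLIER_DOMAINS = {"steelworks-supply.com", "acme-fasteners.com"}

# Phrases that typically accompany a change of payment instructions (assumption).
WIRE_CHANGE_PATTERNS = [
    r"\b(new|updated|changed)\b.{0,40}\b(wire|bank|account|routing)\b",
    r"\b(ignore|disregard)\b.{0,40}\b(previous|prior|earlier)\b.{0,40}\b(instructions|details)\b",
]

# Constructed message mirroring the claim scenario: one extra "e" in the domain.
SAMPLE_MESSAGE = {
    "from": "Dana Lee <dana.lee@steeelworks-supply.com>",
    "subject": "Re: Invoice 4471 - updated remittance details",
    "body": "Please disregard the previous wire instructions and use the new bank details below.",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; an extra letter in a domain is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of a From header value such as 'Name <user@domain>'."""
    m = re.search(r"@([^>\s]+)", address)
    return m.group(1).lower() if m else ""


def classify_domain(domain: str, known: set[str] = KNOWN_SUPPLIER_DOMAINS,
                    max_dist: int = 2) -> tuple[str, str | None]:
    """Return ('known', domain), ('lookalike', nearest_known) or ('unknown', None)."""
    if domain in known:
        return "known", domain
    if not known:
        return "unknown", None
    nearest = min(known, key=lambda k: levenshtein(domain, k))
    # A short distance to a vetted domain is the typosquat signature; anything
    # further away is simply an unknown sender and is handled by normal policy.
    if levenshtein(domain, nearest) <= max_dist:
        return "lookalike", nearest
    return "unknown", None


def mentions_wire_change(body: str) -> bool:
    """True when the body reads like a request to change payment instructions."""
    text = " ".join(body.split()).lower()
    return any(re.search(p, text) for p in WIRE_CHANGE_PATTERNS)


def triage(message: dict) -> dict:
    """Decide whether an invoice email must wait for out-of-band verification."""
    domain = sender_domain(message["from"])
    verdict, nearest = classify_domain(domain)
    wire_change = mentions_wire_change(message["body"])
    # Any payment change that does not come from a vetted domain is held for a
    # callback to the supplier's phone number on file, never one from the email.
    hold = wire_change and verdict != "known"
    return {
        "domain": domain,
        "verdict": verdict,
        "nearest_known": nearest,
        "wire_change": wire_change,
        "hold_for_callback": hold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

Run against the constructed message, the sender domain is reported as a lookalike of steelworks-supply.com and the payment is held. The point of the design is that the decision never depends on a human spotting an extra letter: the known-supplier list and the callback number both come from the master vendor record, not from anything in the message.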