Don’t think you have any cyber exposures. Here’s 3 cyber claims that will surprise you!
“I don’t have cyber exposures”
“My business is too small”
“I haven’t got a website”.
These are common responses when contemplating the effect of Cyber Privacy and Crime on a small to medium enterprise. However, these three claims scenarios provided by the largest team of dedicated cyber underwriters, CFC underwriting Pty Ltd (Lloyds of London) may surprise you and demonstrate the types of exposures we all face even as a small business not operating on-line point of sale portals or advice on-line.
Three factual claims scenarios
1. Malware Theft
Hackers sent a phishing e-mail with a bogus word document attachment to a member of the accounts team within a small firm of accountants. Upon opening the attachment, a piece of key logging software was automatically installed which allowed the hackers to gather crucial access data and then log into the firm’s bank portal with the credentials of one of their users.
The insured was contacted by the bank after the hackers had initiated several wire transfers and ACH batches from the insured’s account to accounts located in Nigeria. After checking with the user whose credentials had been used to instruct the transactions, the firm instructed an IT forensics company to establish what had happened and to remove the malware from the system.
After managing to recall some of the wire transfers, the firm were left with $164,000 lost in theft of electronic funds and costs of $15,000 for IT forensics work.
The head GP at a private doctor’s surgery switched on his computer on a Monday morning to be greeted with a message stating that every single patient record on the network had been encrypted and that a sum of $30,000 was to be paid in bitcoin in exchange for the decryption key.
The insured contacted an IT forensics firm who confirmed that the level of encryption meant that it was going to be almost impossible to access the data without the encryption key and that the only other alternative was wiping the network of the ransomware which could lead to all data files being deleted. It had been a week since the last software back up, meaning critical patient data would be lost – and so the ransom was paid. Forensics were then engaged to remove any remaining malware from the network at a cost of $10,000.
3. CEO Fraud
A fraudulent yet almost identical looking e-mail address for the Managing Director of a medium sized building contractor was created by fraudsters who used it to instruct an individual in the accounts department to make a wire transfer payment of $50,000 to a new materials supplier. The e-mail stated that the new supplier was being used to source additional materials for a crucial job and that payment had to be made urgently to secure delivery of the goods.
The e-mail was sent whilst the MD was on holiday so that no face to face verification could be made. The account to which the funds were transferred actually belonged to the fraudsters who were able to retrieve the money before the transaction could be recalled.